Best practices for service provider?
David Pierron
david at wombatsweb.com
Fri Nov 18 09:01:42 PST 2005
This is a loaded question so please bear with me. I could really use
the advice/help.
I am coming from a FreeBSD 4.9 IPLess IPFW Bridging Firewall ... I had
followed the directions from the FreeBSD Handbook ... Recently it
crashed, so I had to rebuild it, uhm ... quickly ...
This time I decided to include a 3rd NIC so that I could get the nightly
emails and pay a bit better attention to its status ... It is working,
but giving me some errors about arp: xx:xx:xx:xx:xx:xx is using my IP
address my.c.class.xx! I have been scouring the Internet for
information, and I decided to give PF a try ... I installed OpenBSD 3.8
but didn't like its CLI interface ... Not that I use a GUI, I don't ...
I just hop around much better on FreeBSD ...
I drew a picture of what I am envisioning as a firewall solution for me
here:
http://www.davidpierron.com/img/net-map.jpg
I installed FreeBSD 6.0 and cvsup'd ports and src ... put the following
into GENERIC:
# to allow bridge support
device if_bridge
#PF
device pf
device pflog
device pfsync
#ALTQ
options ALTQ
options ALTQ_CBQ # Class Based Queueing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
#options ALTQ_NOPCC # Required for SMP build
# other stuff
options IPSTEALTH
options HZ=1000
I put the following into rc.conf:
defaultrouter="my.c.class.1"
hostname="firewall.foo.org"
ifconfig_xl0="inet my.c.class.2 netmask 255.255.255.0"
usbd_enable="NO"
sendmail_enable="NO"
cloned_interfaces="bridge0" # create a bridge
ifconfig_bridge0="addm rl0 addm rl1" # set bridge to use particular NICs
#gateway_enable="YES"
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
... and into sysctl.conf:
net.link.bridge.pfil_bridge=1 # enables packet filtering on bridge
net.link.bridge.pfil_member=1 # enables packet filtering on in and out interfaces
#net.inet.ip.forwarding=1 # instead of gateway_enable in rc.conf?
I am running into one of two things ... Trying to find information that
isn't widely available yet, or trying to figure this out from old posts
that don't apply anymore ... The other thing going against me is that I
haven't seen anything that resembles my setup ... I am not running any
NAT ... I am using real world routable IP addresses ... I am assuming I
need a 3rd NIC to be separate from the firewall ...
From my recent readings of this list's archives, it doesn't seem that I
would want to run a bridge ... It won't allow me to keep state ... If
this is the case, how do I not assign an IP address to the network cards
that will be doing the filtering? I tried some interesting
combinations with ifconfig in rc.conf, but they didn't work ... When I
thought everything was up and running correctly, I put this box between
my router and switch but traffic didn't flow ... I could ping
internally, but could not ping the router's address which is the gateway
(x.x.x.1) ... I assumed that the internal pinging was working on the
3rd NIC with the real IP address ...
My question is, can I use two NICs for PF to do firewalling on to put
between the router and the switch and then plug the 3rd NIC in and have
it act as a separate interface on the box, or should I simply use 2 NICs
and assign them real IP addresses ... If I do that, will IPSTEALTH
compiled into the kernel not show the presence of the filtering?
I think I have successfully confused myself with redundant or old
information out there on the 'net, so again ... any suggestions or
advice on what I am trying to accomplish would be greatly appreciated.
Thank you for reading,
David Pierron
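As an added example that is not part of the original post, below is a pf.conf for the layout described above: an IP-less if_bridge on rl0/rl1 between the router and the switch, with the box's own routable address only on the third NIC (xl0) for ssh and nightly mail. It assumes the interface names from the post, and it assumes the sysctls are set to net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0 so that each frame is filtered exactly once (on a member interface) and stateful rules work on the bridge path; with both sysctls at 1 every packet passes the ruleset twice, which is the usual cause of "can't keep state on a bridge" trouble. The /24 and the admin host address are placeholders. IPSTEALTH only stops the TTL decrement on routed packets, so it has no effect on a bridged path either way.

```pf
# pf.conf for a transparent (IP-less) bridging firewall with a separate
# management NIC.  Interface roles assumed from the post:
#   rl0  = bridge member towards the router (outside)
#   rl1  = bridge member towards the switch (inside)
#   xl0  = management NIC carrying the box's own routable address
# Assumes net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0.
ext_if     = "rl0"
int_if     = "rl1"
mgmt_if    = "xl0"
lan_net    = "my.c.class.0/24"   # placeholder: the real routable /24
admin_host = "my.c.class.10"     # placeholder: the only host allowed to ssh in
published  = "{ 25, 80, 443 }"   # services reachable from outside

set skip on lo0
set skip on bridge0              # filtering happens on the members, not bridge0

# Management NIC: closed except ssh from the admin host; the box may talk out
block in log on $mgmt_if all
pass in on $mgmt_if proto tcp from $admin_host to $mgmt_if port ssh \
    flags S/SA keep state
pass out on $mgmt_if all keep state

# Bridge path: default deny, log every drop to pflog0
block log all

# LAN hosts may reach anything; the state entry lets replies back in on rl0
pass in on $int_if from $lan_net to any keep state
pass out on $ext_if from $lan_net to any keep state

# Only the published TCP services are reachable from the outside
pass in on $ext_if proto tcp from any to $lan_net port $published \
    flags S/SA keep state
pass out on $int_if proto tcp from any to $lan_net port $published keep state

# Echo request/reply so the router (gateway) can be pinged from inside
pass inet proto icmp icmp-type { echoreq, echorep } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state table and `tcpdump -n -e -ttt -i pflog0` shows what the `block log all` rule is dropping, which is the fastest way to see why a ping to x.x.x.1 is not crossing the bridge.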