Network bridge with IPFW, can't get it working

Martin Tournoy carpetsmoker at gmail.com
Wed Mar 8 13:13:04 UTC 2006


Here's the situation:
I work at a computer repair shop. As we all know, viruses, ad-ware and other mal-ware are a huge problem in the Windows world, and a lot of people come to us to have their PCs cleaned up.

Some of those programs spread themselves actively, or are used as "zombie computers", which is somewhat of a problem for us because they can infect other PCs on the net; also, our ISP (temporarily) shut us down some time ago for security reasons.

We have a firewall on our router, but it only blocks incoming traffic from the net, which makes life a bit easier because we don't have to open up ports for all kinds of programs all the time.

Since we more or less need internet on infected PCs (to download virus-scanners, updates, etc.), I'm trying to set up a bridge with a firewall (IPFW), which should filter out any bad traffic before it goes to the internet.

Problem is, it doesn't work (which is secure, but not quite what I intended).

The bridge works fine; if I shut down IPFW (or tell IPFW to allow everything) I have network access, so no problems there...

If I scan for DHCP servers, it finds the server and DNS, but doesn't get an IP address (?!) for some reason, no matter what I do...

My rc.firewall is attached. I made it as simple as possible; complexity and spiffy features can always be added later, let's get the thing working first...
I would really appreciate it if someone looked over it; there are probably errors in there.

What the REAL problem is, is that I'm a real novice at firewalls, and some things really confuse me, more specifically:

- The 'bridged' keyword: does it HAVE to be added to every rule? Or is it just recommended? Or only to specific rules?

- Which ports do I need to open? I think I have all I need now (DHCP, DNS, http, https, ping); maybe there's some hidden port I forgot?

- Should I use PF? (Is it easier for a novice?)

- Should I just set up a separate LAN? Bridging seems simpler, but doesn't seem to be very common/well documented...

I don't think it matters, but just in case:
I'm using two 3Com 3C905B-TX NICs (xl)

My uname -a is:
FreeBSD filtershit.ictwerkplaats.org 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE  
#0: Wed Feb 22 12:47:58 UTC 2006      
carpetsmoker at .ictwerkplaats.org:/usr/obj/usr/src/sys/FILTERSHIT  i387
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rc.firewall
Type: application/octet-stream
Size: 1543 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20060308/53132d1c/rc.obj
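The poster's rc.firewall was scrubbed from the archive, so the following is an added example written for this page, not the attachment and not FreeBSD's own rc.firewall. It is a minimal, stateless IPFW ruleset for a two-port filtering bridge that passes exactly the services listed above (DHCP, DNS, HTTP, HTTPS, ping) and drops and logs everything else. Assumptions: FreeBSD 6.x with if_bridge(4), the two xl NICs enslaved as bridge members (the member names xl0/xl1 are a guess), and the sysctls named in the comments set so that bridged frames are handed to ipfw; check if_bridge(4) and ipfw(8) for the release in use. The script runs in dry-run mode by default (it prints the ipfw commands instead of loading them), so it can be read and checked on any host before being applied as root on the bridge.

```shell
#!/bin/sh
# Added example: minimal stateless IPFW ruleset for a filtering bridge.
# Not the poster's scrubbed rc.firewall and not FreeBSD's stock rc.firewall.
#
# Assumed setup (FreeBSD 6.x, if_bridge(4); verify against your release):
#   rc.conf:  cloned_interfaces="bridge0"
#             ifconfig_bridge0="addm xl0 addm xl1 up"   # member names are a guess
#   sysctl:   net.link.bridge.ipfw=1  net.link.ether.ipfw=1
#             (hands bridged frames to ipfw; net.inet.ip.fw.verbose=1 makes
#             the 'log' rule below actually write to syslog)
#
# On the 'bridged' question: in ipfw(8) 'bridged' is an alias for 'layer2',
# and a rule carrying it matches ONLY frames passed to ipfw at layer 2.
# The rules below deliberately omit it, so they match in every context the
# packet is seen in; that is the simplest correct choice while debugging.
#
# Usage (file name is arbitrary, here bridge-fw.sh):
#   sh bridge-fw.sh             -> dry run, prints the ipfw commands
#   FWCMD=ipfw sh bridge-fw.sh  -> loads the rules (run as root on the bridge)

FWCMD="${FWCMD:-echo ipfw}"

# Every rule goes through $FWCMD so one function serves both the dry run
# and the real load. Rule numbers leave room for additions later.
load_bridge_rules() {
    $FWCMD -q -f flush

    # DHCP. The client has no address yet: DISCOVER/REQUEST go from
    # 0.0.0.0:68 to 255.255.255.255:67 and OFFER/ACK come back from the
    # server's port 67 to port 68 (broadcast or to the not-yet-bound address).
    # Rules scoped to the LAN prefix (e.g. 'from 192.168.0.0/24') never match
    # that exchange, which shows up exactly as "sees the server, gets no lease".
    $FWCMD -q add 100 allow udp from any 68 to any 67
    $FWCMD -q add 110 allow udp from any 67 to any 68

    # DNS, both transports (large answers fall back to TCP).
    $FWCMD -q add 200 allow udp from any to any 53
    $FWCMD -q add 210 allow udp from any 53 to any
    $FWCMD -q add 220 allow tcp from any to any 53
    $FWCMD -q add 230 allow tcp from any 53 to any

    # HTTP/HTTPS without dynamic state: requests out to 80/443, and replies
    # back only if RST or ACK is set ('established'), so no fresh inbound
    # connection attempts are admitted by rule 310.
    $FWCMD -q add 300 allow tcp from any to any 80,443
    $FWCMD -q add 310 allow tcp from any 80,443 to any established

    # ICMP: echo reply (0) and echo request (8) only.
    $FWCMD -q add 400 allow icmp from any to any icmptypes 0,8

    # Default deny, logged. The log is how you discover which "hidden port"
    # a legitimate program on a customer PC still needs before opening it.
    $FWCMD -q add 65000 deny log ip from any to any
}

load_bridge_rules
```

Keeping the ruleset stateless is intentional for a bridge: a frame may be handed to the firewall more than once on its way across (member in, bridge, member out, depending on the pfil sysctls), and stateless rules behave identically on every pass, whereas keep-state/check-state behaviour in the layer-2 path is the first thing to suspect when "allow everything" works but a filtered ruleset does not. Once this minimal set works, tighten it (restrict source addresses on the customer-side interface, add SMB/NetBIOS denies explicitly, and so on) one rule at a time, watching the deny log after each change.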