Network bridge with IPFW, can't get it working
Martin Tournoy
carpetsmoker at gmail.com
Wed Mar 8 13:13:04 UTC 2006
Here's the situation:
I work at a computer repair shop. As we all know, viruses, ad-ware and
other mal-ware are a huge problem in the Windows world, and a lot of people
come to us to have their PCs cleaned up.
Some of those programs spread themselves actively or are used as "zombie
computers", which is somewhat of a problem for us because they can infect
other PCs on the net; our ISP also (temporarily) shut us down some time
ago for security reasons.
We have a firewall on our router, but it only blocks incoming traffic from
the net, which makes life a bit easier because we don't have to open up
ports for all kinds of programs all the time.
Since we more or less need internet on infected PCs (to download
virus-scanners, updates, etc.), I'm trying to set up a bridge with a
firewall (IPFW), which should filter out any bad traffic before it
goes to the internet.
Problem is, it doesn't work (which is secure, but not quite what I
intended).
The bridge works fine, if I shut down IPFW (or tell IPFW to allow
everything) I have network access, so no problems there...
If I scan for DHCP servers, it finds the server and DNS, but doesn't get
an IP address (?!) for some reason, no matter what I do...
My rc.firewall is attached, I made it as simple as possible, complexity
and spiffy features can always be added later, let's get the thing working
first...
I would really appreciate it if someone looked over it, there are probably
errors in there.
What the REAL problem is, is that I'm a real novice at firewalls, and some
things really confuse me, more specifically:
- The 'bridged' keyword: does it HAVE to be added to every rule? Or is it
just recommended? Or only for specific rules?
- Which ports do I need to open? I think I have all I need now (DHCP, DNS,
HTTP, HTTPS, ping); maybe there's some hidden port I forgot?
- Should I use PF? (Is it easier for a novice?)
- Should I just set up a separate LAN? Bridging seems simpler, but doesn't
seem to be very common/well documented...
I don't think it matters, but just in case:
I'm using two 3Com 3C905B-TX NICs (xl)
My uname -a is:
FreeBSD filtershit.ictwerkplaats.org 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE
#0: Wed Feb 22 12:47:58 UTC 2006
carpetsmoker at .ictwerkplaats.org:/usr/obj/usr/src/sys/FILTERSHIT i387
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rc.firewall
Type: application/octet-stream
Size: 1543 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20060308/53132d1c/rc.obj