pf + bridge

Ryan Stark syah at io.com
Mon Apr 18 23:53:25 PDT 2005 

On Tue, 19 Apr 2005 00:02:37 +0200
Guy Brand <gb at isis.u-strasbg.fr> wrote:

> On 11 April at 13:20, Sergey Lyubka wrote:
> 
> > I am trying to build a transparent filtering box.
> > Box is running freebsd 5.4, pf and bridge, this is
> > the setup:
> 
>   FreeBSD has no support for pf in its bridge code. Neither has it
>   IPv6 support.
> 
I have been using using FreeBSD & pf as a transparent bridge since 5.2.
(Before that, I was using OpenBSD & pf)

Mine looks something like this:

in
  |
  | fxp0, 0.0.0.0
 -----
|     |
|     |--- fxp1, (internal admin interface)
|     |
 -----
  |
  | fxp1, 0.0.0.0

cat /etc/sysctl.conf

#bridging enable for fxp0,fxp1
net.link.ether.bridge.config=fxp0:0,fxp1:0
net.link.ether.bridge.enable=1

cat rc.conf

pflog_enable="YES"    
# Set to YES to enable packet filter logging

pf_rules="/etc/host.pf.conf"  
# rules definition file for pf. different than default. mergemaster
# likes to clobber default

pflog_enable="YES"    
# Set to YES to enable packet filter logging



ifconfig

fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu
1500 options=48<VLAN_MTU,POLLING>
        ether 00:90:27:59:03:71
        media: Ethernet autoselect (10baseT/UTP)
        status: active
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu
1500 options=48<VLAN_MTU,POLLING>
        ether 00:a0:c9:d8:8f:b1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

slightly dated, but fully functional <scrubbed> ruleset can be found
here:

http://www.io.com/sirius/pf.conf-3.3.example

Hope that might clear up any confusion.

With regards to Sergey's original question; I have not
played with the web proxy on the bridge, however I have used the
ftp proxy module on my NAT- gateway machine with no problems. Maybe
using there would work better?

-- 
Ryan Stark | syah io com
BOFH excuse #365:

parallel processors running perpendicular today

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20050419/bee2880b/attachment.bin

More information about the freebsd-pf mailing list