FBSD6 if_bridge

Bruce A. Mah bmah at freebsd.org
Sun Dec 4 02:39:24 GMT 2005


If memory serves me right, David Pierron wrote:
> Bruce A. Mah on 12/02/2005 8:02 PM wrote:
>>If memory serves me right, David Pierron wrote:

>>>Anyway, I'll report on the ifconfig_inf(x)="up" and see if that is the ticket ...
>>
>>Looking forward to hearing the good news...
>>
> 
> Excuse my French but, OMFG!  That was it!

[snip]

Cool!

> I had seen that as part of the OBSD setup ... but I thought that was the 
> way OBSD worked or something because these statements were not necessary 
> for the IPFW BRIDGE setup I have in place now ...
> 
> I stuffed those CAT5 puppies into the NICs for about 5 minutes maybe ... 
> Got 4100 lines of blocks from the two interfaces ... (They were all 
> "block in" btw) ... Here I thought there wasn't that much traffic at 
> this time of the AM ...  Now will compose a ruleset before I start using 
> it again ...
> 
> Viewing with tcpdump -n -e -ttt -r /var/log/pflog ...  WAY more detailed 
> than the IPFW BRIDGE ...  Just seeing the DNS queries to the name 
> servers ... NEAT!  I even see how noisy the Windows machines are ... so 
> many broadcasts ... I have a colo here, and I see he has DHCP running 
> ...  Why?  I will ask him later today ...

pflog(4) is quite useful.  I used it a lot while trying to figure out my
own firewall rules.  I came from a m0n0wall setup where I didn't really
write or understand the firewall rules, and before that I was doing
ipfw.  So this was helpful to figure out how PF rules worked (or
sometimes didn't).

> Thanks ever so much!  I popped your name in the HOW-TO I am creating @ 
> http://test.davidpierron.com/fbsd-pf.php

Aw shucks.....I'm just glad to have been of some help to someone else.

(Neat writeup BTW...I want to look into pftop in my Copious Spare Time
(TM).)

Cheers,

Bruce.

PS.  Although you explicitly stated in your writeup that you didn't need
a NAT, I wanted to mention that the only way I've seen a NAT and a
bridge work together on the same machine is if the bridge is implemented
with if_bridge(4) (i.e. not bridge(4) or ng_bridge(4)).  This seems to
be a fairly common issue for m0n0wall users...I must have answered this
question a dozen times over the past two years for various people.

Basically if you assign an IP address to bridge0 and NAT with that as
the external address, It Just Works (TM).  On bridges implemented with
bridge(4), it's impossible for hosts on the NAT subnet to communicate
correctly with machines on both/all sides of the bridge.
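An added example, not from either poster, of the layout Bruce describes: rc.conf and pf.conf fragments for a FreeBSD 6 host whose if_bridge(4) bridge carries an IP address that then serves as the NAT external address. The interface names (fxp0/fxp1 bridged, fxp2 as the NAT'd LAN), the addresses and the subnet are assumed.

```conf
# /etc/rc.conf (assumed names: fxp0/fxp1 are the bridge members,
# fxp2 faces the private LAN that gets NATed)

# The members must be brought "up" themselves; leaving these out
# is the symptom discussed earlier in this thread.
ifconfig_fxp0="up"
ifconfig_fxp1="up"

# Create the bridge, add both members and give the bridge itself an
# address. This address is what the NAT rule below uses.
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.0.2.10/24 addm fxp0 addm fxp1 up"

# The private LAN side (assumed subnet 10.0.0.0/24).
ifconfig_fxp2="inet 10.0.0.1/24"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
# Read the log with: tcpdump -n -e -ttt -r /var/log/pflog

# /etc/pf.conf
ext_if = "bridge0"        # the bridge, not a member, is the NAT side
int_if = "fxp2"
lan_net = "10.0.0.0/24"

# NAT the private LAN to the address assigned to bridge0.
# (bridge0) is re-read at runtime if the address changes.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny inbound and log it; these are the "block in" entries
# that show up in pflog. Note that with the if_bridge(4) defaults
# (net.link.bridge.pfil_member=1 and pfil_bridge=1) a frame is
# filtered both on the member interface and on bridge0.
block in log all

# Let the LAN out and allow replies back via state.
pass in on $int_if from $lan_net to any keep state
pass out quick keep state
```

Rules for traffic that should cross the bridge without being NATed (between the fxp0 and fxp1 segments) still need their own pass rules on the member interfaces or on bridge0, depending on the pfil sysctls above.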