Best practices for service provider?

Soren Worach soren3 at gmail.com
Fri Nov 18 16:16:51 PST 2005


On Friday 18 November 2005 18:26, Danny Fullerton wrote:
> David Pierron wrote:
> > This is a loaded question so please bear with me.   I could really use
> > the advice/help.
> >
> > I am coming from a FreeBSD 4.9 IPLess IPFW Bridging Firewall ...  I
> > had followed the directions from the FreeBSD Handbook ...  Recently it
> > crashed, so I had to rebuild it, uhm ... quickly ...
> >
> > This time I decided to include a 3rd NIC so that I could get the
> > nightly emails and pay a bit better attention to its status ...  It is
> > working, but giving me some errors about arp: xx:xx:xx:xx:xx:xx is
> > using my IP address my.c.class.xx!  I have been scouring the Internet
> > for information, and I decided to give PF a try ...  I installed
> > OpenBSD 3.8 but didn't like its CLI interface ...  Not that I use a
> > GUI, I don't ... I just hop around much better on FreeBSD ...
> >
> > I drew a picture of what I am envisioning as a firewall solution for
> > me here:
> > http://www.davidpierron.com/img/net-map.jpg
> >
> > I installed FreeBSD 6.0 and cvsup'd ports and src ... put the
> > following into GENERIC:
> >
> > # to allow bridge support
> > device if_bridge
> >
> > #PF
> > device    pf
> > device    pflog
> > device    pfsync
> >
> > #ALTQ
> > options         ALTQ
> > options         ALTQ_CBQ        # Class Based Queueing (CBQ)
> > options         ALTQ_RED        # Random Early Detection (RED)
> > options         ALTQ_RIO        # RED In/Out
> > options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
> > options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
> > #options         ALTQ_NOPCC      # Required for SMP build
> >
> > # other stuff
> > options IPSTEALTH
> > options HZ=1000
> >
> > I put the following into rc.conf:
> >
> > defaultrouter="my.c.class.1"
> > hostname="firewall.foo.org"
> > ifconfig_xl0="inet my.c.class.2  netmask 255.255.255.0"
> > usbd_enable="NO"
> > sendmail_enable="NO"
> >
> > cloned_interfaces="bridge0"          # create a bridge
> > ifconfig_bridge0="addm rl0 addm rl1" # set bridge to use particular NICs
> > #gateway_enable="YES"
> >
> > pf_enable="YES"                      # Enable PF (load module if required)
> > pf_rules="/etc/pf.conf"              # rules definition file for pf
> > pf_flags=""                          # additional flags for pfctl startup
> > pflog_enable="YES"                   # start pflogd(8)
> > pflog_logfile="/var/log/pflog"       # where pflogd should store the logfile
> > pflog_flags=""                       # additional flags for pflogd startup
> >
> > .. and into sysctl.conf:
> >
> > net.link.bridge.pfil_bridge=1    # enables packet filtering on bridge
> > net.link.bridge.pfil_member=1    # enables packet filtering on in and out interfaces
> > #net.inet.ip.forwarding=1         # instead of gateway_enable in rc.conf?
> >
> > I am running into one of two things ... Trying to find information
> > that isn't widely available yet, or trying to figure this out from old
> > posts that don't apply anymore ...  The other thing going against me
> > is that I haven't seen anything that resembles my setup ...  I am not
> > running any NAT ...  I am using real world routable IP addresses ... I
> > am assuming I need a 3rd NIC to be separate from the firewall ...
>
> You can use a firewalled interface or bridge interface as a normal interface
> too. It only depends on your config. You'll find lots of stuff on
> google referring to a setup like yours, but when searching for OpenBSD stuff.
>
> > From my recent readings of this list's archives, it doesn't seem that I
> > would want to run a bridge ...  It won't allow me to keep state ...
> > If this is the case, how do I give the network cards that will
> > be doing the filtering no IP address?  I tried some interesting
> > combinations with ifconfig in rc.conf, but they didn't work ...  When
> > I thought everything was up and running correctly, I put this box
> > between my router and switch but traffic didn't flow ... I could ping
> > internally, but could not ping the router's address which is the
> > gateway (x.x.x.1) ...  I assumed that the internal pinging was working
> > on the 3rd NIC with the real IP address ...
>
> Stateful mode is working in bridge mode using OpenBSD PF. But I don't
> know if it's presently the case with the FreeBSD implementation.

it _is_ the case, pf supports stateful filtering with bridging. I've been using 6.0 since 
betaX on a couple of setups like this.


>
> > My question is, can I use two NICs for PF to do firewalling on to put
> > between the router and the switch and then plug the 3rd NIC in and
> > have it act as a separate interface on the box, or should I simply use
> > 2 NICs and assign them real IP addresses ...  If I do that, will
> > IPSTEALTH compiled into the kernel not show the presence of the
> > filtering?
>
> As I said, you could use this kind of setup (3 cards to keep the
> logic simple) or, while using 2 interfaces in bridge mode, use 1 of them with an
> internal ip address (bridge and standard).
>
> > I think I have successfully confused myself with redundant or old
> > information out there on the 'net, so again ... any suggestions or
> > advice on what I am trying to accomplish would be greatly appreciated.

Please post your pf.conf.

> >
> > Thank you for reading,
> > David Pierron
> > _______________________________________________
> > freebsd-pf at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
> You should begin by playing with Packet Filter while being in bridge
> mode and gradually including features like the management ip/interface
> before going too far and not understanding.
>
> Danny Fullerton
> ----------------------
> IT Security Specialist
> dfullerton at mantor.org
>
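A starting pf.conf for the three-NIC layout David describes, added here as an illustration; it was not posted by anyone in the thread. It assumes rl0 and rl1 are the bridge members from his rc.conf (rl0 toward the router, rl1 toward the switch), xl0 is the non-bridged management NIC that holds the box's only address, and it uses 192.0.2.0/24 plus two hosts in it as placeholders for his real block.

```pf
# Added example, not from the thread. Interface roles and the 192.0.2.0/24
# block (with the admin workstation and web server inside it) are assumptions.
ext_if     = "rl0"               # bridge member facing the router
int_if     = "rl1"               # bridge member facing the switch
mgmt_if    = "xl0"               # non-bridged NIC carrying the firewall's IP
lan_net    = "192.0.2.0/24"      # placeholder for my.c.class.0/24
admin_host = "192.0.2.10"        # placeholder: only host allowed to ssh in
web_srv    = "192.0.2.20"        # placeholder: only LAN host reachable from outside

# These rules name the member interfaces, so run with
# net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0.
# With pfil_bridge=1 each frame is evaluated a second time on bridge0,
# where no pass rule below matches and "block all" drops it.

set skip on lo0
scrub in all

# Default deny, logged to pflog0 so the nightly reports show what was dropped.
block log all

# --- Bridge members: the transparent filter ------------------------------
# LAN -> anywhere. "keep state" is written out because pf in FreeBSD 6.0 does
# not assume it; replies then ride the state entry instead of needing rules.
pass in  quick on $int_if inet from $lan_net to any keep state
pass out quick on $ext_if inet from $lan_net to any keep state

# Outside -> LAN: only the web server, only new TCP connections (SYN alone).
pass in  quick on $ext_if inet proto tcp from any to $web_srv \
    port { 80, 443 } flags S/SA keep state
pass out quick on $int_if inet proto tcp from any to $web_srv \
    port { 80, 443 } flags S/SA keep state

# --- Management NIC: the only addressed interface ------------------------
# ssh in from the admin host only; the firewall itself may send mail, do DNS
# lookups and ping out; anything else to or from its address hits "block".
pass in  quick on $mgmt_if inet proto tcp from $admin_host to $mgmt_if \
    port 22 flags S/SA keep state
pass out quick on $mgmt_if inet proto { tcp, udp } from $mgmt_if to any \
    port { 25, 53 } keep state
pass out quick on $mgmt_if inet proto icmp from $mgmt_if to any keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` while testing from the LAN to see which rule each dropped packet hit.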

