Best practices for service provider?

Bruno Tavares brunotm at gmail.com
Sat Nov 19 11:51:57 PST 2005


On Saturday 19 November 2005 17:09, David Pierron wrote:
> Whoa ... we're not even there yet ... I am trying to get the hardware
> configured ... I am not clear as to the parameters required for the
> bridge or the options to allow IP Forwarding across the bridge and
> keeping the 3rd NIC separate ...  I set up a simple pf.conf to block all
> traffic:
>
> scrub in all
> block out log on $ext_if all
> block in  log on $ext_if all
>
> I saw no activity logged at all when I attached cables from the router
> and then to the switch ...

The 3rd interface will do nothing within the bridge (they will bridge the
traffic only between themselves).
Try passing traffic on all bridge interfaces (including bridge0) by default
and check what addresses the bridge has learned with `ifconfig addr bridge0`.

>
> I think my initial problem when installing the 3 NICs and giving one an
> IP address is that they all use the default gateway ... Do I need to
> install the gateway just to the 3rd NIC somehow? (which I would call the
> management NIC) ... Should I remove "defaultrouter="x.x.x.1"" from
> rc.conf?  I would have thought the bridge would live in his own space ...

The bridging interfaces will only touch that if you give them IP addresses,
which you don't need to since you have a 3rd interface for management.

>
> The bridge just needs to filter packets not caring about its own IP
> addresses ...  I would be able to deny or throttle by destination IP,
> but the bridge itself should see traffic coming in, filter it based on
> the rules, and then pass it on if okay or drop it if not okay ...  The
> outside world wouldn't know that there was an extra hardware appliance
> hop to their destination ...
>
> The assumption in using 3 NICs is that FreeBSD will run an IPLess
> stateful packet filter on the 2 NIC bridge, the 3rd NIC's traffic will
> eventually travel across that bridge as shown in the diagram I drew ...
> This has to be possible, but there must be some trick to it that I
> haven't grasped ... Not many setups or HOWTOs explain this sort of setup
> or idea ...
>
> Maybe I should have asked one question at a time?  I just thought this
> was all encompassing ... the hardware setup supporting the PF machine ...
>

The assumption is correct.
Don't forget to add a pass rule for the 3rd interface like:

pass quick from self keep state
or
pass quick from $3rd_nic keep state


> David Pierron
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
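One way to turn the advice in this thread into a complete configuration, as an added example that is not from either poster: a pf.conf for the 3-NIC filtering bridge, with the rc.conf and sysctl settings it assumes shown as comments. Interface names, addresses and the LAN/management networks are assumptions; the pfil sysctls are FreeBSD's if_bridge(4) knobs.

```pf
# Added example, not from the thread: pf.conf for the 3-NIC filtering
# bridge discussed above. Interface names and addresses are assumptions:
# em0/em1 are the bridge members (no IP), em2 is the management NIC.
#
# Assumed /etc/rc.conf (bridge members carry no addresses, so the
# default route only ever applies to the management NIC):
#   cloned_interfaces="bridge0"
#   ifconfig_bridge0="addm em0 addm em1 up"
#   ifconfig_em0="up"
#   ifconfig_em1="up"
#   ifconfig_em2="inet 192.0.2.10 netmask 255.255.255.0"
#   defaultrouter="192.0.2.1"
#   pf_enable="YES"
# Assumed /etc/sysctl.conf: filter on the member NICs, not on bridge0,
# so each frame is evaluated once with a real interface name:
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0

ext_if   = "em0"              # member facing the router
int_if   = "em1"              # member facing the switch
mgmt_if  = "em2"              # management NIC, the only one with an address
lan_net  = "198.51.100.0/24"  # hosts behind the switch (assumed)
mgmt_net = "192.0.2.0/24"     # management network (assumed)

set skip on lo0
scrub in all

# Default deny with logging on every interface; the pass rules below
# punch the holes, and existing state entries match before these rules.
block in  log all
block out log all

# Management NIC: the box itself may talk out, admins may SSH in.
pass out quick on $mgmt_if from self keep state
pass in  quick on $mgmt_if proto tcp from $mgmt_net to self port ssh keep state

# Bridged traffic: the outside world only sees the router and the switch.
# Allow LAN hosts to initiate web and DNS; the state created on $int_if
# also matches the same packet leaving $ext_if, and the replies coming back.
pass in on $int_if proto tcp from $lan_net to any port { 80, 443 } keep state
pass in on $int_if proto udp from $lan_net to any port 53 keep state
pass in on $int_if inet proto icmp from $lan_net icmp-type echoreq keep state
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to confirm the blocked traffic is now being logged on the member interfaces.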

