bridge ipfw also protect set
smithi at nimnet.asn.au
Fri Dec 19 14:36:52 UTC 2008
On Fri, 19 Dec 2008 10:19:31 +0700 (ICT) Olivier Nicole <on at cs.ait.ac.th> wrote:
[khoogc at singnet.com.sg wrote:]
> > I want to give internet connectivity to a pc behind my Freebsd, which is
> > connected to an aDSL. I know I can add another card to my set and use
> > bridge+IPFW so that the behind pc is firewalled. But will this setup
> > also ensure that my Freebsd set is firewalled? Could not figure it out
> > reading the book and article.
> You don't want to use bridge!
Certainly true in this instance.
> 1) as far as I remember, ipfw works poorly with bridge: it would
> filter only based on layer 2, not based on IP (need to confirm).
Not true. I've managed a filtering bridge (also providing web and samba
servers) with ipfw+dummynet for 5+ years since FreeBSD 4.8, and it works
very well indeed. You can filter at layer 2 or 3, bridged and unbridged
traffic, though you can only filter bridged traffic that's coming 'in'.
> 2) bridge means that packets traverse the FreeBSD machine without any
> modification (think of the bridge like a 2-port Ethernet
> switch). Unless you use an ADSL modem (but then you can use a
> switch and connect your PC and your FreeBSD box each on one port of
> the switch) it will not work.
> If your FreeBSD machine is in charge of making the ADSL connection,
> it will not work.
Not as a bridge, no.
> 3) as suggested in the previous reply, you need some NAT and some
> routing in your FreeBSD machine. Routing is not bridge.
The 'simple' ruleset in rc.firewall provides a good basic setup to
protect a small network as described, including the router of course.
You'll want to add a couple of rules allowing some ICMP traffic, remove
rules for inbound DNS and web if you're not running those servers, etc.
Read ipfw(8) about 10 times, largely ignore the current ipfw section in
the handbook, and prosper ..
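As an added illustration (not code from this thread or from rc.firewall itself), here is a small ipfw ruleset shaped like the rc.firewall 'simple' profile for a FreeBSD box that terminates the ADSL link, NATs one inner LAN and protects itself too, with the two changes suggested above applied: the useful ICMP types are allowed and the inbound DNS/SMTP/WWW server rules are left out. Interface names (tun0 for the ADSL/PPPoE link, re0 for the inner card) and the 192.168.1.0/24 LAN are assumptions; it keeps the stateless 'established'/'setup' TCP style of the simple profile because mixing keep-state with a divert natd rule needs care about rule order.

```shell
#!/bin/sh
# Added example: ipfw ruleset in the spirit of the rc.firewall 'simple'
# profile for a router+NAT box.  Assumed: OIF=tun0 (ADSL), IIF=re0 (inner
# NIC), INET=192.168.1.0/24.  IPFW defaults to 'echo ipfw' so the script
# only prints the rules; run as root with IPFW=/sbin/ipfw to load them.
IPFW="${IPFW:-echo ipfw}"
OIF="${OIF:-tun0}"; IIF="${IIF:-re0}"; INET="${INET:-192.168.1.0/24}"

ruleset() {
    $IPFW -q -f flush
    # loopback: allow it, and refuse 127/8 on any other interface
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    $IPFW add 120 deny ip from 127.0.0.0/8 to any
    # anti-spoofing: inner addresses only arrive on the inner NIC, and
    # nothing claiming an inner address may arrive from the ADSL side
    $IPFW add 200 deny ip from $INET to any in via $OIF
    $IPFW add 210 deny ip from not $INET to any in via $IIF
    # the LAN side is trusted: it may talk to the router and through it
    $IPFW add 250 allow ip from any to any via $IIF
    # hand everything crossing the ADSL link to natd(8); after translation
    # the packet continues at the rule after the divert
    $IPFW add 300 divert natd ip4 from any to any via $OIF
    # TCP: replies to connections we opened carry ACK/RST (established),
    # fragments pass, connection attempts from the ADSL are logged and dropped,
    # and any remaining SYN (LAN or router originated) may go out
    $IPFW add 400 allow tcp from any to any established
    $IPFW add 410 allow ip from any to any frag
    $IPFW add 420 deny log tcp from any to any in via $OIF setup
    $IPFW add 430 allow tcp from any to any setup
    # UDP: DNS and NTP queries out, answers back (stateless pair; run natd
    # with -deny_incoming so unsolicited inbound never gets this far)
    $IPFW add 500 allow udp from any to any 53,123 out via $OIF
    $IPFW add 510 allow udp from any 53,123 to any in via $OIF
    # the ICMP worth allowing: echo reply, dest unreachable, echo request,
    # time exceeded (ping, traceroute and path-MTU discovery keep working)
    $IPFW add 600 allow icmp from any to any icmptypes 0,3,8,11
    # no 'allow ... to ${oip} 25/53/80' rules here: this box runs no public
    # servers, so everything else is logged and dropped
    $IPFW add 65000 deny log ip from any to any
}

ruleset
```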