bridge ipfw also protect set

Ian Smith smithi at
Fri Dec 19 14:36:52 UTC 2008

On Fri, 19 Dec 2008 10:19:31 +0700 (ICT) Olivier Nicole <on at> wrote:
   [khoogc at wrote:]
 > > I want to give internet connectivity to a pc behind my Freebsd, which is 
 > > connected to an aDSL. I know I can add another card to my set and use 
 > > bridge+IPFW so that the behind pc is firewalled. But will this setup
 > > also ensure that my Freebsd set is firewalled? Could now figure it out
 > > reading the book and article.
 > You don't want to use bridge!

Certainly true in this instance.

 > 1) as far as I remember, ipfw works poorly with bridge: it would
 >    filter only based on layer 2, not based on IP (need to confirm).

Not true.  I've managed a filtering bridge (also providing web and samba 
servers) with ipfw+dummynet for 5+ years since FreeBSD 4.8, and it works 
very well indeed.  You can filter at layer 2 or 3, bridged and unbridged 
traffic, though you can only filter bridged traffic that's coming 'in'.

 > 2) bridge means that packets traverse the FreeBSD machine without any
 >    modification (think of the bridge like a 2 ports Ethernet
 >    switch). Unless you use and ADSL modem (but then you can use a
 >    switch and connect your PC and your FreeBSD box each on one port of
 >    the switch) it will not work.
 >    If your FreeBSD machine is in charge of making the ADSL connection,
 >    it will not work.

Not as a bridge, no.

 > 3) as suggested in the prvious reply, you need some NAT and some
 >    routing in your FreeBSD machine. Routing is not bridge.

The 'simple' ruleset in rc.firewall provides a good basic setup to 
protect a small network as described, including the router of course.

You'll want to add a couple of rules allowing some ICMP traffic, remove 
rules for inbound DNS and web if you're not running those servers, etc.

Read ipfw(8) about 10 times, largely ignore the current ipfw section in 
the handbook, and prosper ..

cheers, Ian

More information about the freebsd-questions mailing list