transparent bridge ~ firewall

Ian Smith smithi at
Tue May 20 13:43:50 UTC 2014

In freebsd-questions Digest, Vol 520, Issue 2, Message: 19
On Tue, 20 May 2014 11:59:27 +0700 Olivier Nicole <olivier.nicole at> wrote:

Hi there Olivier,
 > Jim,
 > > Is it possible to configure fbsd so that it passes traffic thru two
 > > nics "transparently", (with a third nic installed as the management IP)?
 > >
 > > So that firewall rules can be applied between those two transparent
 > > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
 > > or re-direct.

I'm not clear on what 're-direct' means in the context of a transparent 
bridge, if it's not doing any routing?  But pressing on ..

 > > I purchased a device which uses debian to do this. I would like to
 > > see if I can duplicate the functions on FreeBSD, my OS of choice.
 > I used to do that a few years ago, using ip-firewall at that time
 > instead of ipfw; I can't remember the reason why, I think it was the
 > unavailability of layer 2 in IPFW at that time.

If that was the reason, it must have been prior to Jan '94 when I built 
a transparent filtering bridge box for a local community technology 
centre using ipfw and dummynet on FreeBSD 4.8, later 4.10, between a 
satellite gateway/NAT/proxy box - largely outside our control - and our 
internal gateway / router for about a dozen machines, incl some wifi.

All layer 2 except for the layer 3 management functions on the inside 
interface; i.e. it only needed 2 NICs, but you can use 3 if you want :)

 > I have switched to zeroshell since because I needed a captive portal too
 > and neither monowall nor pfSense offered a captive portal on bridged
 > interfaces when I made the change.

Not cluey on captive portals, but we had a fairly extensive firewall 
with dummynet shaping, plus local webserver/samba/etc, setup by a 
colleague, also running from the bridge box .. all the client boxes just 
ran from a switch.

 > I am pretty sure that monowall and pfsense do offer bridged interfaces.

As does ipfw.  I'd have to do some serious digging through backups to 
provide configuration detail, and that was with the older bridge.ko but 
will hunt if it might be useful.  I recall at the time finding plenty on 
the web and in the handbook, along with, of course, ipfw(8) and some 
help from folks on -net, so it wasn't so difficult to get going well.

Of course m0n0wall or pfsense may do everything needed, I wouldn't know.

 > Best regards,
 > Olivier

cheers, Ian
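What a current FreeBSD version of the box Ian describes looks like, as an added example (not Ian's, Olivier's or Jim's configuration, and not the bridge.ko-era setup Ian mentions; bridge.ko was superseded by if_bridge(4) in FreeBSD 6). It follows Jim's three-NIC layout: two address-less members bridged through bridge0 with ipfw applied to the frames crossing them, and a third NIC carrying the only IP address, reachable for ssh. The NIC names em0/em1/em2, the 192.0.2.0/24 management prefix, and the policy (inside may initiate, outside may only answer) are assumptions; the sysctl names come from if_bridge(4) and ipfw(8) and should be checked against the running release. The script only prints the fragments and lints the ruleset unless invoked with --apply.

```shell
#!/bin/sh
# Transparent filtering bridge on FreeBSD: if_bridge(4) plus ipfw(8).
# Added example, not the configuration from the original thread. NIC names,
# the management prefix/address and the policy are assumptions; sysctl names
# are from if_bridge(4)/ipfw(8) and should be verified on the target release.
OUTSIDE=${OUTSIDE:-em0}              # toward the upstream gateway, no address
INSIDE=${INSIDE:-em1}                # toward the LAN, no address
MGMT=${MGMT:-em2}                    # the only NIC that carries an address
MGMT_NET=${MGMT_NET:-192.0.2.0/24}   # constructed (RFC 5737 prefix)
MGMT_ADDR=${MGMT_ADDR:-192.0.2.10}   # constructed

# rc.conf fragment: bridge the two filtering NICs, address only the third.
rc_conf_fragment() {
	cat <<EOF
cloned_interfaces="bridge0"
ifconfig_${OUTSIDE}="up"
ifconfig_${INSIDE}="up"
ifconfig_bridge0="addm ${OUTSIDE} addm ${INSIDE} up"
ifconfig_${MGMT}="inet ${MGMT_ADDR} netmask 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
EOF
}

# Run ipfw on bridged frames (layer 2) and on each member NIC (layer 3).
# pfil_bridge=0 keeps bridge0 itself out of the path, so an IP packet is
# seen once inbound on one member and once outbound on the other.
sysctl_fragment() {
	cat <<EOF
net.link.ether.ipfw=1
net.link.bridge.ipfw=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0
EOF
}

bridge_ruleset() {
	cat <<EOF
ipfw -q -f flush
# Layer-2 frames take their own section at 1000+; rules below 990 are the
# layer-3 (IP) pass on the member NICs.
ipfw add 10 skipto 1000 all from any to any layer2
# Policy is decided on the inbound pass; the outbound pass on the far NIC
# is let through so a packet is not judged twice.
ipfw add 100 allow ip from any to any out
ipfw add 200 check-state
# Management plane: ssh to the box's own address, only if it arrived on ${MGMT}.
ipfw add 300 allow tcp from ${MGMT_NET} to me 22 in recv ${MGMT} setup keep-state
ipfw add 310 deny log ip from any to me in
# Bridged traffic: inside may initiate, outside may only answer.
ipfw add 400 allow tcp from any to any in recv ${INSIDE} setup keep-state
ipfw add 410 allow udp from any to any in recv ${INSIDE} keep-state
ipfw add 420 allow icmp from any to any in recv ${INSIDE}
ipfw add 430 allow icmp from any to any in recv ${OUTSIDE} icmptypes 0,3,11
ipfw add 990 deny log all from any to any
# Layer-2 section: pass ARP and IP (IP is judged in the layer-3 pass), drop the rest.
ipfw add 1000 allow all from any to any mac-type arp layer2
ipfw add 1010 allow all from any to any mac-type ip layer2
ipfw add 1020 allow all from any to any mac-type ip6 layer2
ipfw add 1030 deny all from any to any layer2
EOF
}

# Checks to run before loading a ruleset: both passes end in deny, and the
# box's own address is allowed only on frames received on ${MGMT}.
check_ruleset() {
	rules=$(grep -v '^#' | grep -v '^$')
	if printf '%s\n' "$rules" | grep -vq '^ipfw '; then
		echo "check: non-ipfw line in ruleset"; return 1
	fi
	last_l3=$(printf '%s\n' "$rules" | awk '$2 == "add" && $3 + 0 < 1000 { r = $0 } END { print r }')
	case "$last_l3" in *" deny "*) ;; *) echo "check: layer-3 pass does not end in deny"; return 1 ;; esac
	case "$(printf '%s\n' "$rules" | tail -n 1)" in
		*" deny "*layer2) ;; *) echo "check: layer-2 section does not end in deny"; return 1 ;;
	esac
	if printf '%s\n' "$rules" | grep ' allow ' | grep ' to me ' | grep -vq "recv ${MGMT}"; then
		echo "check: host reachable on a non-management interface"; return 1
	fi
	return 0
}

# The classic mistake, for contrast: the ssh rule without 'recv ${MGMT}',
# which makes the box reachable from either bridged segment.
weak_ruleset() {
	bridge_ruleset | sed "s/ in recv ${MGMT} setup/ in setup/"
}

apply_bridge() {   # as root on the FreeBSD box; not run unless --apply is given
	sysctl_fragment | while read -r kv; do sysctl "$kv"; done
	ifconfig bridge0 create 2>/dev/null || true
	ifconfig "$OUTSIDE" up && ifconfig "$INSIDE" up
	ifconfig bridge0 addm "$OUTSIDE" addm "$INSIDE" up
	bridge_ruleset > /etc/ipfw.rules && sh /etc/ipfw.rules
}

case "${1:-}" in
	--show)  rc_conf_fragment; echo; sysctl_fragment; echo; bridge_ruleset ;;
	--apply) bridge_ruleset | check_ruleset && apply_bridge ;;
esac
```

`sh bridge.sh --show` prints the rc.conf and sysctl fragments and the ruleset for review; `--apply` lints the ruleset first and only then brings the bridge up and loads it. The skipto at rule 10 is the point that trips most people up with net.link.bridge.ipfw=1: the same ruleset is walked once per frame at layer 2 and once per IP packet at layer 3, so the two passes are kept in separate sections rather than letting IP rules fire twice.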

