transparent bridge ~ firewall
olivier2553 at gmail.com
Wed May 21 03:26:25 UTC 2014
> > > Is it possible to configure fbsd so that it passes traffic thru two
> > > nics "transparently", (with a third nic installed as the management IP)?
> > >
> > > So that firewall rules can be applied between those two transparent
> > > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
> > > or re-direct.
> I'm not clear on what 're-direct' means in the context of a transparent
> bridge, if it's not doing any routing? But pressing on ..
I don't know either, would have to ask the OP :)
> > > I purchased a device which uses debian to do this. I would like to
> > > see if I can duplicate the functions on FreeBSD, my OS of choice.
> > I used to do that a few years ago, using ip-firewall at that time
> > instead of ipfw, I can't remember the reason why, I think it was the
> > unavailability of layer 2 in IPFW at that time.
> If that was the reason, it must have been prior to Jan '94 when I built
> a transparent filtering bridge box for a local community technology
> centre using ipfw and dummynet on FreeBSD 4.8, later 4.10, between a
> satellite gateway/NAT/proxy box - largely outside our control - and our
> internal gateway / router for about a dozen machines, incl some wifi.
I am sure that was prior to 2004. Or maybe just around, I remember it had ipfw2.
> All layer 2 except for the layer 3 management functions on the inside
> interface; ie it only needed 2 NICs, but you can use 3 if you want :)
> > I have switched to zeroshell since because I needed captive portal too
> > and neither monowall nor pf sense did offer captive portal on bridged
> > interfaces when I did the change.
> Not cluey on captive portals, but we had a fairly extensive firewall
> with dummynet shaping, plus local webserver/samba/etc, setup by a
> colleague, also running from the bridge box .. all the client boxes just
> ran from a switch.
Captive portal is the authentication for outgoing users: you open any
web page and get redirected to a login page, then the outgoing
firewall is open for your IP.
> > I am pretty sure that monowall and pfsense do offer bridged interfaces.
> As does ipfw. I'd have to do some serious digging through backups to
> provide configuration detail, and that was with the older bridge.ko but
> will hunt if it might be useful. I recall at the time finding plenty on
> the web and in the handbook, along with, of course, ipfw(8) and some
> help from folks on -net, so it wasn't so difficult to get going well.
I am mentioning monowall and pfsense because they are built on FreeBSD
and offer a simple and fully manageable configuration tool: for
someone not really sure how to bridge interfaces, using a tool with a
configuration interface may help.
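As an added example (not from this thread or any of its posters), here is the setup the original question describes on FreeBSD with if_bridge(4) and ipfw(8): two NICs bridged with no address, an ipfw rule set between them, and the management address on a third NIC. Interface names em0/em1/em2 and the RFC 5737 addresses are assumptions.

```shell
#!/bin/sh
# Transparent filtering bridge on FreeBSD: if_bridge(4) joins two NICs that
# carry no IP address, ipfw(8) filters what crosses them, and a third NIC
# holds the management address. Interface names and addresses below are
# assumptions for this example (RFC 5737 documentation ranges).
OUTSIDE=em0              # member facing the upstream gateway
INSIDE=em1               # member facing the LAN
MGMT=em2                 # management-only interface, never bridged
MGMT_ADDR=192.0.2.10/24
MGMT_NET=192.0.2.0/24
LAN_NET=198.51.100.0/24  # addresses behind the bridge (routed elsewhere)

# Rule set in the file format ipfw reads (one command per line, no "ipfw").
# rc.firewall flushes before loading a firewall_type file, so no flush here.
ipfw_rules() {
    cat <<EOF
add 100 check-state
add 200 allow ip from any to any via lo0
# management NIC: SSH from the management subnet only, nothing else
add 300 allow tcp from ${MGMT_NET} to me 22 in recv ${MGMT} setup keep-state
add 310 deny ip from any to any via ${MGMT}
# bridged traffic: LAN opens sessions, replies return via the dynamic rules
add 400 allow tcp from ${LAN_NET} to any in recv ${INSIDE} setup keep-state
add 410 allow udp from ${LAN_NET} to any 53,123 in recv ${INSIDE} keep-state
# echo, unreachable and ttl-exceeded in both directions
add 420 allow icmp from any to any icmptypes 0,3,8,11
# nothing unsolicited from upstream reaches the LAN
add 500 deny log ip from any to any in recv ${OUTSIDE}
add 65534 deny log ip from any to any
EOF
}

# Apply once, interactively (needs root on FreeBSD): ./bridge.sh apply
apply() {
    ifconfig bridge0 create
    ifconfig "$OUTSIDE" up; ifconfig "$INSIDE" up
    ifconfig bridge0 addm "$OUTSIDE" addm "$INSIDE" up
    ifconfig "$MGMT" inet "$MGMT_ADDR"
    sysctl net.link.bridge.pfil_member=1   # filter on em0/em1 (recv/xmit match)
    sysctl net.link.bridge.pfil_bridge=0   # do not filter a second time on bridge0
    # net.link.bridge.ipfw=1 would also hand layer-2 frames to ipfw; not needed
    ipfw_rules > /etc/ipfw.rules && ipfw -q /etc/ipfw.rules
}
if [ "${1:-}" = apply ]; then apply; fi
```

For persistence the same member list goes into rc.conf (cloned_interfaces="bridge0", ifconfig_bridge0="addm em0 addm em1 up") and the rule file is loaded with firewall_enable="YES" and firewall_type="/etc/ipfw.rules".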