transparent bridge ~ firewall

Olivier Nicole olivier2553 at gmail.com
Wed May 21 03:26:25 UTC 2014


Ian,

>  > > Is it possible to configure fbsd so that it passes traffic thru two
>  > > nics "transparently", (with a third nic installed as the management IP)?
>  > >
>  > > So that firewall rules can be applied between those two transparent
>  > > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
>  > > or re-direct.
> I'm not clear on what 're-direct' means in the context of a transparent
> bridge, if it's not doing any routing?  But pressing on ..

I don't know either, would have to ask the OP :)

>  > > I purchased a device which uses debian to do this. I would like to
>  > > see if I can duplicate the functions on FreeBSD, my OS of choice.
>  >
>  > I used to do that few years ago, using ip-firewall at that time
>  > instead of ipfw, I can't remember the reason why, I think it was the
>  > unavailability of layer 2 in IPFW at that time.
>
> If that was the reason, it must have been prior to Jan '94 when I built
> a transparent filtering bridge box for a local community technology
> centre using ipfw and dummynet on FreeBSD 4.8, later 4.10, between a
> satellite gateway/NAT/proxy box - largely outside our control - and our
> internal gateway / router for about a dozen machines, incl some wifi.

I am sure that was prior 2004. Or maybe just around, I remember it had ipfw2.

> All layer 2 except for the layer 3 management functions on the inside
> interface; ie it only needed 2 NICs, but you can use 3 if you want :)
>
>  > I have switched to zeroshell since because I needed captive portal too
>  > and neither monowall nor pf sense did offer captive portal on bridged
>  > intefaces when I did the change.
>
> Not cluey on captive portals, but we had a fairly extensive firewall
> with dummynet shaping, plus local webserver/samba/etc, setup by a
> colleague, also running from the bridge box .. all the client boxes just
> ran from a switch.

Captive portal is the authentication for outgoing users: you open any
web page and get redirected to a login page, then the outgoing
firewall is open for your IP.

>  > I am pretty sure that monowall and pfsense do offer bridged interfaces.
> As does ipfw.  I'd have to do some serious digging through backups to
> provide configuration detail, and that was with the older bridge.ko but
> will hunt if it might be useful.  I recall at the time finding plenty on
> the web and in the handbook, along with, of course, ipfw(8) and some
> help from folks on -net, so it wasn't so difficult to get going well.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/

I am mentioning monowall and pfsense because they are build on FreeBSd
and offer a simple and fully manageable configuration tool: for
someone not really sure how to bridge interfaces, using a tool with a
configuration interface may help.

Bests,

Olivier


More information about the freebsd-questions mailing list