transparent bridge ~ firewall
Ian Smith
smithi at nimnet.asn.au
Wed May 21 15:56:09 UTC 2014
On Wed, 21 May 2014 10:26:24 +0700, Olivier Nicole wrote:
> > > > So that firewall rules can be applied between those two transparent
> > > > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
> > > > or re-direct.
> > I'm not clear on what 're-direct' means in the context of a transparent
> > bridge, if it's not doing any routing? But pressing on ..
>
> I don't know either, would have to ask the OP :)
I kinda thought I was - but should have preceded that with [Jim] :)
> > satellite gateway/NAT/proxy box - largely outside our control - and our
> > internal gateway / router for about a dozen machines, incl some wifi.
>
> I am sure that was prior 2004. Or maybe just around, I remember it had ipfw2.
Checking archives, I see that (the old) bridge.ko still had some issues
back then, needed compiling into kernel and some arp magic. Anyway this
is way too much nostalgia for many, I expect ..
> > > I have switched to zeroshell since because I needed captive portal too
> > > and neither monowall nor pf sense did offer captive portal on bridged
> > > interfaces when I did the change.
Just had another look at m0n0 again after many years, still looks great
for small boxes like PCengines, Soekris and such, and considered pfsense
to replace a Linux IPCop router more recently, but I'm about done being
a volunteer sysadmin these days, and never came across zeroshell.
> > Not cluey on captive portals, but we had a fairly extensive firewall
> > with dummynet shaping, plus local webserver/samba/etc, setup by a
> > colleague, also running from the bridge box .. all the client boxes just
> > ran from a switch.
>
> Captive portal is the authentication for outgoing users: you open any
> web page and get redirected to a login page, then the outgoing
> firewall is open for your IP.
Ah, right. Apart from bandwidth shaping and some port restriction those
cats went largely unherded; they couldn't get into too much mischief on a
256kbps sat down / 128kbps ISDN up link, in a small rural town otherwise
limited to 56kbps dialup - though in retrospect it would've been useful.
> > > I am pretty sure that monowall and pfsense do offer bridged interfaces.
> > As does ipfw. I'd have to do some serious digging through backups to
> > http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/
>
> I am mentioning monowall and pfsense because they are built on FreeBSD
> and offer a simple and fully manageable configuration tool: for
> someone not really sure how to bridge interfaces, using a tool with a
> configuration interface may help.
Indeed, agreed. Not hard to install and evaluate either fairly quickly.
cheers, Ian
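As an added example, not code from anyone in this thread, here is a minimal ipfw ruleset for an if_bridge transparent firewall with two member NICs and no NAT or routing, the setup the original poster asked about. It shows stateful allow rules on the inside member, a default deny, and a lookup table of authenticated client addresses as one way to express the captive-portal gate Olivier describes (the portal adds a client to the table after login, and unauthenticated web traffic is diverted to the login page). The interface names em0/em1, the LAN prefix, the portal address and table number 1 are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread: a minimal ipfw ruleset for a
# transparent if_bridge firewall with two member NICs, no NAT, no routing.
# Interface names, the LAN prefix, the portal address and table 1 are
# assumptions for the sake of the example.

INSIDE_IF="${INSIDE_IF:-em0}"            # bridge member facing the LAN clients
OUTSIDE_IF="${OUTSIDE_IF:-em1}"          # bridge member facing the upstream gateway
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # address range of the clients behind the bridge
PORTAL="${PORTAL:-192.168.1.1,8000}"     # host,port of the login page (assumed)

# Print the ruleset in ipfw(8) file syntax so it can be read before loading.
# Rules carry no "ipfw" prefix; "#" lines are comments to ipfw as well.
bridge_ruleset() {
    cat <<EOF
# The bridge interface has no address: filter on the members only
# (sysctl net.link.bridge.pfil_member=1 net.link.bridge.pfil_bridge=0).
# With the default net.link.bridge.pfil_onlyip=1, ARP and other non-IP
# frames bypass these rules and are bridged untouched.
add 100 check-state
add 200 allow ip from any to any via lo0
# Clients that have logged in at the portal are listed in table 1
add 300 allow ip from table(1) to any in recv $INSIDE_IF keep-state
# Unauthenticated web traffic from the LAN is diverted to the login page
# (fwd needs forwarding support in ipfw, a kernel option on older releases)
add 400 fwd $PORTAL tcp from $LAN_NET to any 80 in recv $INSIDE_IF
# Everyone may reach the portal itself and resolve names
add 500 allow tcp from $LAN_NET to ${PORTAL%,*} ${PORTAL#*,} in recv $INSIDE_IF keep-state
add 510 allow udp from $LAN_NET to any 53 in recv $INSIDE_IF keep-state
# Nothing unsolicited enters from the outside; replies matched check-state above
add 65000 deny log ip from any to $LAN_NET in recv $OUTSIDE_IF
add 65100 deny log ip from any to any
EOF
}

# True when the last rule is a deny, i.e. the ruleset fails closed.
has_default_deny() {
    bridge_ruleset | grep '^add ' | tail -n 1 | grep -q ' deny '
}

# Number of rules the ruleset would install.
rule_count() {
    bridge_ruleset | grep -c '^add '
}

# Hooks the portal would call after a successful login or on logout:
# the address enters or leaves table 1 and rule 300 starts or stops matching.
portal_login()  { ipfw -q table 1 add "$1"; }
portal_logout() { ipfw -q table 1 delete "$1"; }

# Load the ruleset on the bridge host (root, FreeBSD with if_bridge and ipfw).
apply_bridge_ruleset() {
    sysctl net.link.bridge.pfil_member=1 net.link.bridge.pfil_bridge=0
    ipfw -q -f flush
    bridge_ruleset | ipfw -q /dev/stdin
}

# Default action is to show the rules; "apply" loads them.
if [ "${1:-show}" = "apply" ]; then
    apply_bridge_ruleset
else
    bridge_ruleset
fi
```

Run it without arguments to review the generated rules, and with `apply` on the bridge host to load them. Because the bridge has no IP address of its own, everything is matched on the member interfaces with `recv`; the `fwd` rule assumes the bridge host also has an address on the LAN segment where the portal listens, which is the one part of a "transparent" box that is not entirely transparent.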