New FreeBSD 4.9 Bridge / IPFW Setup

Thread: New FreeBSD 4.9 Bridge / IPFW Setup

  1. #1
    Senior Member
    Join Date
    Aug 2001

    New FreeBSD 4.9 Bridge / IPFW Setup

    Note to moderators: I am creating a new topic instead of adding to the previous one because I am trying a different approach. I am trying to use ipfw now instead of ipfilter. I cannot edit the original thread because of the time limit placed on editing. I feel it would be counterproductive and confusing to post all the new info under my original post, which contains outdated info. Thanks for understanding.


    Section 1 - What I'm attempting and the problem
    Section 2 - Network Setup
    Section 3 - Data Gathering
    Section 4 - Specific Questions
    Section 5 - Resources Checked
    Section 6 - Files Edited

    Overview: |

    OK. Back to the topic at hand! I have been logging everything I do while attempting to setup this transparent FreeBSD bridge. I have also been creating a tutorial as I go along that I plan on posting if I can accomplish this task and finish this project.

    I included the resources used, suggestions tried, and everything I have done step by step. This is becoming quite a challenge, and I am determined to get it working. Maybe I can suck a few of you into my determination. Geeks unite! hahaha

    Anyway, here it is. All experiences, ideas, and suggestions welcome!

    Section 1 - What I'm attempting and the problem |

    I want to turn a FreeBSD 4.9 Stable computer into a transparent bridge AND firewall using two NIC cards. Neither card is assigned an IP address. I want this to be an invisible bridge on the network that cannot be seen from the outside OR the inside. I am not setting this up to use NAT or be a gateway. I want this to be a transparent bridge going from dc0 (NIC card 1) directly to and through sis0 (NIC card 2) with IPFW filtering in between.

    It is not working.

    Section 2 - Network Setup |

    Wire goes from Gateway Router with DHCP Server
    to NIC Card 1 (dc0) in FreeBSD Bridge / Firewall Machine
    data should pass to NIC Card 2 (sis0) in FreeBSD Bridge / Firewall machine, which is plugged into a Switch Uplink Port (using a crossover cable).
    Computers I want behind bridge are plugged into the switch

    All cards and switch ports are lit.

    Section 3 - Data Gathering |

    tcpdump -i dc0 reports random requests from the DHCP server / router / internet.
    tcpdump -i sis0 reports computers on the switch broadcasting, asking for an IP from the DHCP server.

    The TCPDumps do not seem to show any similar traffic from one nic to the other. Just incoming traffic from what it is plugged into.

    Internet is definitely up and running. I tested it by taking the wire that was plugged into dc0 (wire from the DHCP server / router / gateway) and plugging it directly into the computer that was previously plugged into the switch (the one I'm trying to get connected through the FreeBSD box). The computer grabs an IP address no problem and has internet access.

    To me the problem seems to be that the bridge is not working correctly. Both cards seem to be receiving traffic from their end, but not passing it on to the other NIC. Maybe they can't communicate with each other? Both are up and running in promiscuous mode.

    Added log_in_vain="YES" to rc.conf. Should log everything going through ipfw.
    Used tail -f /var/log/messages
    All I saw were tty logins (from me switching terminals) and some DNS attempts to (myself) from 127.0.0.1 (myself). I thought that may be a little strange. Does anyone know if the lo0 (loopback interface) needs to be set to anything?

    Section 4 - Specific Questions |

    1) Could FreeBSD 4.9 Stable require a patch to act as a bridge? Previous versions did. But from what I understand 4.9 Stable doesn't.

    2) Are there any files I missed that may need to be edited in order to enable the bridge?

    3) The man page for bridge says: "Bridging requires interfaces to be put in promiscuous mode, and transmit packets with ethernet source addresses." I know my cards are in promiscuous mode, but is there any way to check if they can transmit packets with ethernet source addresses?

    4) The man page for bridge also says: "bridging is not compatible with interfaces which use hardware loopback". How can I tell if my interfaces are using hardware loopback? Does this have to do with the lo0 interface that is currently set to

    4a.) Does anyone know if the lo0 (loopback interface) needs to be set to anything specific?

    5) Since in rc.conf I have firewall_type="open", it should not matter if the firewall is running or not, right? It could make sense that the firewall is blocking dc0 and sis0 from each other, but it shouldn't be. Any way I can see if dc0 and sis0 can at least pass data to each other? Any kind of command? Keep in mind neither interface has an IP address.

    6) How can I check that my firewall is truly running?

    6a.) Any way to check if my bridge is actually running?

    7) For logging info I looked at: /var/log/messages. Are there any other logs worth taking a look at?

    8) In the files I include below, does anyone see anything that may cause a problem, or cancel each other out? For example, could my rc.conf settings be overriding the Kernel settings or something like that?

    Section 5 - Resources Checked: |

    Exactly what I am attempting:
    - Followed this tutorial to the T. Not sure why it still doesn't work. Anyone notice something I may have missed?
    - Very similar to the above tutorial. More technical detail supplied. Again, didn't see anything I missed.
    - Man page for bridge

    Somewhat helpful resources:
    - Enables the bridge in the kernel the same way, but uses IPFilter instead of ipfw

    Other resources, but unfortunately no info:
    - OpenBSD instructions, completely different setup and files than FreeBSD

    Section 6 - Files Edited |
    Edits To Kernel:

    # To enable kernel bridge / firewall support
    # /usr/src/sys/i386/conf/GENERIC
    # (the "options" lines were lost in the archived post; restored here from
    #  the FreeBSD 4.x filtering-bridge documentation the comments quote)

    # Enable kernel support for bridging
    options BRIDGE
    # Use the bridge as a firewall
    options IPFIREWALL
    # Enable logging functions of the firewall
    options IPFIREWALL_VERBOSE
    # Allow non-IP packets (such as ARP) to flow through the bridge
    options IPFIREWALL_DEFAULT_TO_ACCEPT

    Edits To sysctl.conf |

    # Enabling the Bridge
    # /etc/sysctl.conf
    # (the settings were lost in the archived post; restored here using the
    #  4.x sysctl names from bridge(4) and the interfaces named in the post)

    # Enable the bridge at runtime
    net.link.ether.bridge=1
    # Enable bridging on the specified interfaces
    net.link.ether.bridge_cfg=dc0:0,sis0:0
    # Enable bridged packets to be filtered by ipfw
    net.link.ether.bridge_ipfw=1

    Edits to rc.conf |

    # Set network cards for bridging
    # /etc/rc.conf

    # Set both interfaces to promisc mode and put up
    # No ip addresses are assigned
    ifconfig_dc0="PROMISC UP"
    ifconfig_sis0="PROMISC UP"

    # (the firewall_* values were lost in the archived post; restored here from
    #  rc.conf(5); firewall_type="open" and log_in_vain="YES" are stated above)
    # Enable Firewall
    firewall_enable="YES"
    # Set firewall to open
    firewall_type="open"
    # Do not show rules loading
    firewall_quiet="YES"
    # Enable firewall logging
    firewall_logging="YES"

    # Should log everything going through ipfw
    log_in_vain="YES"
    An Ounce of Prevention is Worth a Pound of Cure...
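The checks that Section 4 asks for (questions 5, 6 and 6a), as an added example that is not part of the original post: a read-only script that reads the bridge sysctls and the interface flags and reports whatever does not match the intended setup. It assumes the FreeBSD 4.x sysctl names documented in bridge(4) (net.link.ether.bridge, net.link.ether.bridge_cfg, net.link.ether.bridge_ipfw) and the interface names dc0 and sis0 from the post.

```shell
#!/bin/sh
# Added example, not from the post: read-only state check for a FreeBSD 4.x
# bridge/ipfw box; assumes bridge(4)'s 4.x sysctl names and the post's NICs.
BRIDGE_IFS="dc0 sis0"
# bridge_problems: read `sysctl net.link.ether` output ("name: value" lines)
# on stdin; print one line per setting that breaks the bridge, nothing if OK.
bridge_problems() {
    en=0; ipfw=0; cfg=""
    while IFS=' ' read -r name value; do
        case "$name" in
            net.link.ether.bridge:)      en=$value ;;
            net.link.ether.bridge_cfg:)  cfg=$value ;;
            net.link.ether.bridge_ipfw:) ipfw=$value ;;
        esac
    done
    [ "$en" = 1 ]   || echo "bridge disabled: net.link.ether.bridge=$en (want 1)"
    [ "$ipfw" = 1 ] || echo "bridged frames bypass ipfw: bridge_ipfw=$ipfw (want 1)"
    for ifn in $BRIDGE_IFS; do
        case ",$cfg," in
            *,"$ifn":*|*,"$ifn",*) ;;
            *) echo "$ifn missing from net.link.ether.bridge_cfg='$cfg'" ;;
        esac
    done
}
# iface_problems IFNAME: read `ifconfig IFNAME` output on stdin; report the
# flags a bridge member needs (UP, RUNNING, PROMISC) that are missing, and
# any inet address, since the post wants both NICs unnumbered.
iface_problems() {
    ifn=$1; flags=""; inet=""
    while IFS= read -r line; do
        case "$line" in
            "$ifn: flags="*) flags=${line#*<}; flags=${flags%%>*} ;;
            *"inet "*)       inet=${line#*inet }; inet=${inet%% *} ;;
        esac
    done
    for f in UP RUNNING PROMISC; do
        case ",$flags," in
            *,"$f",*) ;;
            *) echo "$ifn lacks $f" ;;
        esac
    done
    [ -z "$inet" ] || echo "$ifn has address $inet (members should be unnumbered)"
}
# Live run, FreeBSD only. `ipfw show` fails with a getsockopt error when the
# kernel lacks IPFIREWALL; otherwise its counters show whether rules match.
if [ "$(uname -s)" = FreeBSD ]; then
    sysctl net.link.ether | bridge_problems
    for ifn in $BRIDGE_IFS; do ifconfig "$ifn" | iface_problems "$ifn"; done
    ipfw show
fi
```

Run it as root on the bridge machine; the two functions also accept saved sysctl and ifconfig output on stdin. Note that log_in_vain only logs TCP/UDP connection attempts to ports with no listener (see rc.conf(5)), so it says nothing about bridged traffic; ipfw logs only packets matching a rule with the log keyword, and the open ruleset has none.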

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    I did notice this line:
    Unfortunately, not all network interface cards as of FreeBSD 4.0 support bridging. Read bridge(4) for details on the cards that are supported.
    Maybe one (or both) of your cards is not supported?
    Oliver's Law:
    Experience is something you don't get until just after you need it.
