
Thread: HELP - FreeBSD Bridge / IPFilter Firewall Setup

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Posts
    356

    HELP - FreeBSD Bridge / IPFilter Firewall Setup

    Hi Everyone,

    I decided to take that leap into the great unknown. I just installed a fresh installation of FreeBSD 4.9 Stable. I want the machine to do transparent packet filtering by acting as a bridge with IPFilter enabled. I have two network cards installed. Both are enabled and seem to be fine. Neither has an IP address assigned to it; I want the machine to be an invisible bridge on the network. NO NAT. I want it to be transparent.

    I found a nice tutorial located at:

    http://ezine.daemonnews.org/200211/ipfilter-bridge.html

    I followed the instructions. They seemed pretty simple and basic, even for someone new to FreeBSD like me. Here is a break down of what I did to try and accomplish my goal.

    Added the following to my kernel:

    options BRIDGE
    options IPFILTER

    (rebuilt kernel - rebooted)

    Added the following lines to /etc/sysctl.conf

    sysctl net.link.ether.bridge_cfg=dc0:0,sis0:0
    sysctl net.link.ether.bridge_ipf=1
    sysctl net.link.ether.bridge=1

    (Note: dc0 and sis0 are my 2 network cards)

    I then enable IPFilter in /etc/rc.conf by adding the line:

    ipfilter_enable="YES"

    In my /etc/ipf.rules file I only have the two lines:

    pass in all
    pass out all

    Which should allow all traffic in and out. My network setup is as follows:

    Internet Connection -> dc0 (first network card - which should be sending traffic to sis0) sis0 (second network card) -> switch port NOT uplink port. All computers are then plugged into the ports on the switch. So theoretically all outbound/inbound traffic should be going through the BSD box.

    If you've read this far (THANKS!), here are my questions:

    1) I am wondering if my network setup is correct. Should I be using a crossover cable to connect sis0 to the uplink port instead of having it plugged into a regular port on the switch? That would seem to make more sense, but the tutorial did not mention that. I am not using a crossover cable, and if I set the switch to uplink, the uplink port and network card lights do not go on. Could this be my problem? Unfortunately I do not have a crossover cable to test this out, which is why I am asking.

    2) I am new to FreeBSD. Could anyone recommend some logs I could check out, or explain how to enable certain logs that may give me clues as to why my setup isn't working?

    3) Anyone ever attempt this before and could give me some suggestions? Any advice is appreciated. Alternative setup suggestions, etc... I am a newbie to FreeBSD and have been wanting to learn this stuff for years.

    Thanks!
    An Ounce of Prevention is Worth a Pound of Cure...
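    A lint for the three /etc/sysctl.conf lines in the post above, added here as an example (it is not code from the thread or from the linked tutorial). It assumes the FreeBSD 4.x convention that /etc/sysctl.conf holds bare mib=value lines; the sample files it checks are constructed from the lines as posted and a corrected version.

```shell
#!/bin/sh
# Added example: lint the bridge settings meant for /etc/sysctl.conf on
# FreeBSD 4.x. That file holds bare "mib=value" lines that /etc/rc.sysctl
# applies at boot, so a line starting with the command word "sysctl" is
# read as a MIB named "sysctl" and the real setting never takes effect.

# Print one diagnostic per bad line on stderr; print the count on stdout.
count_bad_lines() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;                         # blank or comment
            sysctl*) echo "command word, not a MIB: $line" >&2
                     bad=$((bad + 1)); continue ;;
            *=*) ;;
            *) echo "missing '=': $line" >&2; bad=$((bad + 1)); continue ;;
        esac
        mib=${line%%=*}; val=${line#*=}
        case "$mib" in
            net.link.ether.bridge_cfg)
                # Expected form: ifN:cluster,ifM:cluster (e.g. dc0:0,sis0:0)
                printf '%s\n' "$val" |
                    grep -Eq '^[a-z]+[0-9]+:[0-9]+(,[a-z]+[0-9]+:[0-9]+)+$' ||
                    { echo "bad bridge_cfg value: $val" >&2; bad=$((bad + 1)); } ;;
            net.link.ether.bridge|net.link.ether.bridge_ipf)
                case "$val" in
                    0|1) ;;
                    *) echo "$mib must be 0 or 1: $val" >&2; bad=$((bad + 1)) ;;
                esac ;;
        esac
    done < "$1"
    echo "$bad"
}

# Constructed samples: the lines as posted in the thread, and the corrected form.
AS_POSTED=$(mktemp); CORRECTED=$(mktemp)
cat > "$AS_POSTED" <<'EOF'
sysctl net.link.ether.bridge_cfg=dc0:0,sis0:0
sysctl net.link.ether.bridge_ipf=1
sysctl net.link.ether.bridge=1
EOF
cat > "$CORRECTED" <<'EOF'
# transparent filtering bridge between dc0 and sis0
net.link.ether.bridge_cfg=dc0:0,sis0:0
net.link.ether.bridge_ipf=1
net.link.ether.bridge=1
EOF
echo "as posted: $(count_bad_lines "$AS_POSTED") bad line(s)"
echo "corrected: $(count_bad_lines "$CORRECTED") bad line(s)"
```

Run it against a copy of the real file (`count_bad_lines /etc/sysctl.conf`) before rebooting; a non-zero count means at least one of the three bridge settings would not be applied.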
     

  2. #2
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    If your link light is not active, it's wrong. You will probably need to do the following:
    Cable modem(DSL whatever)----Crossover---->NIC(dc0)
    NIC(sis0)----Crossover-------> WAN port on switch

    If you have an Uplink port this just means the port is already 'crossed over' and you can substitute a standard patch cable there.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  3. #3
    I'm learning FreeBSD also and there are a few more different places that might help if you are interested.

    Google BSD Search

    FreeBSD How Tos

    Comprehensive Guide to FreeBSD
    This link has a lot of information

    I hope that this helps a little.
    JP



  4. #4
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Thanks for the suggestions... I'll mess with the crossover idea. Excellent links, I bookmarked them. Anyone else have any experience with this?
    An Ounce of Prevention is Worth a Pound of Cure...
     

  5. #5
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Anyone know how to tell if a network card is in promiscuous mode? I know that the bridge will not work if the cards are not in promiscuous mode.

    EDIT: Figured it out. "ifconfig dc0 promisc" - enables it. To disable "ifconfig dc0 -promisc". Cool. Damn bridge still not working though.
    An Ounce of Prevention is Worth a Pound of Cure...
     

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Ehm. Take out the fbsd box and connect everything like normal. Just to test your setup and to make sure it's your fbsd configuration and not something else. If everything works then you can hook up the fbsd box. You should at least keep an eye on /var/log/messages.

    You can also use tcpdump -i dc0 and tcpdump -i sis0 to make sure packets are actually going through.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Senior Member
    Join Date
    Sep 2001
    Posts
    144
    I know it's not FreeBSD related, but I do know that OpenBSD makes bridges and filtering bridges very simple.. if you're not tied down it might be worth looking into... hell, for all I know the same techniques might work..
    http://www.openbsd.org/faq/faq6.html#Bridge

    The main difference I see would be that this assigns an IP to one of the interfaces, so if you set up both NICs the same without IPs.. and followed from there everything would be the same. You might have to alter the pf rules to make up for the lack of any IPs, but that's trivial.. no help with the FreeBSD solution, but hope this is viable.

    [EDIT]
    also found this after posting..
    http://cfm.gs.washington.edu/securit...all/pf-bridge/

    hope it helps.
    [/EDIT]

  8. #8
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    The actual setup for the bridge in OpenBSD seems to be quite different from FreeBSD. The OpenBSD articles I read mention files that are not on my FreeBSD system, and also seem to have a lot more configuration available for a bridge setup. Thanks for the suggestion, but I would really like to get this to work on FreeBSD.

    Here is an update for you guys.

    Internet definitely works. I'm switching the plug from this computer to the dc0 card as I try new things. So the internet connection is definitely up and good.

    I did a TCPDump for both cards, and I am getting interesting results. Traffic is getting to my sis0 card from the computers trying to access the internet; however, that traffic doesn't seem to be getting passed on to the dc0 card (assuming if the bridge worked both tcpdumps would be showing the same lines). For now I disabled IPF altogether until I at least get the bridge to work. I'm really confused as to why this isn't working.

    I also got a crossover cable and plugged sis0 into the Uplink port instead of a regular port. The lights lit up so I know the connection was good. But I am still having the same exact problem. Strange thing is that the TCPDump is showing pretty much exactly what it showed when the card was just plugged into a regular port. So I'm not sure if that made much of a difference.

    The thing I'm wondering about is the TCPDump info. If someone could confirm that in the case of a bridge both TCPDumps for each card would show the same lines, then I at least know that the problem lies in the bridge configuration.

    Any ideas? Suggestions? Again, thanks for your help.

    Note: Once this finally works I plan on writing up a step by step of how I got it working, and posting here for everyone.
    An Ounce of Prevention is Worth a Pound of Cure...
     

  9. #9
    Senior Member
    Join Date
    Sep 2001
    Posts
    144
    Does FreeBSD require IP forwarding on a gateway-type machine? I don't see a mention of you setting up IP forwarding. Not up on my FreeBSD so I couldn't tell you where to look, but in Linux you had to cat 1 into an ip_forwarding file under /proc... if I recall correctly.

  10. #10
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    I believe if the FreeBSD box is set up as a bridge, there does not have to be any IP forwarding set. Neither of the cards has an IP address assigned, and if the bridge is set up correctly (which I think is my problem) the traffic should just travel right through the 2 cards to its destination. The traffic should travel as if the bridge isn't even there. The only filtering or forwarding I plan to do is with IPFilter. And that is currently disabled, so there should be nothing interrupting the flow of traffic.

    And I thought this would be a quick and easy setup! haha...

    Does anyone know if maybe FreeBSD 4.9 Stable requires a patch to act as a bridge? The tutorial only states that 4.6 needs it.
    An Ounce of Prevention is Worth a Pound of Cure...
     
