diff --git a/en_US.ISO8859-1/articles/filtering-bridges/article.sgml b/en_US.ISO8859-1/articles/filtering-bridges/article.sgml
index af4cf51e9a..f864e45e1d 100644
--- a/en_US.ISO8859-1/articles/filtering-bridges/article.sgml
+++ b/en_US.ISO8859-1/articles/filtering-bridges/article.sgml
@@ -1,356 +1,385 @@
%man;
]>
Filtering Bridges
- Nick
- Sayer
-
+ Alex
+ Dupre
- nsayer@FreeBSD.org
+ sysadmin@alexdupre.com
-
+
$FreeBSD$
- For those of you who do not know, DSL differs from more traditional
- connectivity methods in that the connectivity spigot that comes
- out of the wall has no possibility for packet filtering. If you get
- a T1 line or some such it will come with a router that can generally
- include a packet filter. If you get ISDN or a dialup link, you also
- either have a software routing component (a PPP daemon, specifically)
- that can do some filtering or can be combined with a filter on the
- machine running the link. But with DSL you only get a little white
- box with some Blinkenlights on it and an Ethernet port that takes
- your traffic back and forth from the Internet and nothing else (to
- some extent the same can be said of other mass-market high speed
- connectivity methods, like cable modems or high speed wireless links
- as well. The same technique I plan to describe works just as well
- for them, or for any other technology that provides an Ethernet
- port with no filtering).
+ Often it is useful to divide one physical network (like an
+ Ethernet) into two separate segments without having to create subnets,
+ and use a router to link them together. The device that connects the
+ two networks in this way is called a bridge. A FreeBSD system with
+ two network interfaces is enough in order to act as a bridge.
+
+ A bridge works by scanning the addresses of MAC
+ level (Ethernet addresses) of the devices connected to each of its
+ network interfaces and then forwarding the traffic between the two
+ networks only if the source and the destination are on different
+ segments. Under many points of view a brigde is similar to an Ethernet
+ switch with only two ports.Why use a filtering bridge?
- Bridging is not the only conceivable option. It is possible to
- set up a two Ethernet machine as a router instead of a bridge.
- Where it is possible to do so, it is actually a better idea.
- Bridges run their interfaces in promiscuous mode, meaning they
- must process every packet presented to them. The problem is
- that routers can only route traffic between different subnets.
- Also, subnets can only be made by by cutting an existing space in
- half or defining a new space that is typically unroutable (see
- RFC 1918).
- This wastes half of the useful addresses (or at least puts
- them on the wrong side of the router—the thing that is
- doing the packet filtering that makes the inside network safe).
- Using a bridge costs some CPU cycles, but makes all of the
- problems of adding a 2nd router go away.
+ More and more frequently, thanks to the lowering costs of broad band
+ Internet connections (xDSL) and also because of the reduction of
+ available IPv4 addresses, many companies are connected to the Internet
+ 24 hours on 24 and with few (sometimes not even a power of 2) IP
+ addresses. In these situations it is often desirable to have a firewall
+ that filters incoming and outgoing traffic from and towards Internet,
+ but a packet filtering solution based on router may not be applicable,
+ either due to subnetting issues, the router is owned by the connectivity
+ supplier (ISP), or because it doesn't support such
+ functionalities. In these scenarios the use of a filtering bridge is
+ highly advised.
+
+ A bridge-based firewall can be configured and inserted between the
+ xDSL router and your Ethernet hub/switch without any IP numbering
+ issues.
-
- Configuring a Kernel
-
+
+ How to Install
+
+ Adding bridge functionalities to a FreeBSD system is not difficult.
+ Since 4.5 release it is possible to load such functionalities as modules
+ instead of having to rebuild the kernel, simplifying the procedure a
+ great deal. In the following subsections I will explain both
+ installation ways.
+
- After configuring and installing a kernel as shown here, you
- should carry out the other
- final preperation
- tasks before booting into your new kernel.
+ Do not follow both instructions: a procedure
+ excludes the other one. Select the best choice
+ according to your needs and abilities.
- Adding bridging to a FreeBSD machine is not hard to do. It means
- having 2 (or more, but we will just use 2 here) Ethernet cards and adding
- a couple of lines to the kernel configuration. Since May of 2000,
- RELENG_4 and -current have had bridging support for all Ethernet
- interfaces. This does not mean that any Ethernet interface will work.
- For them to work, they have to support a working promiscuous mode for
- both reception and transmission—that is, they have to be able to
- transmit Ethernet packets with any source address, not just their own.
- In order to get good throughput, the cards should also be PCI bus
- mastering cards. The best choices still are the Intel EtherExpress Pro
- 100 cards, with 3com 3c9xx cards being second.
-
- So you will want to add the following to your kernel configuration
- file:
-
- device fxp (or whatever is appropriate for the cards you are using)
-options BRIDGE
+ Before going on, be sure to have at least two Ethernet cards that
+ support the promiscuous mode for both reception and transmission, since
+ they must be able to send Ethernet packets with any address, not just
+ their own. Moreover, to have a good throughput, the cards should be PCI
+ bus mastering cards. The best choices are still the Intel EtherExpress
+ Pro, followed by the 3Com 3c9xx series. To simplify the firewall
+ configuration it may be useful to have two cards of different
+ manufacturers (using different drivers) in order to distinguish clearly
+ which interface is connected to the router and which to the inner
+ network.
+
+
+ Kernel Configuration
+
+ So you have decided to use the older but well tested installation
+ method. To begin, you have to add the following rows to your kernel
+ configuration file:
+
+ options BRIDGE
options IPFIREWALL
options IPFIREWALL_VERBOSE
- Note that recent versions of FreeBSD support dynamically loading the
- IP Firewall code into the kernel. You can not do this, however, with
- bridging, as the bridge code itself needs to interact with IPFIREWALL
- in a special way.
-
- It is also a good idea at this point to see if Luigi has updated
- versions of the bridge code available that are more recent than what is
- in the distribution. As an example, 3.3-RELEASE comes with 981214, but
- as of this writing, the most up-to-date bridge code is 990810. You can
- fetch the latest version from
- http://www.iet.unipi.it/~luigi/. You will want to fetch bridge.c and bridge.h and drop them into sys/net/.
-
- For instructions on how to build and install a new kernel, refer to
- the
- Building and Installing a Custom Kernel section of the handbook
+ The first line is to compile the bridge support, the second one is
+ the firewall and the third one is the logging functions of the
+ firewall.
+
+ Now it is necessary to build and install the new kernel. You may
+ find detailed instructions in the Building
+ and Installing a Custom Kernel section of the FreeBSD
+ Handbook.
+
+
+
+ Modules Loading
+
+ If you have choosen to use the new and simpler installation
+ method, the only thing to do now is add the following row to
+ /boot/loader.conf:
+
+ bridge_load="YES"
+
+ In this way, during the system startup, the
+ bridge.ko module will be loaded together with the
+ kernel. It is not required to add a similar row for the
+ ipfw.ko module, since it will be loaded
+ automatically after the execution of the steps in the following
+ section.
+ Final Preperation
- Before you boot the new kernel, you must make some preparations in
- rc.boot and rc.firewall. The
- default rule for the firewall is to drop all packets on the floor. You
- will want to override this by setting up the open firewall in
- /etc/rc.conf. Put these lines in
- /etc/rc.conf to achieve this:
-
-firewall_enable="YES"
-firewall_type="open"
-
- There is one more thing that is necessary. When running IP over
- Ethernet, there are actually two Ethernet protocols in use. One
- is IP, the other is ARP. ARP is used when a machine must figure out
- what Ethernet address corresponds to a given IP address. ARP is not
- a part of the IP layer, since it only applies to IP when run over
- Ethernet. The standard ipfirewall rule for the open firewall is
-
- pass ip from any to any
-
- but what about ARP? If ARP is not passed, no IP traffic can flow at
- all. But IPFIREWALL has no provisions for dealing with non-IP
- protocols, and that includes ARP. Fortunately, a hackish extension was
- made to the ipfirewall code to assist filtering bridges. If you set up
- a special rule for UDP packets from IP address
- 0.0.0.0, the UDP port number will be used
- to match the Ethernet protocol number for bridged packets. In this way
- your bridge can be configured to pass or reject non IP protocols. So add
- this line just below the two lines near the top of
- /etc/rc.firewall that deal with
- lo0 (the ones that say that you should almost
- never change those two rules).
-
- ${fwcmd} add allow udp from 0.0.0.0 2054 to 0.0.0.0
-
- This rule makes almost no sense at all from a normal perspective on
- IPFIREWALL, but the bridge code will use it to pass ARP packets without
- restriction (which you almost certainly want to do).
-
- Now you should be able to reboot your machine and have it act no
- differently than it did before. There will be some new boot messages
- about bridging, but the bridging will not be enabled. If there are any
- problems, you should try and sort them out at this point before
- proceeding.
+ Before rebooting in order to load the new kernel or the required
+ modules (according to the previously choosen installation method), you
+ have to make some changes to the /etc/rc.conf
+ configuration file. The default rule of the firewall is to reject all IP
+ packets. Initially we'll set up an 'open' firewall, in order to verify
+ its operation without any issue related to packet filtering (in case you
+ are going to execute this procedure remotely, such configuration will
+ avoid you to remain isolated from the network). Put these lines in
+ /etc/rc.conf:
+
+ firewall_enable="YES"
+firewall_type="open"
+firewall_quiet="YES"
+firewall_logging="YES"
+
+ The first row will enable the firewall (and will load the module
+ ipfw.ko if it is not compiled in the kernel), the
+ second one to set up it in 'open' mode (as explained in
+ /etc/rc.firewall), the third one to not show rules
+ loading and the fourth one to enable logging support.
+
+ About the configuration of the network interfaces, the most used way
+ is to assign an IP to only one of the network cards, but the bridge will
+ work equally even if both interfaces or none has a configured IP. In the
+ last case (IP-less) the bridge machine will be still more hidden, as
+ inaccessible from the network: to configure it, you have to login from
+ console or through a third network interface separated from the bridge.
+ Sometimes, during the system startup, some programs require network
+ access, say for domain resolution: in this case it is necessary to
+ assign an IP to the external interface (the one connected to Internet,
+ where DNS server resides), since the bridge will be
+ activated at the end of the startup procedure. It means that the
+ fxp0 interface (in our case) must be mentioned
+ in the ifconfig section of the /etc/rc.conf file,
+ while the xl0 is not. Assigning an IP to both
+ the network cards does not make much sense, unless, during the start
+ procedure, applications should access to services on both Ethernet
+ segments.
+
+ There is another important thing to know. When running IP over
+ Ethernet, there are actually two Ethernet protocols in use: one is IP,
+ the other is ARP. ARP does the
+ conversion of the IP address of a host into its Ethernet address
+ (MAC layer). In order to allow the communication
+ between two hosts separated by the bridge, it is necessary that the
+ bridge will forward ARP packets. Such protocol is not
+ included in the IP layer, since it exists only with IP over Ethernet.
+ The FreeBSD firewall filters exclusively on the IP layer and therefore
+ all non-IP packets (ARP included) will be forwarded
+ without being filtered, even if the firewall is configured to not permit
+ anything.
+
+ Now it's time to reboot the system and use it as before: there will
+ be some new messages about the bridge and the firewall, but the bridge
+ will not be activated and the firewall, being in 'open' mode, will not
+ avoid any operations.
+
+ If there are any problems, you should try and sort them out now
+ before proceeding.
- Enabling The Bridge
-
- Next, you should do this:
-
- &prompt.root; sysctl -w net.link.ether.bridge_ipfw=1
-&prompt.root; sysctl -w net.link.ether.bridge=1
-
- At this point, the bridge should be enabled, and because of the
- previous changes to /etc/rc.conf, the firewall
- should be wide open. At this point, you should be able to insert the
- machine between two sets of hosts and go back and forth without
- difficulty. If so, the next step is to add those two sysctl lines to
- either /etc/rc.local or add the net.link.[blah
- blah]=1 portions of the lines to /etc/sysctl.conf
- (which path you take depends on what version of FreeBSD you
- have).
-
- Now before we started all of this, you should have had a machine
- with two Ethernet interfaces, but with only one of them configured. That
- is, there should only be one ifconfig line
- /etc/rc.conf. With the bridge in place, that is
- still true. But there is a detail that deserves some thought. The
- bridge is not in place by default. That means that until the sysctls
- are run that turn the bridge on, rather late in the startup, it is still
- an ordinary machine with two interfaces, only one of which is configured
- by /etc/rc.conf. This becomes important for those
- portions of the startup that require network access, say for DNS
- resolution. Some care must be made in picking which interface is going
- to be the configured one. In most cases, you are best to pick the
- outside one (that is, the interface connected to the Internet). Let's
- presume for the sake of the examples to come, that
- fxp0 is the outside interface, and
- fxp1 is the inside one. That means that fxp0
- should be mentioned in /etc/rc.conf's ifconfig
- sections, but fxp1 should not be. The sysctl
- that turns the bridge on will make fxp1 start
- working automagically.
+ Enabling the Bridge
+
+ At this point, to enable the bridge, you have to execute the
+ following commands (having the shrewdness to replace the names of the
+ two network interfaces fxp0 and
+ xl0 with your own ones):
+
+ &prompt.root; sysctl net.link.ether.bridge_cfg=fxp0:0,xl0:0
+&prompt.root; sysctl net.link.ether.bridge_ipfw=1
+&prompt.root; sysctl net.link.ether.bridge=1
+
+ The first row specifies which interfaces should be activated by the
+ bridge, the second one will enable the firewall on the bridge and
+ finally the third one will enable the bridge.
+
+ At this point you should be able to insert the machine between two
+ sets of hosts without compromising any communication abilities between
+ them. If so, the next step is to add the
+ net.link.ether.[blah]=[blah]
+ portions of these rows to the /etc/sysctl.conf
+ file, in order to have them execute at startup.
-
+
Configuring The Firewall
-
- Now it is time to start adding ipfirewall rules to secure the inside
- network. There are some complications in doing this because not all of
- the ipfirewall functionality is available on bridged packets. Also,
- there is a difference between packets that are in the process of being
- bridged and packets that are being received by the local machine. In
- general, packets being bridged are only run through ipfirewall once, not
- twice as is usually the case. Bridged packets are filtered while they
- are being received, so rules that use out or xmit will never match.
- I usually use in via which is an older syntax, but one that makes
- sense as you read it. Another limitation is that you are restricted
- only to pass or drop for filtering bridged packets. Sophisticated
- things like divert or forward or reject are not available. Such
- options can still be used, but only on traffic to or from the bridge
- machine itself.
-
- New in FreeBSD 4.0 is the concept of stateful filtering. This is a
- big boost for UDP traffic, which typically is a request going out,
- followed shortly thereafter by a response with the exact same set of IP
- addresses and port numbers (but with source and dest reversed, of
- course). For firewalls that have no statekeeping, there is almost no
- way to deal with this sort of traffic short of setting up proxies. But
- a firewall that can remember an outgoing UDP packet and for the next
- few minutes allow a response, handling UDP services is trivial. The
- example to follow shows how to do this. The truly paranoid can also set
- up rules like this to handle TCP. This allows you to avoid some sorts
- of denial of service attacks or other nasty tricks, but it also
- typically makes your state table mushroom in size.
-
- Let's look at an example setup. Note first that at the top of
- /etc/rc.firewall we should already have taken care
- of the loopback interface and the special hack for ARP should still be
- in place. So we will not worry about them any further.
-
-us_ip=192.168.1.1
-oif=fxp0
-iif=fxp1
-
-# Things that we've kept state on before get to go through in a hurry.
-${ipfw} add check-state
-# Throw away RFC 1918 networks
-${ipfw} add deny log ip from 10.0.0.0/8 to any in via ${oif}
-${ipfw} add deny log ip from 172.16.0.0/12 to any in via ${oif}
-${ipfw} add deny log ip from 192.68.0.0/16 to any in via ${oif}
+ Now it is time to create your own file with custom firewall rules,
+ in order to secure the inside network. There will be some complication
+ in doing this because not all of the firewall functionalities are
+ available on bridged packets. Furthermore, there is a difference between
+ the packets that are in the process of being forwarded and packets that
+ are being received by the local machine. In general, incoming packets
+ are run through the firewall only once, not twice as is normally the
+ case; in fact they are filtered only upon receipt, so rules that use
+ 'out' or 'xmit' will never match. Personally, I use 'in via' which is an
+ older syntax, but one that has a sense when you read it. Another
+ limitation is that you are restricted to use only 'pass' or 'drop'
+ commands for packets filtered by a bridge. Sophisticated things like
+ 'divert', 'forward' or 'reject' are not available. Such options can
+ still be used, but only on traffic to or from the bridge machine itself
+ (if it has an IP address).
+
+ New in FreeBSD 4.0, is the concept of stateful filtering. This is a
+ big improvement for UDP traffic, which typically is a
+ request going out, followed shortly thereafter by a response with the
+ exact same set of IP addresses and port numbers (but with source and
+ destination reversed, of course). For firewalls that have no
+ statekeeping, there is almost no way to deal with this sort of traffic
+ as a single session. But with a firewall that can "remember" an outgoing
+ UDP packet and, for the next few minutes, allow a
+ response, handling UDP services is trivial. The
+ following example shows how to do it. It's possible to do the same thing
+ with TCP packets. This allows you to avoid some
+ denial of service attacks and other nasty tricks, but it also typically
+ makes your state table grow quickly in size.
+
+ Let's look at an example setup. Note first that at the top of
+ /etc/rc.firewall there are already standard rules
+ for the loopback interface lo0, so we shouldn't
+ have to care for them anymore. Custom rules should be put in a separate
+ file (say /etc/rc.firewall.local) and loaded at
+ system startup, by modifying the row of
+ /etc/rc.conf where we defined the 'open'
+ firewall:
+
+ firewall_type="/etc/rc.firewall.local"
-# Allow the bridge machine to say anything it wants (keep state if UDP)
-${ipfw} add pass udp from ${us_ip} to any keep-state
-${ipfw} add pass ip from ${us_ip} to any
+
+ You have to specify the full path, otherwise
+ it will not be loaded with the risk to remain isolated from the
+ network.
+
-# Allow the inside net to say anything it wants (keep state if UDP)
-${ipfw} add pass udp from any to any in via ${iif} keep-state
-${ipfw} add pass ip from any to any in via ${iif}
+ For our example imagine to have the fxp0
+ interface connected towards the outside (Internet) and the
+ xl0 towards the inside
+ (LAN). The bridge machine has the IP 1.2.3.4 (it is not possible that your
+ ISP can give you a class A address like this, but for
+ our example it is good).
-# Allow all manner of ICMP
-${ipfw} add pass icmp from any to any
+ # Things that we have kept state on before get to go through in a hurry
+add check-state
+
+# Throw away RFC 1918 networks
+add drop all from 10.0.0.0/8 to any in via fxp0
+add drop all from 172.16.0.0/12 to any in via fxp0
+add drop all from 192.68.0.0/16 to any in via fxp0
+
+# Allow the bridge machine to say anything it wants
+# (if the machine is IP-less don't include these rows)
+add pass tcp from 1.2.3.4 to any setup keep-state
+add pass udp from 1.2.3.4 to any keep-state
+add pass ip from 1.2.3.4 to any
+
+# Allow the inside hosts to say anything they want
+add pass tcp from any to any in via xl0 setup keep-state
+add pass udp from any to any in via xl0 keep-state
+add pass ip from any to any in via xl0
# TCP section
-# established TCP sessions are ok everywhere.
-${ipfw} add pass tcp from any to any established
-# Pass the "quarantine" range.
-${ipfw} add pass tcp from any to any 49152-65535 in via ${oif}
+# Allow SSH
+add pass tcp from any to any 22 in via fxp0 setup keep-state
+# Allow SMTP only towards the mail server
+add pass tcp from any to relay 25 in via fxp0 setup keep-state
+# Allow zone transfers only by the slave name server [dns2.nic.it]
+add pass tcp from 193.205.245.8 to ns 53 in via fxp0 setup keep-state
# Pass ident probes. It's better than waiting for them to timeout
-${ipfw} add pass tcp from any to any 113 in via ${oif}
-# Pass SSH.
-${ipfw} add pass tcp from any to any 22 in via ${oif}
-# Pass DNS. Only if you have name servers inside.
-#${ipfw} add pass tcp from any to any 53 in via ${oif}
-# Pass SMTP to the mail server only
-${ipfw} add pass tcp from any to mailhost 25 in via ${oif}
+add pass tcp from any to any 113 in via fxp0 setup keep-state
+# Pass the "quarantine" range
+add pass tcp from any to any 49152-65535 in via fxp0 setup keep-state
# UDP section
-# Pass the "quarantine" range.
-${ipfw} add pass udp from any to any 49152-65535 in via ${oif}
-# Pass DNS. Only if you have name servers inside.
-#${ipfw} add pass udp from any to any 53 in via ${oif}
+# Allow DNS only towards the name server
+add pass udp from any to ns 53 in via fxp0 keep-state
+# Pass the "quarantine" range
+add pass udp from any to any 49152-65535 in via fxp0 keep-state
+
+# ICMP section
+# Pass 'ping'
+add pass icmp from any to any icmptypes 8 keep-state
+# Pass error messages generated by 'traceroute'
+add pass icmp from any to any icmptypes 3
+add pass icmp from any to any icmptypes 11
# Everything else is suspect
-${ipfw} add deny log ip from any to any
+add drop log all from any to anyThose of you who have set up firewalls before may notice some things
- missing. In particular, there are no anti-spoofing rules. That is,
- we did not add:
+ missing. In particular, there are no anti-spoofing rules, in fact we did
+ not add:
- ${ipfw} add deny ip from ${us_ip}/24 to any in via ${oif}
+ add deny all from 1.2.3.4/8 to any in via fxp0
- That is, drop packets claiming to be from our network that are
- coming in from the outside. This is something that you would commonly
- do to make sure that someone does not try and evade the packet filter by
+ That is, drop packets that are coming in from the outside claiming
+ to be from our network. This is something that you would commonly do to
+ be sure that someone does not try and evade the packet filter, by
generating nefarious packets that look like they are from the inside.
- The problem with that is that there is at least one host on the outside
- interface that you do not want to ignore—your router. In my
- particular case, I have some machines on the outside and some on the
- inside, but I do not necessarily want the outside machines to have
- routine access to the inside. At the same time, I do not want to throw
- their traffic away. In my own case, my ISP anti-spoofs at their router,
- so I do not need to bother. And in general, the fewer rules the better,
- since it will take time and CPU to process each one.
-
- Note also that the last rule is almost an exact duplicate of the
- default rule 65536. There are two major differences when it comes to
- bridging, however. Our rule logs what it drops, of course, but our rule
- will only apply to IP traffic. Apart from the UDP
- 0.0.0.0 trick there is no way to deal
- with non IP traffic, so the default rule at 65536 will drop ALL traffic,
- not merely all non-IP traffic. So the net effect is that unmatched IP
- traffic will be logged, but not non-IP traffic. If you want, you can
- add option IPFIREWALL_DEFAULT_TO_ACCEPT to your
- kernel configuration and
- non-IP traffic will be passed instead of dropped. But in the case of a
- filtering bridge between you and the Internet, it is unlikely that you
- would want to do this (if you are sufficiently paranoid).
-
- There is a rule for passing SMTP to a mailhost if you have one.
- Obviously the whole ruleset above should be flavored to taste, and
- that is an example of a specific service exemption. Note that
- in order for mailhost to work, name service lookups must work
- BEFORE the bridge is enabled. This is an example of making sure
- that you enable the correct interface.
-
- Another item to note is that the DNS rules are set up only to
- allow DNS servers to work. This means that if do not set up a
- DNS server, you do not need them.
-
- Folks used to setting up IP firewalls also probably are used to
- either having a reset or a forward rule for ident packets
- (TCP port 113). Unfortunately, this is not an option with the
- bridging code, so the path of least resistance is to simply pass
- them to their destination. As long as that destination machine
- is not running an ident daemon, this is relatively harmless.
- The alternative is dropping port 113 connections, which makes
- firing up things like IRC take forever (the ident probe must
+ The problem with that is that there is at least one
+ host on the outside interface that you do not want to ignore: the
+ router. But usually, the ISP anti-spoofs at their
+ router, so we do not need to bother that much.
+
+ The last rule seems to be an exact duplicate of the default rule,
+ that is, do not let anything pass that is not specifically allowed. But
+ there is a difference: all suspected traffic will be logged.
+
+ There are two rules for passing SMTP and
+ DNS traffic towards the mail server and the name
+ server, if you have them. Obviously the whole rule set should be
+ flavored to personal taste, this is only a specific example (rule format
+ is described accurately in the &man.ipfw.8; man page). Note that in
+ order for 'relay' and 'ns' to work, name service lookups must work
+ before the bridge is enabled. This is an example of
+ making sure that you set the IP on the correct network card.
+ Alternatively it is possible to specify the IP address instead of the
+ host name (required if the machine is IP-less).
+
+ People that are used to setting up firewalls are probably also used
+ to either having a 'reset' or a 'forward' rule for ident packets
+ (TCP port 113). Unfortunately, this is not an
+ applicable option with the bridge, so the best thing is to simply pass
+ them to their destination. As long as that destination machine is not
+ running an ident daemon, this is relatively harmless. The alternative is
+ dropping connections on port 113, which creates some problems with
+ services like IRC (the ident probe must
timeout).
- The only other thing that is a little weird that you may have noticed
- is that there is a rule to let ${us_ip} speak and a separate rule to
- allow the inside network to speak. Remember that this is because the
- two sets of traffic will be taking different paths through the kernel
- and into the packet filter. The inside net will be going through the
- bridge code. The local machine, however, will be using the normal IP
- stack to speak. Thus the two rules to handle the different cases. The
- in via ${oif} rules work for both paths. In general if you use in via
- rules throughout the filter, you will need to make an exception for
- locally generated packets, because they did not come in via
- anything.
+ The only other thing that is a little weird that you may have
+ noticed is that there is a rule to let the bridge machine speak, and
+ another for internal hosts. Remember that this is because the two sets
+ of traffic will take different paths through the kernel and into the
+ packet filter. The inside net will go through the bridge, while the
+ local machine will use the normal IP stack to speak. Thus the two rules
+ to handle the different cases. The 'in via
+ fxp0' rules work for both paths. In general, if
+ you use 'in via' rules throughout the filter, you will need to make an
+ exception for locally generated packets, because they did not come in
+ via any of our interfaces.Contributors
- To some extent the material for this discussion is a combination of
- the items that were discussed by Luigi Rizzo in his Dummynet lecture at
- FreeBSDcon '99 and by Mark Murray during his Network Security lecture.
- In addition, for quite some time now I have been putting together
- filtering bridges for friends and colleagues who were getting DSL
- connections for their home.
-
-
+ Many parts of this article have been taken, updated and adapted from
+ an old text about bridging, edited by Nick Sayer. A pair of inspirations
+ are due to an introduction on bridging by Steve Peterson.
+
+ A big thanks to Luigi Rizzo for the implementation of the bridge
+ code in FreeBSD and for the time he has dedicated to me answering all of
+ my related questions.
+ A thanks goes out also to Tom Rhodes who looked over my job of
+ translation from Italian (the original language of this article) into
+ English.
+
+