transparent bridge ~ firewall

Brian W. brian at brianwhalen.net
Wed May 21 16:28:25 UTC 2014


Pfsense comes to mind as a good way to do this. Dummynet is also an option.

Bw
On May 21, 2014 8:56 AM, "Ian Smith" <smithi at nimnet.asn.au> wrote:

> On Wed, 21 May 2014 10:26:24 +0700, Olivier Nicole wrote:
>
>  > >  > > So that firewall rules can be applied between those two transparent
>  > >  > > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
>  > >  > > or re-direct.
>  > > I'm not clear on what 're-direct' means in the context of a transparent
>  > > bridge, if it's not doing any routing?  But pressing on ..
>  >
>  > I don't know either, would have to ask the OP :)
>
> I kinda thought I was - but should have preceded that with [Jim] :)
>
>  > > satellite gateway/NAT/proxy box - largely outside our control - and our
>  > > internal gateway / router for about a dozen machines, incl some wifi.
>  >
>  > I am sure that was prior 2004. Or maybe just around, I remember it had ipfw2.
>
> Checking archives, I see that (the old) bridge.ko still had some issues
> back then, needed compiling into kernel and some arp magic.  Anyway this
> is way too much nostalgia for many, I expect ..
>
>  > >  > I have switched to zeroshell since because I needed captive portal too
>  > >  > and neither monowall nor pf sense did offer captive portal on bridged
>  > >  > interfaces when I did the change.
>
> Just had another look at m0n0 again after many years, still looks great
> for small boxes like PCengines, Soekris and such, and considered pfsense
> to replace a Linux IPCop router more recently, but I'm about done being
> a volunteer sysadmin these days, and never came across zeroshell.
>
>  > > Not cluey on captive portals, but we had a fairly extensive firewall
>  > > with dummynet shaping, plus local webserver/samba/etc, setup by a
>  > > colleague, also running from the bridge box .. all the client boxes just
>  > > ran from a switch.
>  >
>  > Captive portal is the authentication for outgoing users: you open any
>  > web page and get redirected to a login page, then the outgoing
>  > firewall is open for your IP.
>
> Ah, right.  Apart from bandwidth shaping and some port restriction those
> cats went largely unherded; they couldn't get into too much mischief on a
> 256kbps sat down / 128kbps ISDN up link, in a small rural town otherwise
> limited to 56kbps dialup - though in retrospect it would've been useful.
>
>  > >  > I am pretty sure that monowall and pfsense do offer bridged interfaces.
>  > > As does ipfw.  I'd have to do some serious digging through backups to
>
>  > > http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/
>  >
>  > I am mentioning monowall and pfsense because they are built on FreeBSD
>  > and offer a simple and fully manageable configuration tool: for
>  > someone not really sure how to bridge interfaces, using a tool with a
>  > configuration interface may help.
>
> Indeed, agreed.  Not hard to install and evaluate either fairly quickly.
>
> cheers, Ian
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
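Olivier's description of a captive portal above, together with the "allow", "drop" or "re-direct" verdicts the original question asked a transparent bridge for, as an added model that is not code from the thread or from m0n0wall, pfSense or zeroshell. The portal address, the session lifetime and the decision to let DNS through before login are assumptions made for the example.

```python
"""Model of captive-portal gating on a transparent (non-NAT, non-routing) bridge."""
from dataclasses import dataclass, field

PORTAL_IP = "192.0.2.1"   # assumption (constructed): host serving the login page
SESSION_TTL = 3600        # assumption: seconds an authenticated IP stays open


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class CaptivePortalBridge:
    """Per-packet verdicts: 'allow', 'drop' or 'redirect' (to the login page)."""
    sessions: dict = field(default_factory=dict)   # source IP -> expiry time

    def login(self, src: str, now: float) -> None:
        # Successful web login opens the outgoing firewall for that IP only.
        self.sessions[src] = now + SESSION_TTL

    def authenticated(self, src: str, now: float) -> bool:
        expiry = self.sessions.get(src)
        if expiry is None:
            return False
        if expiry <= now:
            del self.sessions[src]   # stale session: fall back to the portal
            return False
        return True

    def verdict(self, pkt: Packet, now: float) -> str:
        # Traffic to the portal itself must always pass, or nobody could log in.
        if pkt.dst == PORTAL_IP:
            return "allow"
        if self.authenticated(pkt.src, now):
            return "allow"
        # Assumption: DNS is let through so a browser can resolve a name and
        # then hit the HTTP redirect; everything else from unknown hosts drops.
        if pkt.proto == "udp" and pkt.dport == 53:
            return "allow"
        if pkt.proto == "tcp" and pkt.dport == 80:
            return "redirect"   # "open any web page and get redirected to login"
        return "drop"
```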

