
Kinda advanced question on bridging firewall config

  I already opened a change-request on this with sendbug, because I
don't think it's working the way it ought to.  I'm doing my own testing
as well, but I thought I'd also ask on the list if anybody else is
doing this kind of configuration successfully.

  I'm trying to set up my OpenBSD box as a transparent IP firewall -
not doing NAT - within a single small IP subnet which includes the
router, the OpenBSD box, and several other computers.  I want to let
all the computers on the inside keep their current static (and
Internet-routable) IP addresses, by using bridging on OpenBSD without
having to use two subnets and route between the inside and outside
nets.  The idea is to protect my home network without needing to do all
kinds of helper proxies on the firewall, like NAT requires for
protocols like RealAudio etc.

  That sounds confusing, so maybe a diagram would help.  Let's say the
subnet is x.y.z.0/29 (i.e. there are 8 addresses, minus the network 0
address, router address (.1) and broadcast address (.7)).

  (no IP address)                 x.y.z.1
 [ADSL "modem"] - ADSL(bridged)- [ISP router] - Internet   
   |                              * Default gateway for whole network!
   | 10BaseT
   | ne3
 [OpenBSD box] x.y.z.6  
   | ne4
   | 10BaseT
  (10BaseThub)--10BaseT--[PC 1] x.y.z.2
           | |
           | +--10BaseT--[Mac 1] x.y.z.3
           +----10BaseT--[PC 2] x.y.z.4

  If this configuration worked, it would be entirely transparent to the
inside computers that they are going through the firewall, but they'd
be under its protection (and also able to access it directly as a
server under its own address.) According to the docs, I should be able
to do this by defining a bridged interface including Ethernet
interfaces ne3 and ne4, and have IP traffic passed between them under
the control of IP filters.

  In reality, ifconfig doesn't let me assign the x.y.z.6 address to the
bridged interface (which would be logical) and if I assign it to either
one of the interfaces ne3 or ne4, the OpenBSD machine won't "see"
anything on the other subnets, so everything on the inside of the
firewall ends up cut off from the Internet.

  Has anybody else played with bridging and gotten anything like this
to work - where the OpenBSD system is communicating via IP with both
sides of the bridge - or does anyone have an alternate suggestion for
making this general layout work without using NAT or ending up
losing a bunch of IP addresses by re-subnetting?

  -- Clifton

 Clifton Royston  --  LavaNet Systems Architect --  cliftonr_(_at_)_lava_(_dot_)_net
        "An absolute monarch would be absolutely wise and good.  
           But no man is strong enough to have no interest.  
             Therefore the best king would be Pure Chance.  
              It is Pure Chance that rules the Universe; 
          therefore, and only therefore, life is good." - AC
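For readers who want to see the layout above written out, here is an added example (not from the original post, and not taken from OpenBSD's own documentation) of how the bridged ne3/ne4 firewall would be expressed on a current OpenBSD release. It assumes modern hostname.if(5) and pf(4) syntax rather than the IPF of the original, uses 192.0.2.0/29 as a placeholder for x.y.z.0/29, puts the firewall's address on the outside member ne3, and its filter policy (deny inbound from the Internet, allow inside-originated traffic and SSH to the firewall from the LAN) is illustrative only.

```conf
# /etc/hostname.ne3  -- outside member, toward the ISP router (x.y.z.1)
# The bridge itself carries no IP address; the firewall's own address
# goes on a member interface instead.
inet 192.0.2.6 255.255.255.248

# /etc/mygate  -- default gateway is the ISP router from the diagram
192.0.2.1

# /etc/hostname.ne4  -- inside member, toward the hub and the LAN hosts
up

# /etc/hostname.bridge0  -- bridge(4) joining the two Ethernet ports.
# Frames are forwarded by MAC address, so inside hosts keep their
# routable addresses and no second subnet or NAT is needed.
add ne3
add ne4
up

# /etc/pf.conf  -- pf(4) sees every bridged IP packet twice: once "in"
# on the member it arrived on and once "out" on the member it leaves by.
# ARP and other non-IP frames are forwarded by the bridge untouched.
ext_if = "ne3"
int_if = "ne4"
lan    = "192.0.2.0/29"
fw     = "192.0.2.6"

set skip on lo0

# Default deny: this is what blocks unsolicited Internet traffic to the
# inside hosts (it arrives "in" on ne3 and matches no pass rule).
block log all

# Inside-originated traffic: state is created when the packet enters on
# ne4; the same state matches when it leaves on ne3 and again when the
# reply comes back in on ne3, so no separate reply rule is required.
pass in  on $int_if inet from $lan to any
pass out on $ext_if inet from $lan to any

# Management of the firewall itself, from the LAN side only.
pass in  on $int_if inet proto tcp from $lan to $fw port ssh
```

Because the firewall's own address lies inside $lan, the `pass out on $ext_if` rule also covers the box's own outbound connections; anything else addressed to the firewall from either side is dropped by the default rule.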
