I have stumbled onto a problem with the bridging code (options BRIDGE) with
IPFIREWALL. Please review my beautiful ASCII art below.
                    Internet
                       |
                  ----------
                  | Host A |
                  ----------
                       |
                       | 24.2.0.1
                      / \
                     /   \
                    /     \
                   /       \
        24.2.0.1  |         |  24.2.0.2
                  |         |
             ----------  ----------
             | Host B |  | Host C |
             ----------  ----------
In this case, Host A has two NICs. The external interface is not assigned
an IP address but the internal interface is assigned 24.2.0.1 (example IP
only). Host A is running the in-kernel bridging code so that Host B and
Host C can have public IP addresses instead of using NAT. Host A is also a
firewall that protects itself and Hosts B and C.
The problem rears its ugly head when I start with both Host B and Host C
down. If I start Host B first, all is well: it can communicate with the
Internet and with Host A. If I then start Host C, all becomes "unwell".
Both Host B and C can still communicate with the Internet, but they cannot
communicate with Host A. Most often the rest of the net cannot communicate
with Host A either. isc-dhcpd is running on Host A and it assigns IP
addresses to Hosts B and C. Thus, I need the public IP address for Host A
assigned to the internal NIC (?). Why would Host A suddenly drop off the
face of the earth when Host C comes up and yet bridging still functions
normally for access to the Internet??? Adding 'ipfw add 1 pass all from
any to any' to Host A has not opened up access to Host A. So something more
sinister is at work here.
If I change the bridging code over to NETGRAPH, this scenario does not
happen. All communication works just fine between all the hosts and the
Internet; however, all firewall rules that would apply to Hosts B and C seem
to quit working. In other words, all the hosts except for Host A are
left completely unprotected. I have tried using IPFILTER with both the
in-kernel bridging code and NETGRAPH and have come to the same conclusion.
There is no way to filter the bridged packets.
So, I have a dilemma. How do I get bridging to work and yet firewall the
bridged packets, and still keep Host A on the Internet?
I am aware that bridging was not originally intended to bridge across
interfaces that themselves have IP addresses, yet this seems to be a common
thing. The new bridging code in Linux was designed to do just that, but I
would prefer not to have to play with that on my production machine.
The closest I have come to a solution currently is to use ipfilter with
ipnat and bimap to simulate the same thing. But it isn't the same thing. I
really do need public access to these IP addresses and I need them
firewalled en route to the Internet.
Would Proxy ARP subnetting accomplish the same thing? Can I do this on
FreeBSD with any ease?
Can anybody help me with this?
Thanks for reading this far :)
Thanks in advance for any assistance,
Tom Veldhouse
[EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-stable" in the body of the message