Transparent bridging firewall

I had occasion today to set up a transparent bridging firewall. It's basically a computer that sits on the wire and silently drops packets matching certain rules.

In my case I wanted to restrict traffic to certain subnets without disturbing anything. So I took a Pentium Pro based HP Vectra (I'm telling you, those old HPs never die!) and put in two PCI-based ethernet cards, an Intel card and a trusty 3Com 905. It was nice that I had two different cards lying around, since they can be easily identified within FreeBSD by their separate interfaces (fxp0 and xl0, respectively). I installed FreeBSD 6.2 from a CD with minimal settings -- in particular, I declined to configure the network interface cards.

After install, I added the following line to /boot/loader.conf:

if_bridge_load="YES"

Added the following lines to /etc/rc.conf to force the two ethernet interfaces up and set up the bridge.

ifconfig_fxp0="up"
ifconfig_xl0="up"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm xl0 up"
firewall_enable="YES"
firewall_type="/etc/rc.firewall.local"
firewall_quiet="YES"
firewall_logging="YES"

Added the following to /etc/sysctl.conf:

net.link.bridge.ipfw=1
net.link.bridge.ipfw_arp=0

Then I added ipfw rules to /etc/rc.firewall.local.
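The post does not show the ruleset itself. The file below is an added example of what /etc/rc.firewall.local could contain for the "restrict traffic to certain subnets" case, not the author's own rules; the subnets 192.0.2.0/24 and 198.51.100.0/24 are constructed placeholders. Because firewall_type names a file, rc.firewall hands that file to ipfw(8) (as ipfw -q /etc/rc.firewall.local), so each line is a rule in ipfw syntax without the leading ipfw command.

```ipfw
# /etc/rc.firewall.local  (added example; 192.0.2.0/24 and 198.51.100.0/24 are
# placeholders for the subnets that are allowed to talk across the bridge)
#
# rc.firewall loads this file with: ipfw -q /etc/rc.firewall.local
# so every line here is an ipfw(8) rule without the leading "ipfw".

# Frames between the two permitted subnets may cross the bridge in either
# direction. The box has no IP address of its own, so every frame ipfw sees
# is bridged traffic; no rule for the host itself is needed.
add 100 allow ip from 192.0.2.0/24 to 198.51.100.0/24
add 110 allow ip from 198.51.100.0/24 to 192.0.2.0/24

# ARP is not listed because net.link.bridge.ipfw_arp=0 in /etc/sysctl.conf
# keeps ARP out of ipfw entirely; hosts on both sides can still resolve each
# other. With ipfw_arp=1 an explicit ARP allow rule would be required, or
# the catch-all deny below would silently break address resolution.

# Everything else is dropped and logged. firewall_logging="YES" in rc.conf
# turns on net.inet.ip.fw.verbose, so matches go to syslog; logamount caps
# the number of log lines this rule may emit so a flood cannot fill the disk
# of a machine that can only be reached from its console.
add 65000 deny log logamount 500 ip from any to any
```

ipfw -a list prints per-rule packet and byte counters, which is the quickest way to confirm from the console that bridged frames are matching the allow rules rather than falling through to the catch-all deny.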

Note that I did not assign an IP address to either network card. That means the only way into the machine is through the console, and the only way to tell that it's there on the wire is to guess because response time is a tiny bit longer.

So far it looks like even a Pentium Pro is overkill.
