OpenBSD Journal

HOWTO: Transparent Packet Filtering with OpenBSD

Contributed by jose on from the stealthy-packeteering dept.

chris writes :
"This month's Daemon News has an article about transparent packet filtering (bridged firewall) using OpenBSD/PF."
You can find the article on the DaemonNews site. This month also features a discussion about setting up ISC's DHCP server suite (under FreeBSD, but most of the discussion carries over).


  1. By fansipans () on

    bridge mode filtering is a fabulous addition to any network that already has an openbsd box doing nat stuff, just throw in two more network cards into your nat box (one for incoming bridge packets, and another for outgoing) then just add the rules as described in this article and other available documentation, and you've got more protection for your existing computers

    1. By RC () on

There's not much point to doing transparent filtering on as well as NAT (especially on the same box). You might as well just do standard PF.

      1. By fansipans () on

a number of factors go into it: a limited number of publicly available ips, legacy computers which cannot be modified to use a different ip (think horribly ugly lotus notes programs with every url hardcoded) and computers which even given a surplus of ips should not be in the public domain (think private cvs server, testbed development computers and totally untrustable windows machines). so, there is a point actually. but just for me. none of these reasons apply to anyone else though =D

        1. By RC () on

          Well I made that comment because you said you also have a box doing NAT. Given that, you could just as well be doing PF on that same NAT box.

I'm not going to say there's no situation where a packet-filtering bridge would be necessary, but I seriously doubt that there is, and certainly can't think of any such situation.

          1. By Michael Anuzis () on

            One example use of transparent bridge firewalls that comes to mind right off the bat is in running a honeynet.

            A transparent bridge is nearly completely invisible to the hacker(s) involved because it has no IP addresses, so it's able to log everything to/from a honeypot without the attacker having any clue as to its existence, giving the potential for a honeypot with much more realistic features.

          2. By fansipans () on

            well a single openbsd machine performing nat for a private network to access the world through one ip, and transparent bridge filtering for a few other computers close by happened to be a great solution to a problem i'd had recently, what i'm trying to encourage in people my mentioning this is that it's okay to think outside the box. you can have a nat+pf box do work for more than one set of computers, you can have more than two network cards in a firewall, you can setup pf in front of a dozen production servers without changing a single bit on said production servers =] the question is what do you need and what makes sense for that need?

          3. By Frank K () on

If you only got one IP from your ISP and at the same time want to filter by MAC address for some reason.

One example I believe would be that if you always rely on your laptop, you could use it for administration wherever you are in the world..

            - Frank

        2. By Cindy () on

What the hell is wrong with Lotus Notes? If you have to support Lotus Notes Programs/Databases which are poorly written that is not the fault of Lotus Notes. Url names rarely change, but IP addresses do, having a url hardcoded is a lot better than having an IP address hardcoded.

          -- Cindy

          1. By Sean () on

            Interesting, what does Lotus Notes have to do with transparent bridging on OpenBSD :)

            1. By Cindy () on

If you read the comments above, it refers to Lotus Notes as being a problem. And since the comment was posted, I felt it allowed me to comment on it.

              In case you didn't read the comment I have copied and pasted it below. " (think horribly ugly lotus notes programs with every url hardcoded) "


  2. By Anonymous Coward () on

    This is great, next could be how to access your firewall remotely if it doesn't have any IP addresses. A third interface connected to the inside? What snags with adding a third interface?

I suppose you can get pfstat to graph packets just as easily in bridge mode (have not tried it myself yet) but you need to be able to get to the box to view the graphs.

    I'm glad to see articles coming out more and more, all add to the universe of knowledge.

    1. By jose () on

      the same way you do with a regular bridge or appliance firewall: serial console. works for me, and i never firewall myself off line.

      1. By Dom () on

Good policy, but if it's an onsite box, managing it through the net is no problem. I actually bind an IP to the "inside" (bridged) interface and things are fine. This didn't work prior to v3.0.

        MRTG works a treat on monitoring the bridged interfaces, and I even send SNMP queries out of the box to monitor my external router etc.

        Oh, and I even have IP forwarding on for those times when you need NAT, e.g. via a VPN :-)

    2. By Chris "Saundo" Saunderson () on

      Put the 3rd interface in or use the serial console.

      I remember hearing Tom Limoncelli describe the bridged firewall in 98 and his solution was to put a 3rd interface into the box.

      Alternatively, you could just bind an address on the internal interface and manage by that, but I think that if you're in a production environment, your terminal server gives a more secure method of managing that environment. Presuming that your term server is also secure, but that's a different story.

  3. By jolan () on

    Okay. It scares me greatly that a guy who says you need to reboot to set-up a bridge and activate pf is writing a book about OpenBSD.

    1. By Sean () on

      It doesn't take a reboot to set up a bridge, but the guy meant "reboot and verify", reboot just to check that all works fine... IMHO.

    2. By Some guy () on

      Think of it as a spell-checker. If I just added a mistake to an init script, I'd rather find it and fix it now, than next year when I'm rebooting the server for some unrelated reason. By then, I won't remember what I'm doing today.

  4. By zil0g () on

    hey how about doing NAT on a bridging OBSD box?
    just 'snort' the interfaces and NAT the relevant ips.
    w00h00 invisible NAT!
    nothing can stop us now!


    1. By jonathan () on

      er, the reason the bridge is invisible is that the nics have no ip addresses.

  5. By Scooter () on

    How To?

    Transparent Bridging Router with Razor and SpamAssassin filtering doing NAT with 3+ NICs.

    nevermind about that XML - just a reflex
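Two points in the thread above are concrete enough to show as configuration: fansipans' set-up of two extra cards bridged together with PF rules on top, and Dom's trick of binding an address to the inside bridge member so the box can be managed over the network instead of only from the serial console. The following files are an added example written for this page, not configuration from the DaemonNews article or from any commenter; interface names (em0/em1), the 192.0.2.0/24 addresses and the server list are all assumed, and the /etc/hostname.* file layout is the current OpenBSD convention rather than whatever the article's release used. The security point is the one RC and Dom circle around: the moment the inside member carries an address, the filter box itself is reachable, so the rules for the box's own traffic are kept separate from, and tighter than, the rules for the traffic it bridges.

```conf
# /etc/hostname.em0 -- outside bridge member (constructed example).
# No address: packets are bridged, the interface is never addressable.
up

# /etc/hostname.em1 -- inside bridge member (constructed example).
# Dom's approach: one address here, so ssh/SNMP reach the box from the
# inside LAN only. Leave this out for a fully address-less bridge.
inet 192.0.2.2 255.255.255.0

# /etc/hostname.bridge0 -- tie the two members together (constructed).
add em0
add em1
up

# /etc/pf.conf -- filter the bridged traffic and protect the box itself.
ext_if   = "em0"
int_if   = "em1"
mgmt_net = "192.0.2.0/24"          # assumed inside management network
servers  = "{ 192.0.2.10, 192.0.2.11 }"   # assumed hosts behind the bridge

set skip on lo0
block log all

# Traffic addressed to the firewall itself: only ssh, only from inside.
# Because em1 has an address this rule matters; without it the bridge
# would answer to anyone who can reach 192.0.2.2.
pass in quick on $int_if proto tcp from $mgmt_net to $int_if port 22

# Bridged traffic is filtered on the interface a packet enters on and
# again on the one it leaves on, so both directions need rules.
pass in  on $ext_if proto tcp to $servers port { 80 443 }
pass in  on $int_if from $servers
pass out on { $ext_if $int_if }
```

Check the result from the inside before relying on it: `ifconfig bridge0` should list both members, `pfctl -sr` should show the rules in the order above, and an ssh attempt to 192.0.2.2 from a host outside the bridge should be logged by the `block log all` rule (visible with `tcpdump -n -e -ttt -i pflog0`) rather than answered. If the box needs no network management at all, drop the address from hostname.em1 and the port 22 rule together, which is the "serial console only" arrangement jose describes.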


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]