Changes between Initial Version and Version 1 of gatekeeper.isi.deterlab.net

Timestamp:

Jun 15, 2010 5:04:32 PM (14 years ago)

Author:

jhickey

Comment:

--

gatekeeper.isi.deterlab.net

@@ +1 @@
+== gatekeeper.isi.deterlab.net ==
+
+Gatekeeper is a bridging firewall running FreeBSD 7.3 and pf.
+
+=== Hardware ===
+
+ * Dell PowerEdge Chassis
+ * Pentium 4 2.4Ghz
+ * 256Mb of RAM
+ * 40GB Seagate ST340014A Hard Drive
+
+=== Interfaces ===
+ * Dual Port Card 1
+  * em0 internet facing interface (verify)
+   * ether 00:04:23:c2:8e:a8
+  * em1 testbed facing interface (verify)
+   * ether 00:04:23:c2:8e:a9
+  
+ * Dual Port Card 2
+  * em2 is unused
+   * ether 00:04:23:a5:ac:ee
+  * em3 10.0.23.0/24 network, address 10.0.23.254
+   * ether 00:04:23:a5:ac:ef
+
+=== Bridging Configuration ===
+
+ * bridge0 consists of em0 and em1
+ * bridge0 is configured in rc.conf with the following lines:
+   {{{
+   cloned_interfaces="bridge0"
+   ifconfig_bridge0="inet 206.117.25.46 netmask 255.255.255.0 addm em0 addm em1 up"
+   ifconfig_em0="up"
+   ifconfig_em1="up"
+   }}}
+
+=== PF configuration ===
+
+ * Two sysctl variables need to be set in order to enable pf on a bridged interface in /etc/sysctl.conf.  Rules on bridges have no direction.
+   {{{
+   net.link.bridge.pfil_bridge=1
+   net.link.bridge.pfil_onlyip=1
+   }}}
+ * pf is enabled in /etc/rc.conf
+   {{{
+   pf_enable="YES"
+   pflog_enable="YES"
+   }}}
+
+ * The pf.conf file is in CVS under /operations/configuration/gatekeeper
+
+ * The kernel configuration in /operations/configuration/gatekeeper contains the pf and pflog devices:
+   {{{
+   device          pf
+   device          pflog
+   }}}
+
+
+=== NAT Configuration ===
+
+ * We have a NAT'ed network hanging off of gatekeeper for machines that need to access the internet, but do not need to have it.
+ * The sysctl variable for ip forwarding is enabled in /etc/sysctl.conf:
+ {{{
+ net.inet.ip.forwarding=1
+ }}}
+