Version 1 (modified by jhickey, 10 years ago) (diff)

--

gatekeeper.isi.deterlab.net

Gatekeeper is a bridging firewall running FreeBSD 7.3 and pf.

Hardware

  • Dell PowerEdge Chassis
  • Pentium 4 2.4Ghz
  • 256Mb of RAM
  • 40GB Seagate ST340014A Hard Drive

Interfaces

  • Dual Port Card 1
    • em0 internet facing interface (verify)
      • ether 00:04:23:c2:8e:a8
    • em1 testbed facing interface (verify)
      • ether 00:04:23:c2:8e:a9

  • Dual Port Card 2
    • em2 is unused
      • ether 00:04:23:a5:ac:ee
    • em3 10.0.23.0/24 network, address 10.0.23.254
      • ether 00:04:23:a5:ac:ef

Bridging Configuration

  • bridge0 consists of em0 and em1
  • bridge0 is configured in rc.conf with the following lines:
    cloned_interfaces="bridge0"
    ifconfig_bridge0="inet 206.117.25.46 netmask 255.255.255.0 addm em0 addm em1 up"
    ifconfig_em0="up"
    ifconfig_em1="up"
    

PF configuration

  • Two sysctl variables need to be set in order to enable pf on a bridged interface in /etc/sysctl.conf. Rules on bridges have no direction.
    net.link.bridge.pfil_bridge=1
    net.link.bridge.pfil_onlyip=1
    
  • pf is enabled in /etc/rc.conf
    pf_enable="YES"
    pflog_enable="YES"
    
  • The pf.conf file is in CVS under /operations/configuration/gatekeeper
  • The kernel configuration in /operations/configuration/gatekeeper contains the pf and pflog devices:
    device          pf
    device          pflog
    

NAT Configuration

  • We have a NAT'ed network hanging off of gatekeeper for machines that need to access the internet, but do not need to have it.
  • The sysctl variable for ip forwarding is enabled in /etc/sysctl.conf:
    net.inet.ip.forwarding=1