gatekeeper.isi.deterlab.net

Gatekeeper is a bridging firewall running FreeBSD 7.3 and pf.

Hardware

• Dell PowerEdge Chassis
• Pentium 4 2.4Ghz
• 256Mb of RAM
• 40GB Seagate ST340014A Hard Drive

Interfaces

• Dual Port Card 1
  • em0 internet facing interface (verify)
    • ether 00:04:23:c2:8e:a8
  • em1 testbed facing interface (verify)
    • ether 00:04:23:c2:8e:a9

• Dual Port Card 2
  • em2 is unused
    • ether 00:04:23:a5:ac:ee
  • em3 10.0.23.0/24 network, address 10.0.23.254
    • ether 00:04:23:a5:ac:ef

Bridging Configuration

• bridge0 consists of em0 and em1
• bridge0 is configured in rc.conf with the following lines:

  cloned_interfaces="bridge0"
  ifconfig_bridge0="inet 206.117.25.46 netmask 255.255.255.0 addm em0 addm em1 up"
  ifconfig_em0="up"
  ifconfig_em1="up"
  

PF configuration

• Two sysctl variables need to be set in order to enable pf on a bridged interface in /etc/sysctl.conf. Rules on bridges have no direction.

  net.link.bridge.pfil_bridge=1
  net.link.bridge.pfil_onlyip=1
  

• pf is enabled in /etc/rc.conf

  pf_enable="YES"
  pflog_enable="YES"
  

• The pf.conf file is in CVS under /operations/configuration/gatekeeper

• The kernel configuration in /operations/configuration/gatekeeper contains the pf and pflog devices:

  device          pf
  device          pflog
  

NAT Configuration

• We have a NAT'ed network hanging off of gatekeeper for machines that need to access the internet, but do not need to have it.
• The sysctl variable for ip forwarding is enabled in /etc/sysctl.conf:

  net.inet.ip.forwarding=1