Firewall Setup

Kevin O'Connor kevin at
Sun Dec 21 13:37:52 GMT 2003

Steve, your bridge is set up to connect your whole network behind the
bridge to the router; however, you are attempting to connect from an
internal network to an internal network via the BSD box. I'm assuming
that they are different networks from your diagram; this requires an
additional router, bridge or gateway. As it is now the bridge is aware
of the different networks attached to em1 and em0 and can direct traffic
to/from them; this is exactly what it is designed to do. However, a
bridge cannot join two networks attached to a NIC that is not part of the
bridge, i.e. em2; that is a job for a router, and as em1 has no IP address
there is no route. As em0 has an IP address it is routing to em2.

This is based on my understanding of your network layout, and if I've got
it wrong this is also wrong.

1 set up an additional bridge

2 scrap the bridge and give em1 an IP address, enable routing on the
BSD box

3 add an additional NIC to route between the internal networks

4 remove the IP address

If you're using traffic shaping rules, solution 1 is your best bet.
Solution 2 would be my preferred method, but I don't know how much work
you've done on the rules.
Solution 3 is dangerous as there is a route from the new NIC to the
router, so you'll need a rule to only permit it to talk to em2.

Hope this helps, however if not please feel free to msg me off list to
get it sorted.

-----Original Message-----
From: freebsd-users-admin at
[mailto:freebsd-users-admin at] On Behalf Of Steve Greenshaw
Sent: 21 December 2003 12:53
To: kevin at; freebsd-users at
Subject: Re: Firewall Setup

Thanks Kevin,

No, neither em0 nor em1 has an IP ... well, em0 has an alias so that NAT
can take place.

The bridge works fine. If I sit on the network attached to the em0/em1
bridge everything is fine. I can access the internet etc., etc. If
I sit on the network attached to em2 ( I cannot access
devices on the em1 ('internal') side of my bridge ... although I can access
the internet etc. via the em0 ('external') side of the bridge. It's as if
all traffic for the bridged network is being directed at em0, but that
traffic is not being broadcast on the other side of the bridge.


----- Original Message ----- 
From: "Kevin O'Connor" <kevin at>
To: "'Steve Greenshaw'" <steve at>;
<freebsd-users at>
Sent: Sunday, December 21, 2003 2:53 AM
Subject: RE: Firewall Setup

> Steve, are you saying you have set up a bridge between em0 and em1 with
> both NICs having IP addresses? If this is the case it is incorrect and
> will not bridge properly; only one of the cards in a bridge should have
> an IP address assigned, in fact it will work with no IP addresses.
> Also you need the bridge option enabled in the kernel.
> Please see the handbook
> ng.html
> As a quick fix try setting static routes in /etc/rc.conf
> Regards
> Kevin
> -----Original Message-----
> From: freebsd-users-admin at
> [mailto:freebsd-users-admin at] On Behalf Of Steve
> Sent: 20 December 2003 22:16
> To: freebsd-users at
> Subject: Firewall Setup
> Hi,
> I wonder if anyone could suggest whether what I am attempting is
> possible?
>                 INTERNET
>                     |
>                   ROUTER
>                     |
>          ______FREEBSD______
>         |                  |
>        em1               (em2)
>         |                  |
>        DMZ              PRIVATE
> This setup is on FreeBSD 4.9 with IPFILTER and IPNAT. This choice, rather
> than IPFW and NATD, is so that the GUI 'fwbuilder' ( can be
> used by several admins who are purely Windows users. At a pinch I use
> IPFW with fwbuilder and just write any NAT rules myself for NATD, but it's
> much neater to have fwbuilder do the lot.
> The addresses are public IPs from the same single C
> network. For historical and management/manpower reasons it is just not
> possible to subnet this network at present, so I've set up a bridge between
> em0 and em1 with em0 having an aliased address that ipnat uses for outbound
> connections from the network.
> Preliminary testing has shown that filtering can and does take place
> allow only restricted services access to certain addresses within the DMZ,
> whilst allowing the DMZ access to necessary services on the internet.
> works fine to allow the PRIVATE net access to the internet.
> My problem is that no matter what I do (i.e. the only rule now in is
> to allow all to any via any) I cannot reach the DMZ from within the
> network. I need to do this to get at DNS, SMTP etc. I just can't see
> this is not possible or where I am going wrong. From the firewall box
> itself I get a 'no route to host' if I try to contact a machine on the
> DMZ. I can contact the router though. It's as if the default route for the
> network is via em0 (which I can understand), but I understood that a
> bridge between em0 and em1 would mean that anything broadcast on em0 would
> also be broadcast on em1, so allowing me access to the DMZ.
> Is there a routing entry that I'm missing somewhere? I'm not actually
> setting any routes but the default gateway in rc.conf of
> Any suggestions or pointers would be appreciated.
> Cheers,
> Steve.
> ------ FreeBSD UK Users' Group  -  Mailing List ------

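An added example, not from anyone in this thread: an /etc/rc.conf fragment for Kevin's option 2 on FreeBSD 4.x, where the em0/em1 bridge is scrapped, em1 gets its own address and the BSD box routes between the DMZ on em1 and the PRIVATE network on em2 (with IPFILTER/IPNAT kept as in Steve's setup). Every address below is a constructed placeholder, and the layout assumes the DMZ can be given a subnet of its own, which Steve's first message says is not currently possible. The rc.conf variables are the 4.x ones as I recall them; check them against /etc/defaults/rc.conf on the box.

```shell
# Added example (not from the thread): /etc/rc.conf fragment for Kevin's
# option 2 on FreeBSD 4.x -- scrap the em0/em1 bridge, address em1 and
# route between em1 (DMZ) and em2 (PRIVATE) instead of bridging.
# All addresses are constructed placeholders.

# em0: uplink towards the router. Without the bridge no alias is needed;
# ipnat can map outbound connections to em0's primary address.
ifconfig_em0="inet 192.0.2.2 netmask 255.255.255.0"
defaultrouter="192.0.2.1"

# em1: DMZ side. A routed setup needs an address here, which is exactly
# what the bridged layout lacked ("em1 has no IP address, there is no route").
ifconfig_em1="inet 198.51.100.1 netmask 255.255.255.0"

# em2: PRIVATE side.
ifconfig_em2="inet 10.0.0.1 netmask 255.255.255.0"

# Make the box a router so packets arriving on em2 for DMZ hosts are
# forwarded out em1 (this sets net.inet.ip.forwarding=1 at boot).
gateway_enable="YES"

# Keep IPFILTER and IPNAT as in the original setup; the restrictions on
# what PRIVATE may reach in the DMZ now live in ipf.rules, not in the bridge.
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
```

With this in place the bridge sysctls that 4.x used to enable bridging (net.link.ether.bridge and net.link.ether.bridge_cfg in /etc/sysctl.conf, as I recall them) should be removed, otherwise em0 and em1 are both bridged and routed and behaviour becomes hard to reason about. The ipf rule set then needs explicit pass rules for the DMZ services (DNS, SMTP) from the em2 network, since a default-deny rule set will otherwise drop the forwarded traffic just as it would have dropped bridged traffic.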