This article describes how to use the BRIDGE, IPFIREWALL and DUMMYNET options of the FreeBSD kernel to build a FreeBSD-based transparent traffic-control firewall (bridge mode) that limits bandwidth and filters packets.
Overview
The FreeBSD kernel's BRIDGE, IPFIREWALL and DUMMYNET options together make it possible to build a transparent traffic-control firewall: the machine bridges Ethernet frames between its interfaces at layer 2, ipfw filters the bridged IP packets, and dummynet pipes limit their bandwidth. Because the bridged interfaces need no IP addresses of their own, the box can be inserted into an existing segment without renumbering anything.
Preparation
You can build a traffic-control firewall on any hardware that FreeBSD supports. For performance and manageability, however, we recommend that you:
Use an Intel Pentium II 450 MHz or faster processor
Use at least 128 MB of RAM
Use high-performance 10/100 Mbps autosensing network adapters
If you have more than one group of bridged interfaces, use a dual-processor system.
Provide a separate network adapter for management.
--------------------------------------------------------------------------------
Example
A Lenovo 1300 PC server with an Intel Pentium II 300 MHz processor and 128 MB of RAM. The motherboard has an integrated Intel 82557 network adapter (fxp driver); the remaining adapters are 3Com 3C905B 10/100 Mbps autosensing PCI network adapters (the xl interfaces used in the examples below).
--------------------------------------------------------------------------------
Install
Install the latest FreeBSD version; the current release can be obtained from www.FreeBSD.org. Use FreeBSD 4.3-RELEASE or later.
You must install the "sys" part of the operating system source code (the src-sys distribution). After the installation is complete, recompile the kernel so that it supports the options the traffic-control firewall needs.
--------------------------------------------------------------------------------
Example
Install the FreeBSD-4.3-20010818-STABLE snapshot from
ftp://releng4.freebsd.org/pub/FreeBSD/snapshots/i386/
using the FTP installation method, with the following distributions selected:
[X] bin
[X] crypto
[X] man
[X] src-> sys
--------------------------------------------------------------------------------
Configuration
After installing the operating system, recompile the kernel so that it supports the bridging traffic-control firewall options. Add the following lines to the kernel configuration file:
options BRIDGE
options DUMMYNET
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
IPFIREWALL_DEFAULT_TO_ACCEPT makes the implicit last rule (65535) an allow, so the host and the bridge pass all traffic whenever no ruleset is loaded, for example at boot before the rules are applied or after an ipfw flush. This keeps you from locking yourself out of the management interface, but it also means the bridge fails open: the explicit deny rule at the end of the ruleset below is what actually closes it. Without this option a kernel booted without rules denies everything, including management access.
After the kernel has been recompiled and installed, the computer must be restarted.
--------------------------------------------------------------------------------
Example
# cd /usr/src/sys/i386/conf
# cp GENERIC BRGFW
# echo "options BRIDGE" >> BRGFW
# echo "options DUMMYNET" >> BRGFW
# echo "options IPFIREWALL" >> BRGFW
# echo "options IPFIREWALL_DEFAULT_TO_ACCEPT" >> BRGFW
# config BRGFW
# cd ../../compile/BRGFW
# make depend && make all install
# reboot
--------------------------------------------------------------------------------
After the computer has restarted, enable the bridging traffic-control firewall with the following commands:
sysctl -w net.link.ether.bridge_ipfw=1
sysctl -w net.link.ether.bridge_cfg=""
sysctl -w net.link.ether.bridge=1
The bridge_cfg parameter defines multiple groups (clusters) of bridged interfaces as a comma-separated list of interface:cluster pairs; interfaces with the same cluster number are bridged together. You can leave it empty if only one group of bridged interfaces is needed. These sysctl settings do not survive a reboot; put them in /etc/sysctl.conf to have them applied at boot. The example uses the integrated Intel 82557 adapter as the management interface and divides the 3Com 3C905B adapters (xl0 to xl3) into two groups of bridges.
--------------------------------------------------------------------------------
Example
# sysctl -w net.link.ether.bridge_ipfw=1
# sysctl -w net.link.ether.bridge_cfg="xl0:0,xl1:0,xl2:1,xl3:1"
# sysctl -w net.link.ether.bridge=1
--------------------------------------------------------------------------------
Usage
Use the ipfw command to control traffic and set the firewall policy. Traffic shaping is implemented as part of the firewall policy (a dummynet pipe is an ipfw rule action), so ipfw is the only management interface. Note that ipfw also sees the IP traffic of the firewall host itself, not only the bridged packets, so a final deny rule blocks the management interface as well unless an earlier rule exempts it. The following example shows how to use ipfw.
In the example, the network segment 192.168.254.0/24 passes through the first group of bridges and the segment 192.168.250.0/24 through the second group, and the following policy is set up:
Allow all ICMP traffic, limited to 10 Kbit/s in total (one pipe shared by both directions).
Allow all UDP traffic, limited to 100 Kbit/s in total (one pipe shared by both directions).
Allow all TCP connections to and from the 192.168.254.0/24 network, limited to 5 Mbit/s in each direction.
Allow TCP HTTP connections to host 192.168.250.222, limited to 2 Mbit/s in each direction.
Allow all other TCP connections to and from the 192.168.250.0/24 network, limited to 1 Mbit/s in each direction.
Deny all other traffic.
--------------------------------------------------------------------------------
Example
# ipfw -f flush
# ipfw add 100 pipe 1 icmp from any to any
# ipfw pipe 1 config bw 10Kbit/s
# ipfw add 200 pipe 2 udp from any to any
# ipfw pipe 2 config bw 100Kbit/s
# ipfw add 300 pipe 3 tcp from 192.168.254.0/24 to any
# ipfw pipe 3 config bw 5Mbit/s
# ipfw add 400 pipe 4 tcp from any to 192.168.254.0/24
# ipfw pipe 4 config bw 5Mbit/s
# ipfw add 500 pipe 5 tcp from any to 192.168.250.222 80
# ipfw pipe 5 config bw 2Mbit/s
# ipfw add 600 pipe 6 tcp from 192.168.250.222 80 to any
# ipfw pipe 6 config bw 2Mbit/s
# ipfw add 700 pipe 7 tcp from 192.168.250.0/24 to any
# ipfw pipe 7 config bw 1Mbit/s
# ipfw add 800 pipe 8 tcp from any to 192.168.250.0/24
# ipfw pipe 8 config bw 1Mbit/s
# ipfw add 60000 deny ip from any to any
# ipfw -a list
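The following script is an added example and is not part of the original article. It loads the same ruleset through a wrapper that can be dry-run (IPFW=echo prints the commands instead of applying them), adds an exemption for the management interface ahead of the final deny, and audits the accounting counters that ipfw -a list prints. It assumes the management interface is fxp0 (the Intel 82557 uses the fxp driver); the accounting output in SAMPLE_ACCT is constructed for the offline check, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original article: load the ruleset above
# through a wrapper that can dry-run, and audit the accounting counters
# that `ipfw -a list` prints afterwards.
#
# Assumption (not stated on the page): the management interface is fxp0
# (the Intel 82557 uses the fxp(4) driver); adjust MGMT_IF if ifconfig
# shows another name.

IPFW=${IPFW:-/sbin/ipfw}     # set IPFW=echo to print instead of apply
MGMT_IF=${MGMT_IF:-fxp0}     # assumed management interface

load_rules() {
    # -f suppresses the "Are you sure?" prompt of a plain "ipfw flush".
    $IPFW -f flush
    # ipfw also sees the IP traffic of the firewall host itself, so the
    # final deny would cut off management access; exempt that interface
    # first (bridged frames arrive on xl*, never via fxp0).
    $IPFW add 50 allow ip from any to any via "$MGMT_IF"
    $IPFW add 100 pipe 1 icmp from any to any
    $IPFW pipe 1 config bw 10Kbit/s
    $IPFW add 200 pipe 2 udp from any to any
    $IPFW pipe 2 config bw 100Kbit/s
    $IPFW add 300 pipe 3 tcp from 192.168.254.0/24 to any
    $IPFW pipe 3 config bw 5Mbit/s
    $IPFW add 400 pipe 4 tcp from any to 192.168.254.0/24
    $IPFW pipe 4 config bw 5Mbit/s
    $IPFW add 500 pipe 5 tcp from any to 192.168.250.222 80
    $IPFW pipe 5 config bw 2Mbit/s
    $IPFW add 600 pipe 6 tcp from 192.168.250.222 80 to any
    $IPFW pipe 6 config bw 2Mbit/s
    $IPFW add 700 pipe 7 tcp from 192.168.250.0/24 to any
    $IPFW pipe 7 config bw 1Mbit/s
    $IPFW add 800 pipe 8 tcp from any to 192.168.250.0/24
    $IPFW pipe 8 config bw 1Mbit/s
    # Explicit deny: with IPFIREWALL_DEFAULT_TO_ACCEPT the implicit rule
    # 65535 is "allow", so this line is what actually closes the bridge.
    $IPFW add 60000 deny ip from any to any
}

# Read `ipfw -a list` output on stdin (columns: rule, packets, bytes, ...)
# and print the numbers of rules whose packet counter is still zero.
# Zero hits on a shaping rule mean the pipe is not seeing the traffic you
# expect; zero hits on 65535 confirm the explicit deny catches everything.
zero_hit_rules() {
    awk '$2 == 0 { print $1 }'
}

# Constructed sample of `ipfw -a list` output for an offline check
# (not captured from a real system).
SAMPLE_ACCT='00050    812   61344 allow ip from any to any via fxp0
00100     40    3360 pipe 1 icmp from any to any
00200    118   12044 pipe 2 udp from any to any
00300   9201 6114332 pipe 3 tcp from 192.168.254.0/24 to any
00400   8877 9120040 pipe 4 tcp from any to 192.168.254.0/24
00500      0       0 pipe 5 tcp from any to 192.168.250.222 80
00600      0       0 pipe 6 tcp from 192.168.250.222 80 to any
00700    301   40212 pipe 7 tcp from 192.168.250.0/24 to any
00800    288   30444 pipe 8 tcp from any to 192.168.250.0/24
60000     17    1360 deny ip from any to any
65535      0       0 allow ip from any to any'

case "${1:-}" in
    load)  load_rules ;;                      # sh brgfw.sh load  (IPFW=echo previews)
    audit) zero_hit_rules ;;                  # ipfw -a list | sh brgfw.sh audit
    demo)  printf '%s\n' "$SAMPLE_ACCT" | zero_hit_rules ;;
    *)     : ;;
esac
```

Run "IPFW=echo sh brgfw.sh load" to review the generated commands before applying them, then "ipfw -a list | sh brgfw.sh audit" after some traffic has passed; on the constructed sample it reports 00500, 00600 and 65535, meaning no HTTP traffic to 192.168.250.222 has crossed the bridge yet and nothing has reached the implicit default rule. The rule-50 exemption trusts the whole management network; in production narrow it to the administrative hosts and ports you actually use.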