On Jan 29, 2008, at 6:50 AM, Chris wrote:

Hi,

I have 3 transparent firewalls on 3 T1s with a LAN behind each
supporting multiple servers.

Existing:
Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3

These firewalls are workstation class computers running
FreeBSD 6.2, if_bridge and ipfw. This has worked quite well
with the exception of hardware failures because of the
workstations' hardware. I can afford one server-class blade
with 3 2-port NICs, but not three complete quality servers.
I would like to get to one firewall machine yet maintain the
isolation of the circuits and servers.

Target: 1 firewall, 4 nics, if_bridge (1 bridge) and ipfw
AllServers<->Switch<->FreeBSD Firewall<->T1 Router1
                                                        <->T1 Router2
                                                        <->T1 Router3
or
     1 firewall 6 nics, if_bridge (3 bridges) and ipfw
Servers1<->Switch1<->FreeBSD Firewall<->T1 Router1
Servers2<->Switch2<->                       <->T1 Router2
Servers3<->Switch3<->                       <->T1 Router3

Initially I designed the replacement using a single if_bridge
with a single LAN backbone as shown first here. After trying
to design the rules, I concluded that it was either illogical
or beyond my ipfw rule skills. Then it occurred to me to try
to run three if_bridge devices as shown in the second Target:
one box, 6 NICs, 3 networks kept isolated for ARP but
IP-managed in a single instance of ipfw.

I got as far as attempting this:

ifconfig bridge0 create
ifconfig bridge0 addm rl0 addm em0 up
ifconfig bridge1 create
ifconfig bridge1 addm vx0 up

It created the devices but obviously is not something I could
test to see if it actually worked as two discrete bridges. I've
no additional hardware, but before I buy anything, I thought
I could simply ask if if_bridge is meant to do this. I have
googled, checked man (if_bridge, ipfirewall, ipfw), and the
handbook, but I can't find anywhere that specifically says
if_bridge is designed to support multiple bridges on one
computer.

My questions are:

1. Is if_bridge designed to support more than one bridge
on a single machine by creating multiple bridge devices (only,
of course, with multiple NICs on the second and tertiary
bridges)?

2. If so, does it retain complete isolation of the bridges (e.g.
for ARP) while allowing ipfw to examine all three simultaneously?

3. Should I be exploring a different FreeBSD route to
implement this?


The response to this message can be found on FreeBSD-Net.
The answer was affirmative on the use of multiple bridges
on one FreeBSD installation using if_bridge. The alternate suggestion
was to use a single bridge with the private flag on each interface.

Pardon the extra intrusion but I'd hate for someone to google
this and not find the answer. ... and sorry I posted to the wrong list
initially.

Chris


Please let me know if this should actually go to the
FreeBSD-Net List.

Thank you,
Chris Pratt
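The configuration the thread settles on, worked through as an added example (this is not Chris's code or anything from the FreeBSD project): rc.conf and sysctl fragments for the "1 firewall, 6 NICs, 3 bridges" layout, the single-bridge/private-port alternative, ipfw rules that pin each circuit to its own member NICs so one ipfw instance can hold all three rule sets, and a check that no NIC was accidentally added to two bridges (which would silently merge two circuits at layer 2 and defeat the ARP isolation asked about in question 2). The NIC names rl0-2/em0-2, the 192.0.2.0/24 server subnets, the constructed ifconfig excerpt and the reading of the private-flag suggestion as "private on the three router-facing ports" are assumptions; the ifconfig, rc.conf, sysctl and ipfw syntax follows if_bridge(4), ifconfig(8), rc.conf(5) and ipfw(8).

```shell
#!/bin/sh
# Added example, not code from the thread. Generates config fragments for a
# three-bridge transparent firewall and checks bridge membership for overlap.
# NIC names, subnets and the sample ifconfig text below are assumptions.

# One circuit per line: "<bridge> <LAN-facing NIC> <T1-router-facing NIC>"
CIRCUITS='bridge0 rl0 em0
bridge1 rl1 em1
bridge2 rl2 em2'

# rc.conf lines for three independent bridges: three separate ARP/broadcast
# domains, one ipfw instance. Member NICs carry no address, they are only up.
three_bridge_rc_conf() {
    bridges=''
    for b in $(printf '%s\n' "$CIRCUITS" | awk '{print $1}'); do
        bridges="$bridges${bridges:+ }$b"
    done
    echo "cloned_interfaces=\"$bridges\""
    printf '%s\n' "$CIRCUITS" | while read -r br lan wan; do
        echo "ifconfig_${lan}=\"up\""
        echo "ifconfig_${wan}=\"up\""
        echo "ifconfig_${br}=\"addm $lan addm $wan up\""
    done
}

# The thread's alternative, read as: one bridge, router-facing ports private.
# Private ports never forward to each other, but they all still forward to the
# non-private LAN port, so the servers share one broadcast domain here.
single_bridge_rc_conf() {
    echo 'cloned_interfaces="bridge0"'
    echo 'ifconfig_bridge0="addm rl0 addm em0 addm em1 addm em2 private em0 private em1 private em2 up"'
}

# sysctl.conf lines: run ipfw on the member NICs (so rules can name rl0, em0,
# ...) and not a second time on the bridgeN interface itself.
bridge_sysctls() {
    echo 'net.link.bridge.pfil_member=1'
    echo 'net.link.bridge.pfil_bridge=0'
}

# Per-circuit ipfw rules. Every rule names the circuit's own NICs (recv/xmit/
# via), so a rule written for circuit 1 can never match frames on circuit 2
# even though the same ipfw instance sees all three bridges.
ipfw_rules() {
    n=0
    printf '%s\n' "$CIRCUITS" | while read -r br lan wan; do
        net="192.0.2.$(( n * 16 ))/28"       # PLACEHOLDER servers behind this circuit
        base=$(( (n + 1) * 1000 ))
        echo "ipfw add $base check-state"
        echo "ipfw add $(( base + 10 )) allow tcp from $net to any out recv $lan xmit $wan setup keep-state"
        echo "ipfw add $(( base + 20 )) allow tcp from any to $net 80,443 in recv $wan setup keep-state"
        echo "ipfw add $(( base + 90 )) deny log ip from any to any via $wan"
        echo "ipfw add $(( base + 91 )) deny log ip from any to any via $lan"
        n=$(( n + 1 ))
    done
}

# Every NIC must belong to exactly one bridge or the circuits are no longer
# isolated. $1 is `ifconfig -a` text. Prints offenders; exit 0 clean, 1 not.
check_bridge_members() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+:/ { cur = $1; sub(":$", "", cur); next }
        /^[[:space:]]+member: / && cur ~ /^bridge/ {
            count[$2]++; where[$2] = where[$2] " " cur
        }
        END {
            bad = 0
            for (nic in count)
                if (count[nic] > 1) { printf "%s is in%s\n", nic, where[nic]; bad = 1 }
            exit bad
        }'
}

# Constructed `ifconfig -a` excerpt for the configured box (not real output).
IFCONFIG_OK='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        member: em0 flags=3<LEARNING,DISCOVER>
        member: rl0 flags=3<LEARNING,DISCOVER>
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        member: em1 flags=3<LEARNING,DISCOVER>
        member: rl1 flags=3<LEARNING,DISCOVER>
bridge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        member: em2 flags=3<LEARNING,DISCOVER>
        member: rl2 flags=3<LEARNING,DISCOVER>'
# Same box after a typo such as "ifconfig bridge2 addm rl0": circuit 1's LAN
# is now bridged into circuit 3 at layer 2.
IFCONFIG_BAD="$IFCONFIG_OK
        member: rl0 flags=3<LEARNING,DISCOVER>"

if [ "${1:-}" = "demo" ]; then
    three_bridge_rc_conf; bridge_sysctls; ipfw_rules
    check_bridge_members "$IFCONFIG_BAD" || echo "member overlap detected"
fi
```

Run it as `sh script.sh demo` to print the fragments and the overlap report; in practice, `check_bridge_members "$(ifconfig -a)"` after boot is the quick test for question 2 that the poster could not run without extra hardware. Keep the catch-all `deny ... via <nic>` rules per circuit rather than one global deny, so the log lines tell you which T1 the dropped traffic arrived on.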

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions- [EMAIL PROTECTED]"
