6 - Networking
filter on one interface. Your default "Pass all" statements would look something like this: 
pass in on ep0 all
pass out on ep0 all
pass in on fxp0 all
pass out on fxp0 all
Now, let's say I wish to filter traffic hitting these old machines, I want only Web and SSH traffic to 
reach them. In this case, we are going to let all traffic in and out of the 
ep0
interface, but filter on the 
fxp0
interface, using 
keep state
to handle the reply data: 
# Pass all traffic through ep0
pass in quick on ep0 all
pass out quick on ep0 all
# Block fxp0 traffic
block in on fxp0 all
block out on fxp0 all
pass in quick on fxp0 proto tcp from any to any port {22, 
80} \
flags S/SA keep state
Note that this rule set will prevent anything but incoming HTTP and SSH traffic from reaching either the 
bridge machine or any of the other nodes "behind" it. Other results could be had by filtering the other 
interface. 
To monitor and control the bridge you have created, use the 
ifconfig(8)
command, which can also be 
used to create a bridge after boot. 
Tips on bridging
●
It is HIGHLY recommended that you filter on only one interface. While it is possible to filter on 
both, you really need to understand this very well to do it right. 
●
By using the blocknonip option of 
ifconfig(8)
 or in 
hostname.bridge0
, you can prevent non-IP 
traffic (such as IPX or NETBEUI) from slipping around your filters. This may be important in 
some situations, but you should be aware that bridges work for all kinds of traffic, not just IP. 
●
Bridging requires that the NICs be in a "Promiscuous mode" -- they listen to ALL network 
traffic, not just that directed at the interface. This will put a higher load on the processor and bus 
than one might expect. Some NICs don't work properly in this mode, the TI ThunderLAN chip (
tl
(4)
) is an example of a chip that won't work as part of a bridge. 
http://www.openbsd.org/faq/faq6.html (22 of 33)9/4/2011 10:02:06 AM

6 - Networking

Download 1.27 Mb.

Do'stlaringiz bilan baham: