Invisible gateway - bridge

A bridge in our context is a machine with two or more network interfaces, located between the Internet and one or more internal networks, where the network interfaces are not assigned IP addresses. If the machine runs OpenBSD or a similarly capable operating system, it can still filter and redirect the traffic passing through it. The advantage of such a setup is that the firewall itself is harder to attack, since it has no address to aim at. The disadvantage is that all admin tasks must be performed at the firewall's console, unless you configure a management interface which is reachable only via a secured network of some kind, or attach a serial console.

The exact method for configuring bridges differs in some details between the operating systems. Below is a short recipe for use on OpenBSD, which for good measure also blocks all non-IP traffic on the bridge. Setting up a bridge with two interfaces:

/etc/hostname.ep0

up

/etc/hostname.ep1

up

/etc/bridgename.bridge0

add ep0 add ep1 blocknonip ep0 blocknonip ep1 up

/etc/pf.conf

ext_if = ep0
int_if = ep1
# pf.conf macro names may contain only letters, digits and underscores
interesting_traffic = { ... }
block all
# do all filtering on the internal interface; pass everything on the external one
pass quick on $ext_if all
# the bridge interfaces carry no address, so "from $int_if" cannot be resolved;
# match on any source instead (use proto udp as well if the list needs it)
pass log on $int_if proto tcp from any to any port $interesting_traffic \
     keep state

Significantly more complicated setups are possible. Keep in mind that every packet crossing the bridge passes through PF's view twice, once on each interface, which makes for potentially very complicated rules. Experienced bridgers therefore recommend picking one of the interfaces to perform all filtering and redirection, as in the example above.

The OpenBSD brconfig command also offers its own set of filtering options alongside its other configuration options (in OpenBSD releases from 4.7 onwards, brconfig's functionality has been folded into ifconfig(8)). The bridge(4) and brconfig(8) man pages offer further information.
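Two properties of this setup are worth checking after the machine is up: that neither bridge member carries an IP address (otherwise the firewall is addressable again), and that blocknonip is actually set on both members. The script below is an added example, not part of the original recipe. Its three sample texts are constructed to look like ifconfig(8) output for the two members and for bridge0; on a real OpenBSD box you would feed it the live output instead, as the last line shows. The function names (ifc_has_ip, bridge_blocknonip, audit_member) and the exact ifconfig layout are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper for a transparent PF bridge (not from the original page).
# Checks, from ifconfig(8)-style text, that a bridge member has no IP address
# and that the bridge has BLOCKNONIP set for it.

# Constructed sample outputs; the member/flag layout mimics modern ifconfig(8).
SAMPLE_EP0='ep0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:c0:12:34:56
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (10baseT)
        status: active'
SAMPLE_EP1_BAD='ep1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:c0:12:34:57
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'
SAMPLE_BRIDGE='bridge0: flags=41<UP,RUNNING>
        index 5 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        ep0 flags=b<LEARNING,DISCOVER,BLOCKNONIP>
                port 1 ifpriority 0 ifcost 0
        ep1 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0'

# ifc_has_ip IFCONFIG_TEXT: exit 0 if an inet or inet6 address line is present
ifc_has_ip() {
    printf '%s\n' "$1" | awk 'BEGIN { r = 1 } $1 == "inet" || $1 == "inet6" { r = 0 } END { exit r }'
}

# bridge_member_flags BRIDGE_TEXT MEMBER: print the flags word of that member
bridge_member_flags() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m && $2 ~ /^flags=/ { print $2 }'
}

# bridge_blocknonip BRIDGE_TEXT MEMBER: exit 0 if BLOCKNONIP is set for MEMBER
bridge_blocknonip() {
    bridge_member_flags "$1" "$2" | grep -q 'BLOCKNONIP'
}

# audit_member BRIDGE_TEXT MEMBER IFCONFIG_TEXT: print findings, exit 0 if clean
audit_member() {
    _problems=0
    if ifc_has_ip "$3"; then
        echo "$2: has an IP address; a transparent bridge member should have none"
        _problems=1
    fi
    if ! bridge_blocknonip "$1" "$2"; then
        echo "$2: blocknonip not set; non-IP frames will be forwarded unfiltered"
        _problems=1
    fi
    return $_problems
}

# Demonstration on the constructed samples: ep0 is clean, ep1 has two findings.
audit_member "$SAMPLE_BRIDGE" ep0 "$SAMPLE_EP0" && echo "ep0: ok"
audit_member "$SAMPLE_BRIDGE" ep1 "$SAMPLE_EP1_BAD" || echo "ep1: audit failed"

# On a live OpenBSD bridge you would run, for each member:
#   audit_member "$(ifconfig bridge0)" ep0 "$(ifconfig ep0)"
```

Run it as root on the bridge host after the interfaces come up; a non-zero exit from audit_member means the "invisible" property no longer holds for that member or that non-IP frames are being forwarded around PF.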

FreeBSD uses a slightly different set of commands to configure bridges, while the NetBSD PF implementation supports bridging only with a slightly customized kernel[1].

Notes

[1]

See the NetBSD PF documentation for details.