Shortcuts

Search Users Guide

9.6. Bridge ports
Prev Next

9.6. Bridge ports

Bridge management for Linux firewalls was introduced in Firewall Builder V4.0 and support for bridges in BSD (OpenBSD and FreeBSD) firewalls was added in Firewall Builder V4.2. The generated script can manage bridge interfaces as follows:

  • The generated script includes shell code to manage bridge interfaces if checkbox "Configure bridge interfaces" is turned on in the "Script" tab of the firewall object "advanced" settings dialog. By default, it is turned off.

  • On Linux firewalls, the generated firewall script uses brctl tool which should be present on the firewall. The script checks if brctl is available and aborts if it cannot find it.

  • On OpenBSD firewalls, the generated firewall script uses brconfig tool which should be present on the firewall. The script checks if brconfig is available and aborts if it cannot find it.

  • On FreeBSD firewalls, the generated firewall script uses ifconfig tool which should be present on the firewall. The script checks if ifconfig is available and aborts if it cannot find it.

  • The script checks if the bridge interface configured in the GUI exists on the firewall and creates it if necessary.

  • It then checks if the bridge interface on the firewall is configured with bridge ports that were defined in the GUI. It adds those that are missing and removes those that are not configured in the GUI.

  • Adding VLAN interfaces as bridge ports, as well as mixing regular Ethernet and VLAN interfaces is supported. That is, the following configuration can be configured in Firewall Builder and the generated script will create it: 

    bridge name bridge id    STP enabled    interfaces
br0  8000.000c29f6bebe   no             eth4.102
                                        eth5

  • In order to use a VLAN interface as bridge port, it needs to be created twice in the GUI. The first time, it is created as a child of the regular Ethernet interface and has type "VLAN". The second interface object with the same name should be created as a child of a bridge interface with a type "ethernet".

9.6.1. Enabling Bridge Interface Management

To enable Firewall Builder bridge interface management, click the "Configure bridge interfaces" option in the Firewall Settings of the firewall that will include bridge interfaces.

Figure 9.22. Example Configuration; Interfaces eth1 and eth2 Will Become Bridge Ports

Example Configuration; Interfaces eth1 and eth2 Will Become Bridge Ports


With this setting enabled Firewall Builder the generated firewall script will manage bridge interfaces on the firewall incrementally. This includes removing any bridge interfaces that are defined on the firewall system but are not defined in the Firewall Builder configuration.

Note

You can use Firewall Builder to configure rules for firewalls that have a bridge interface(s) that are not being created and managed by the Firewall Builder generated script. In this case, you need to create an interface object in Firewall Builder that has a name that matches the name of the bridge interface on the firewall system.

For example, if you have a Linux firewall that is already configured with a bridge interface called br0, and you don't want Firewall Builder to manage creating the interface, create an interface object on your firewall called br0 with no child objects. Use this interface object in rules to represent the br0 interface.

Prev  Up  Next
9.5.2. VLAN Interface Management on BSD  Home  9.6.2. Bridge Interface Management on Linux
 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.