On BSD firewalls, the script generated by Firewall Builder can create and remove bridge interfaces such as "bridge0" and can also add and remove regular Ethernet interfaces as bridge ports. This behaviour is controlled by the checkbox "Configure bridge interfaces" in the "Script" tab of the firewall object's Firewall Settings dialog, as shown in Section 9.6.1. By default, bridge interface management is turned off.
As with IP addresses and VLANs, the script manages bridges incrementally. It compares the actual configuration of the firewall with the objects defined in the Firewall Builder GUI and then adds or removes bridge interfaces and bridge ports as needed. Running the same script multiple times does not make any unnecessary changes on the firewall: if the actual configuration already matches the objects created in the Firewall Builder GUI, the script performs no actions and simply exits.
For OpenBSD systems, the script uses the brconfig utility to configure the bridge. It checks that the utility is present on the firewall machine and aborts execution if it is not found. If this utility is installed in an unusual location on your machine, you can configure the path to it in the "Host OS" settings dialog of the firewall object.
For FreeBSD systems, the script uses the ifconfig utility to configure the bridge. It checks that the utility is present on the firewall machine and aborts execution if it is not found. If this utility is installed in an unusual location on your machine, you can configure the path to it in the "Host OS" settings dialog of the firewall object.
To illustrate bridge management on FreeBSD, consider the firewall object "freebsd-test-bridge-1" shown in Figure 9.32:
To build the bridge, I need to create the bridge interface "bridge0". This interface is just a regular child object of the firewall object in the tree: to create it, select the firewall and right-click to open the context menu, then select "New Interface". The new interface is created with the generic name "Interface"; rename it to "bridge0".
To make bridge0 a bridge interface, open it in the editor by double-clicking it in the tree and then click the "Advanced Interface Settings" button. This opens a dialog where you can change the interface type and configure some parameters. Set the type to "Bridge" and turn STP on if you need it.
Now we need to add the interfaces that will be bridge ports of this bridge. Right-click the bridge0 interface and select New Interface. This creates a child interface object below the bridge0 interface. Rename this interface to match the physical interface on the server that will be a bridge port. In this example we will use the em1 interface.
Firewall Builder will automatically detect that this interface is a bridge port since the parent interface type is set to bridge.
Add the second bridge port by repeating the process and adding another child interface to bridge0. In this example, the second interface is em2.
Bridge interfaces can optionally be configured with an IP address. If the bridge interface will not have an IP address assigned, it must be set to be an unnumbered interface. Double-click the bridge0 interface to open it for editing and click the radio button to set the type to Unnumbered interface.
Compiling and installing the generated script on a FreeBSD 8.1 firewall named free-bsd-1 results in the following bridge0 interface configuration:
free-bsd-1# ifconfig bridge0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 22:ae:66:38:73:c7
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 20000
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 20000
free-bsd-1#
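The incremental reconciliation described above (compare the actual bridge with the desired port set, change only what differs, do nothing when they already match), as an added example rather than Firewall Builder's own generated script: a POSIX shell sketch that parses FreeBSD-style ifconfig output for bridge0, compares the current member ports with the desired set, and prints the ifconfig addm/deletem commands that would bring them into agreement. The sample ifconfig text is constructed to match the listing above; the function names plan_bridge_changes and current_members, and the convention that empty ifconfig output means the bridge does not exist yet, are assumptions of this example. On OpenBSD the equivalent commands would go through brconfig instead.

```shell
#!/bin/sh
# Added example, not Firewall Builder's generated script.
# Plans (but does not execute) the ifconfig changes needed to make a
# FreeBSD bridge's member ports match a desired list.

# Constructed sample of `ifconfig bridge0` output, shaped like the listing above.
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 22:ae:66:38:73:c7
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 20000
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 20000'

# Read ifconfig output on stdin and print the current member ports, one per
# line, sorted. Only the "member: <ifname>" lines are of interest.
current_members() {
    awk '$1 == "member:" { print $2 }' | sort
}

# plan_bridge_changes BRIDGE "desired ports" "ifconfig output"
# Prints the commands that would reconcile the bridge with the desired port
# list. Empty ifconfig output is taken to mean the bridge does not exist
# (assumption of this example), so a create command is emitted first.
# Ports present on both sides produce no output, which is what makes a
# second run of the same plan a no-op.
plan_bridge_changes() {
    bridge="$1"
    desired="$2"
    ifconfig_out="$3"
    current=""
    if [ -z "$ifconfig_out" ]; then
        echo "ifconfig $bridge create"
    else
        current=$(printf '%s\n' "$ifconfig_out" | current_members)
    fi
    # Desired ports missing from the bridge must be added.
    for m in $desired; do
        printf '%s\n' "$current" | grep -qx "$m" || echo "ifconfig $bridge addm $m"
    done
    # Ports on the bridge that are not desired must be removed.
    for m in $current; do
        case " $desired " in
            *" $m "*) ;;
            *) echo "ifconfig $bridge deletem $m" ;;
        esac
    done
}

# Demonstration on the constructed sample: the text wants em1 and em2 as
# bridge ports, while the sample bridge currently carries em2 and em3.
plan_bridge_changes bridge0 "em1 em2" "$SAMPLE_IFCONFIG"
```

Printing the plan instead of running it keeps the example safe to execute anywhere; on a real FreeBSD host the same functions could be fed `ifconfig bridge0 2>/dev/null` and the printed lines piped to sh once reviewed.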
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.