# Layer 2 Apps under FreeBSD



## overmind (Sep 24, 2009)

Hello,

I want to know what programs/apps you know of for FreeBSD that can work in Layer 2 bridge mode.

For example, is it possible to set up a FreeBSD box with two network cards configured as a bridge, put that box between a router and my LAN, and filter HTTP, FTP, POP, IMAP and SMTP traffic transparently? I know that those services work on Layer 3, but I have heard there are some bridge-mode solutions for antivirus filtering.

I have only used bridge mode to separate switched networks (ARP broadcasts).

Tell me what you think.


----------



## aragon (Sep 24, 2009)

overmind said:

> For example, is it possible to set up a FreeBSD box with two network cards configured as a bridge, put that box between a router and my LAN, and filter HTTP, FTP, POP, IMAP and SMTP traffic transparently? I know that those services work on Layer 3, but I have heard there are some bridge-mode solutions for antivirus filtering.


if_bridge(4)


----------



## SirDice (Sep 24, 2009)

overmind said:

> I have only used bridge mode to separate switched networks (ARP broadcasts).


Actually, you use bridging to connect 2 networks on layer 2, not separate them.

As for your other questions:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html

You can use any of the three supported firewalls.


----------



## overmind (Sep 24, 2009)

Yes, you are right: you connect two networks (on Layer 3, so computers will see each other on the same subnet without any router), but you can also use it to separate Layer 2 traffic (if you do not want Layer 2 traffic from the other network to come into your network, you can use this setup).

I've noticed from your link that a firewall can be used in bridge mode. I used that to filter MACs. Is it also possible to filter by IP on Layer 2?

And a second question: are there any other applications in ports that work on Layer 2 (on FreeBSD in bridge mode) besides a firewall? For example, an app to filter SMTP, IMAP or HTTP traffic?


----------



## SirDice (Sep 24, 2009)

overmind said:

> Yes, you are right: you connect two networks (on Layer 3, so computers will see each other on the same subnet without any router)


No, by bridging you are connecting two networks on layer 2. Because they are connected on layer 2 you can use the same layer 3 subnet.



> but you can also use it to separate Layer 2 traffic (if you do not want Layer 2 traffic from the other network to come into your network, you can use this setup).


That's not the function of a standard bridge; there's usually no point in bridging if you don't want layer 2 connectivity. You segment IP networks (broadcast domains) to tone down layer 2 traffic. This is typically done with VLANs but could of course also be done by 'physically' separating the network segments with a router.



> I've noticed from your link that a firewall can be used in bridge mode. I used that to filter MACs.


That's possible.



> Is it also possible to filter by IP on Layer 2?


No, because layer 2 has no notion of IP addresses; that's layer 3/4. But yes, you can use an fbsd box with 2 bridged interfaces to also filter on layer 3/4 (IP addresses). You have all the functionality of the firewall you are using.



> And a second question: are there any other applications in ports that work on Layer 2 (on FreeBSD in bridge mode) besides a firewall? For example, an app to filter SMTP, IMAP or HTTP traffic?


If you attach an IP address to the bridge interface you can bind whatever you want on that address.

You seem to have some trouble with the different OSI layers and their function. I suggest reading up on it.


----------



## overmind (Sep 24, 2009)

Basically I understand it. Layer 2 works with Ethernet frames and switched network traffic, layers 3-4 with IP, up to layer 7, which is the application layer.

The thing is, some friends of mine say it is possible to set up a bridged FreeBSD box as an HTTP proxy + HTTP antivirus, or as an IMAP/SMTP antivirus, put that box between the LAN and the router or between the ISP line and the router, and have this setup work properly.

If this setup is possible, how can it be done?

I only thought it was possible to put an HTTP proxy in transparent mode (with HTTP proxy antivirus) on a router, so that all traffic from the LAN is redirected transparently by the router to an HTTP proxy on the same box and the answer is then sent back to the LAN client.

The same goes for email antivirus. The only setup I could think of is to redirect the mail server (the domain/IP that is set up as MX) to a box and port where I have an email antivirus that in the end sends the email on to the mail server.

(I don't think I've clearly explained some things, I will do some more research and I'll come back then with questions.)

Thank you for your quick replies.


----------



## SirDice (Sep 24, 2009)

An HTTP transparent proxy is probably the simplest to set up. There really is no need to bridge the interfaces for that. The proxy is going to sit on the edge of your network anyway, so you might as well use the 'normal' network segments.

As for email scanning, I'm a firm believer in the store-and-forward principle. You set up an email server which everybody must use; scanning is done on that server and the server decides whether to forward the email or not.

I'm also somebody that likes to separate functionality as much as possible, so I would use separate boxes for email and web traffic. Budgets may prevent that unfortunately but the companies I worked for usually didn't have a problem with it (they actually dictated it).


----------



## overmind (Sep 24, 2009)

The problem is that they have an ADSL modem + router, all in one device, and they do not want to add another router behind the ADSL router.

I will test a setup with a bridged FreeBSD box behind the ADSL router, with HTTP traffic forwarded to an HTTP proxy, and will come back and share the experience. And the same for the other services.

Is there any content filter application that is better than dansguardian?

Thank you SirDice


----------



## SirDice (Sep 24, 2009)

I have an ADSL modem+router too; I managed to configure mine to use SIP spoofing. This means I get my public IP address directly on my fbsd box with DHCP. All NAT and firewalling is done there.


----------



## Old-Oak (Sep 25, 2009)

Hey there...

I am actually testing the whole situation as described above right now. What I have in mind is a bridged box that does some transparent proxying (through squid). I don't want to use different IP ranges on the two sides of the box, which is what you would normally do with NAT or divert and two NICs, so therefore I use the bridging option. I like that you can set up the bridged box anywhere you want, without reconfiguring clients. So the packets flow through without the clients noticing. You can choose to give the bridged box an IP address or not.

This works well and I have the box sitting between my router and my LAN. You can do ipfw firewall rules, and can choose layer 2 or the NIC devices themselves (bridge0 or em0/rl0). However, I have one *big* problem that has been itching me for some days now.

I use an ipfw fwd rule

```
ipfw add 00100 fwd 127.0.0.1,3128 tcp from not me to any 80
```

to forward all HTTP traffic to the squid daemon on port 3128. This is not working on the bridged box.

However, on another box (without bridging) it works, as done before by many people. That is, a normal transparent proxy with different IP ranges on the interfaces and, in my case, NAT rules. If I use a forward rule on the bridged box

```
ipfw add 00100 fwd ip.otherbox,3128 tcp from not me to any 80
```

and also set up a rule on the other box to point to the loopback (127.0.0.1), I can forward the traffic from the bridged box to the other box which runs squid. But I can't forward the traffic to the loopback interface of the bridged box itself.

I've noticed with *ipfw show* that the forward is done and the packets are picked up by the rule, but when I run tcpdump on the 127.0.0.1 address on the bridged box, the packets never arrive.

Am I missing something...?? Any ideas...??

--
~ Old-Oak ~


----------



## DutchDaemon (Sep 25, 2009)

I don't know how this works with ipfw, but with pf you *must* add a route-to rule for transparent proxying on a bridge.

e.g.

```
rdr on $if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in quick on $if route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
```

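For reference, here is a complete minimal configuration for the setup Old-Oak is trying to build and DutchDaemon's pf fix addresses: a FreeBSD box with two bridged NICs, squid listening on 127.0.0.1:3128 in transparent/intercept mode, and pf redirecting LAN HTTP traffic to it with the explicit route-to lo0 rule. This is an added example, not a poster's configuration; the interface names em0/em1, the management address 192.168.1.2/24, the LAN 192.168.1.0/24 and the ADSL router at 192.168.1.1 are assumptions.

```conf
# /etc/rc.conf (assumed: em0 faces the ADSL router, em1 faces the LAN)
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.1.2/24 addm em0 addm em1 up"   # assumed management address
ifconfig_em0="up"
ifconfig_em1="up"
defaultrouter="192.168.1.1"                                    # assumed ADSL router
pf_enable="YES"
squid_enable="YES"

# /etc/sysctl.conf: let pf filter each frame once, on the member NICs (see if_bridge(4))
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_onlyip=1

# /etc/pf.conf
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"          # assumed LAN
proxy  = "127.0.0.1"

set skip on lo0

# translation: HTTP requests arriving from the LAN are redirected to squid
rdr on $int_if inet proto tcp from $lan to any port 80 -> $proxy port 3128

# default deny; everything below is explicitly allowed
block log all

# on a bridge the redirected packet must be handed to the loopback explicitly,
# otherwise it is bridged straight out of em0 and never reaches squid
pass in quick on $int_if route-to lo0 inet proto tcp from $lan to $proxy port 3128 keep state

# all other LAN traffic crosses the bridge statefully; squid's own fetches
# (sourced from the bridge address) leave through em0
pass in on $int_if inet from $lan to any keep state
pass out on $ext_if inet from { $lan, 192.168.1.2 } to any keep state
```

Check the redirect with `pfctl -s state` while a LAN client fetches a page: the entry should show the client's port-80 connection translated to 127.0.0.1:3128.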

----------



## Old-Oak (Sep 28, 2009)

Thanks for the tip. I was not aware of such a mechanism.
I don't know much about *pf* (yet), but I will try it as soon as I get time and post the results back here.

~Old-Oak~


----------

