# transparent/bridged firewall plus squid/privoxy/bind in jails?



## Erratus (Apr 30, 2013)

I'm experimenting with a dual NIC box running Squid, Privoxy and PF packet filter on it.

I've learned that packet filters are ultimately safe when they are transparent between two interfaces, showing no IP to either side, which is called a bridged firewall. Now correct me if I'm wrong, but such a bridge could be given an IP address on one interface for setting it up and maintaining it (which of course would make it attackable, at least temporarily, as long as an IP is set up and enabled)? Or in other words: can an interface which is set up as a bridge have an IP address on one side?

If this is possible, I might go a step further: I'd like to know if it is possible to run additional appliances on a box primarily set up as a bridge. I.e. can Privoxy and Squid run on it too, when each is running in a jail with an IP?

Any hints are welcome, adding some surplus to a plain bridged firewall.


----------



## kpa (Apr 30, 2013)

You have some things confused. The main one is that having an IP address does not necessarily make a host attackable if you filter everything properly.


----------



## Erratus (Apr 30, 2013)

I'm not confused about that. A plain bridged packet filter is a box with two interfaces and no IP, therefore it cannot be attacked/configured from either side.

My situation is that I want to experiment with a bridge, using a ready FreeBSD box with dual NICs, without dropping the appliances running on it. So the question for me is: can I convert this box into a bridge without dropping the other stuff on it, as described above?

Doing so, I know I increase the risk of the bridge becoming attackable, whereas the configuration otherwise could not be attacked (except by DoS). Hope this is more understandable.


----------



## kpa (Apr 30, 2013)

Well, what I would do is to assign a private RFC 1918 address on the bridge or one of the interfaces on the bridge, preferably LAN. The address would be completely unreachable outside the broadcast domain of the bridged network (since the upstream router does not have a matching address on its "LAN" interface) and reachable on the bridged network only if you know the address in advance. You can then restrict the access to this address so that it cannot be reached from the "WAN" side of the bridged network.

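A concrete way to set up what kpa describes, added here as an example and not taken from the thread: the interface names em0 (WAN) and em1 (LAN), the 192.168.1.0/24 LAN and the management address 192.168.1.2 are assumptions.

```conf
# /etc/rc.conf -- build the bridge and give it the RFC 1918 management address
cloned_interfaces="bridge0"
ifconfig_em0="up"                 # WAN-facing member (assumed name)
ifconfig_em1="up"                 # LAN-facing member (assumed name)
ifconfig_bridge0="addm em0 addm em1 inet 192.168.1.2/24 up"
pf_enable="YES"

# /etc/sysctl.conf -- filter on the member interfaces instead of bridge0,
# so that pf rules can distinguish the WAN side from the LAN side
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0

# /etc/pf.conf
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
mgmt_ip = "192.168.1.2"

set skip on lo0
set block-policy drop

# Nothing arriving on the WAN member may reach the management address,
# and nothing on the WAN side may claim to be it (pf filters IP, not ARP)
block in quick on $wan_if from any to $mgmt_ip
block in quick on $wan_if from $mgmt_ip to any

# Only LAN hosts may reach SSH on the box; all other traffic to it is dropped
pass in quick on $lan_if proto tcp from $lan_net to $mgmt_ip port 22 keep state
block in quick on $lan_if from any to $mgmt_ip

# Traffic crossing the bridge is subject to the real filtering policy;
# these permissive defaults are placeholders to be tightened
pass in on $wan_if all keep state
pass in on $lan_if all keep state
pass out all keep state
```

With pfil_member=1 each packet is seen by pf on the member it enters, so the `on $wan_if` rules apply before the frame is forwarded or delivered locally.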

----------



## Erratus (May 1, 2013)

Ok, so part 1 is confirmed. What about part 2? Can the LAN-side interface be shared too with the IPs of the jails for Squid, etc.?


----------

