Possible to bridge interfaces but block all IP?

Hi.

Would it somehow be possible to bridge two NICs with FreeBSD, and block all IP communication but allow all other protocols?

Or even better still, allow some specific protocols.
 
The FreeBSD Handbook has some good examples of network bridges and different types of bridges:
https://www.freebsd.org/doc/en/books/handbook/network-bridging.html

You can use PF to block any service not explicitly listed in a table. This could be a sample pf.conf for you to work from:
tcp_services = "{ ssh, http, https, ldap, ldaps, ndb, nfsd, jetdirect }"
udp_services = "{ domain, nfsd, iax, radius, isakmp, sae-urn }"
pass in inet proto udp from any to any port $udp_services
pass in inet proto tcp from any to any port $tcp_services

Of course that's assuming your kernel will be blocking by default. The kernel option PF_DEFAULT_TO_DROP would accomplish this. You could add a "block in log all" up top to do this as well. This would log incoming IP packets that do not match your list of UDP or TCP services.
 
Wouldn't this block certain IP-based services, only? I would want to block all IPv4 and all IPv6 traffic, but allow other protocols. Like Apple's AppleTalk (EtherTalk), Novell's IPX, Banyan VINES, NetBEUI, DLC/LLC, IBM SNA and OSI/ISO.

Or am I missing your point?
 
Those are "allow" rules. I misunderstood your question. PF would only be useful for shaping and filtering IP-based traffic.

If you want to block all IPv4 and IPv6 traffic, why not just not assign an IPv4 or IPv6 address to your bridge?
 
But as it's a bridge it would still shuffle IP packets between the interfaces. With or without an IP address. :/
 
I had assumed you wanted to pass AppleTalk or IPX between your bridges. PF would allow you to block IP traffic into the machine itself while allowing you to pass IP traffic between the NICs. I think this might do it:

nic1_ip=...
nic2_ip=...

# macros are referenced with a leading $ in pf.conf
block inet from any to $nic1_ip
block inet from any to $nic2_ip

If you want your traffic to flow through the bridge but not actually communicate with the system.
 
I thought I was clear enough, but let me pull out mspaint.exe ... :)

protocolx.gif
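For the asker's actual goal, an added example that is not from anyone in this thread: PF only sees IP, but ipfw(8) can filter bridged frames by Ethernet type once the bridge(4) sysctl net.link.bridge.ipfw is set. The script below generates (and, with --apply, loads) an ipfw ruleset that drops IPv4, IPv6 and ARP frames crossing the bridge and forwards only the listed EtherTypes; the interface names, the EtherType list and the --apply flag are my assumptions.

```shell
#!/bin/sh
# Added example (not from anyone in this thread): layer-2 ipfw filtering on a
# FreeBSD if_bridge that drops every IPv4/IPv6 (and ARP) frame crossing the
# bridge while forwarding the other EtherTypes the asker listed.
# Assumptions: interface names, the ALLOWED list and the --apply flag are mine.
# Without --apply the script only prints the commands it would run.

BRIDGE=bridge0
MEMBERS="em0 em1"
# EtherTypes to forward: AppleTalk 0x809b, AARP 0x80f3, IPX (Ethernet II)
# 0x8137, and 0-1500, which is an 802.3 length field rather than a type, i.e.
# LLC-framed traffic such as NetBEUI, SNA and IPX over 802.3/802.2.
ALLOWED="0x809b,0x80f3,0x8137,0-1500"

# Emit the commands for the bridge and the ipfw ruleset.  Every rule carries
# the 'layer2' option, so it matches frames as the bridge forwards them and
# leaves the host's own layer-3 ipfw processing alone.
gen_rules() {
  bridge=$1; members=$2; allowed=$3
  echo "ifconfig $bridge create"
  for m in $members; do echo "ifconfig $bridge addm $m up"; done
  echo "ifconfig $bridge up"
  # bridge(4) sysctls: hand bridged frames (and ARP) to ipfw at layer 2.
  echo "sysctl net.link.bridge.ipfw=1"
  echo "sysctl net.link.bridge.ipfw_arp=1"
  echo "ipfw -q flush"
  # PF cannot do this step: it only sees IP.  Matching on the EtherType
  # (0x0800 IPv4, 0x86dd IPv6, 0x0806 ARP) drops IP before it is forwarded.
  echo "ipfw add 100 deny all from any to any layer2 mac-type 0x0800,0x86dd,0x0806"
  echo "ipfw add 200 allow all from any to any layer2 mac-type $allowed"
  # Default deny for any other EtherType, logged so unexpected protocols
  # show up in the ipfw log instead of silently crossing the bridge.
  echo "ipfw add 65000 deny log all from any to any layer2"
}

if [ "$1" = "--apply" ]; then
  gen_rules "$BRIDGE" "$MEMBERS" "$ALLOWED" | sh -e   # needs root on FreeBSD
else
  gen_rules "$BRIDGE" "$MEMBERS" "$ALLOWED"           # dry run: print only
fi
```

Run it once without --apply and compare the printed ruleset against `ipfw -a list` after loading; the counters on rule 100 show how much IP the bridge is actually dropping.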
 