#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2018-12-08 14:45-0200\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Put one translator per line, in the form NAME <EMAIL>, YEAR1, YEAR2
msgctxt "_"
msgid "translator-credits"
msgstr ""

#. (itstool) path: info/title
#: article.translate.xml:4
msgid "Filtering Bridges"
msgstr ""

#. (itstool) path: affiliation/address
#: article.translate.xml:9
#, no-wrap
msgid "<email>ale@FreeBSD.org</email>"
msgstr ""

#. (itstool) path: authorgroup/author
#: article.translate.xml:8
msgid ""
"<personname><firstname>Alex</firstname><surname>Dupre</surname></"
"personname><affiliation> <_:address-1/> </affiliation>"
msgstr ""

#. (itstool) path: legalnotice/para
#: article.translate.xml:14
msgid "FreeBSD is a registered trademark of the FreeBSD Foundation."
msgstr ""

#. (itstool) path: legalnotice/para
#: article.translate.xml:16
msgid "3Com and HomeConnect are registered trademarks of 3Com Corporation."
msgstr ""

#. (itstool) path: legalnotice/para
#: article.translate.xml:18
msgid ""
"Intel, Celeron, Centrino, Core, EtherExpress, i386, i486, Itanium, Pentium, "
"and Xeon are trademarks or registered trademarks of Intel Corporation or its "
"subsidiaries in the United States and other countries."
msgstr ""

#. (itstool) path: legalnotice/para
#: article.translate.xml:22
msgid ""
"Many of the designations used by manufacturers and sellers to distinguish "
"their products are claimed as trademarks. Where those designations appear in "
"this document, and the FreeBSD Project was aware of the trademark claim, the "
"designations have been followed by the <quote>™</quote> or the <quote>®</"
"quote> symbol."
msgstr ""

#. (itstool) path: info/pubdate
#. (itstool) path: info/releaseinfo
#: article.translate.xml:30 article.translate.xml:32
msgid ""
"$FreeBSD: head/en_US.ISO8859-1/articles/filtering-bridges/article.xml 44681 "
"2014-04-28 20:19:20Z wblock $"
msgstr ""

#. (itstool) path: abstract/para
#: article.translate.xml:35
msgid ""
"Often it is useful to divide one physical network (like an Ethernet) into "
"two separate segments without having to create subnets, and use a router to "
"link them together. The device that connects the two networks in this way is "
"called a bridge. A FreeBSD system with two network interfaces is enough in "
"order to act as a bridge."
msgstr ""

#. (itstool) path: abstract/para
#: article.translate.xml:41
msgid ""
"A bridge works by scanning the addresses of <acronym>MAC</acronym> level "
"(Ethernet addresses) of the devices connected to each of its network "
"interfaces and then forwarding the traffic between the two networks only if "
"the source and the destination are on different segments. Under many points "
"of view a bridge is similar to an Ethernet switch with only two ports."
msgstr ""

#. (itstool) path: sect1/title
#: article.translate.xml:51
msgid "Why use a filtering bridge?"
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:53
msgid ""
"More and more frequently, thanks to the lowering costs of broad band "
"Internet connections (xDSL) and also because of the reduction of available "
"IPv4 addresses, many companies are connected to the Internet 24 hours on 24 "
"and with few (sometimes not even a power of 2) IP addresses. In these "
"situations it is often desirable to have a firewall that filters incoming "
"and outgoing traffic from and towards Internet, but a packet filtering "
"solution based on router may not be applicable, either due to subnetting "
"issues, the router is owned by the connectivity supplier (<acronym>ISP</"
"acronym>), or because it does not support such functionalities. In these "
"scenarios the use of a filtering bridge is highly advised."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:65
msgid ""
"A bridge-based firewall can be configured and inserted between the xDSL "
"router and your Ethernet hub/switch without any IP numbering issues."
msgstr ""

#. (itstool) path: sect1/title
#: article.translate.xml:71
msgid "How to Install"
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:73
msgid ""
"Adding bridge functionalities to a FreeBSD system is not difficult. Since 4."
"5 release it is possible to load such functionalities as modules instead of "
"having to rebuild the kernel, simplifying the procedure a great deal. In the "
"following subsections I will explain both installation ways."
msgstr ""

#. (itstool) path: important/para
#: article.translate.xml:80
msgid ""
"<emphasis>Do not</emphasis> follow both instructions: a procedure "
"<emphasis>excludes</emphasis> the other one. Select the best choice "
"according to your needs and abilities."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:85
msgid ""
"Before going on, be sure to have at least two Ethernet cards that support "
"the promiscuous mode for both reception and transmission, since they must be "
"able to send Ethernet packets with any address, not just their own. "
"Moreover, to have a good throughput, the cards should be PCI bus mastering "
"cards. The best choices are still the Intel <trademark>EtherExpress</"
"trademark> Pro, followed by the <trademark class=\"registered\">3Com</"
"trademark> 3c9xx series. To simplify the firewall configuration it may be "
"useful to have two cards of different manufacturers (using different "
"drivers) in order to distinguish clearly which interface is connected to the "
"router and which to the inner network."
msgstr ""

#. (itstool) path: sect2/title
#: article.translate.xml:97
msgid "Kernel Configuration"
msgstr ""

#. (itstool) path: sect2/para
#: article.translate.xml:99
msgid ""
"So you have decided to use the older but well tested installation method. To "
"begin, you have to add the following rows to your kernel configuration file:"
msgstr ""

#. (itstool) path: sect2/programlisting
#: article.translate.xml:103
#, no-wrap
msgid "options BRIDGE\n"
"options IPFIREWALL\n"
"options IPFIREWALL_VERBOSE"
msgstr ""

#. (itstool) path: sect2/para
#: article.translate.xml:107
msgid ""
"The first line is to compile the bridge support, the second one is the "
"firewall and the third one is the logging functions of the firewall."
msgstr ""

#. (itstool) path: sect2/para
#: article.translate.xml:111
msgid ""
"Now it is necessary to build and install the new kernel. You may find "
"detailed instructions in the <link xlink:href=\"@@URL_RELPREFIX@@/doc/en_US."
"ISO8859-1/books/handbook/kernelconfig-building.html\">Building and "
"Installing a Custom Kernel</link> section of the FreeBSD Handbook."
msgstr ""

#. (itstool) path: sect2/title
#: article.translate.xml:118
msgid "Modules Loading"
msgstr ""

#. (itstool) path: sect2/para
#: article.translate.xml:120
msgid ""
"If you have chosen to use the new and simpler installation method, the only "
"thing to do now is add the following row to <filename>/boot/loader.conf</"
"filename>:"
msgstr ""

#. (itstool) path: sect2/programlisting
#: article.translate.xml:124
#, no-wrap
msgid "bridge_load=\"YES\""
msgstr ""

#. (itstool) path: sect2/para
#: article.translate.xml:126
msgid ""
"In this way, during the system startup, the <filename>bridge.ko</filename> "
"module will be loaded together with the kernel. It is not required to add a "
"similar row for the <filename>ipfw.ko</filename> module, since it will be "
"loaded automatically after the execution of the steps in the following "
"section."
msgstr ""

#. (itstool) path: sect1/title
#: article.translate.xml:136
msgid "Final Preparation"
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:138
msgid ""
"Before rebooting in order to load the new kernel or the required modules "
"(according to the previously chosen installation method), you have to make "
"some changes to the <filename>/etc/rc.conf</filename> configuration file. "
"The default rule of the firewall is to reject all IP packets. Initially we "
"will set up an <option>open</option> firewall, in order to verify its "
"operation without any issue related to packet filtering (in case you are "
"going to execute this procedure remotely, such configuration will avoid you "
"to remain isolated from the network). Put these lines in <filename>/etc/rc."
"conf</filename>:"
msgstr ""

#. (itstool) path: sect1/programlisting
#: article.translate.xml:148
#, no-wrap
msgid ""
"firewall_enable=\"YES\"\n"
"firewall_type=\"open\"\n"
"firewall_quiet=\"YES\"\n"
"firewall_logging=\"YES\""
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:153
msgid ""
"The first row will enable the firewall (and will load the module "
"<filename>ipfw.ko</filename> if it is not compiled in the kernel), the "
"second one to set up it in <option>open</option> mode (as explained in "
"<filename>/etc/rc.firewall</filename>), the third one to not show rules "
"loading and the fourth one to enable logging support."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:159
msgid ""
"About the configuration of the network interfaces, the most used way is to "
"assign an IP to only one of the network cards, but the bridge will work "
"equally even if both interfaces or none has a configured IP. In the last "
"case (IP-less) the bridge machine will be still more hidden, as inaccessible "
"from the network: to configure it, you have to login from console or through "
"a third network interface separated from the bridge. Sometimes, during the "
"system startup, some programs require network access, say for domain "
"resolution: in this case it is necessary to assign an IP to the external "
"interface (the one connected to Internet, where <acronym>DNS</acronym> "
"server resides), since the bridge will be activated at the end of the "
"startup procedure. It means that the <filename>fxp0</filename> interface (in "
"our case) must be mentioned in the ifconfig section of the <filename>/etc/rc."
"conf</filename> file, while the <filename>xl0</filename> is not. Assigning "
"an IP to both the network cards does not make much sense, unless, during the "
"start procedure, applications should access to services on both Ethernet "
"segments."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:177
msgid ""
"There is another important thing to know. When running IP over Ethernet, "
"there are actually two Ethernet protocols in use: one is IP, the other is "
"<acronym>ARP</acronym>. <acronym>ARP</acronym> does the conversion of the IP "
"address of a host into its Ethernet address (<acronym>MAC</acronym> layer). "
"In order to allow the communication between two hosts separated by the "
"bridge, it is necessary that the bridge will forward <acronym>ARP</acronym> "
"packets. Such protocol is not included in the IP layer, since it exists only "
"with IP over Ethernet. The FreeBSD firewall filters exclusively on the IP "
"layer and therefore all non-IP packets (<acronym>ARP</acronym> included) "
"will be forwarded without being filtered, even if the firewall is configured "
"to not permit anything."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:190
msgid ""
"Now it is time to reboot the system and use it as before: there will be some "
"new messages about the bridge and the firewall, but the bridge will not be "
"activated and the firewall, being in <option>open</option> mode, will not "
"avoid any operations."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:195
msgid ""
"If there are any problems, you should sort them out now before proceeding."
msgstr ""

#. (itstool) path: sect1/title
#: article.translate.xml:200
msgid "Enabling the Bridge"
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:202
msgid ""
"At this point, to enable the bridge, you have to execute the following "
"commands (having the shrewdness to replace the names of the two network "
"interfaces <filename>fxp0</filename> and <filename>xl0</filename> with your "
"own ones):"
msgstr ""

#. (itstool) path: sect1/screen
#: article.translate.xml:207
#, no-wrap
msgid ""
"<prompt>#</prompt> <userinput>sysctl net.link.ether.bridge.config=fxp0:0,xl0:"
"0</userinput>\n"
"<prompt>#</prompt> <userinput>sysctl net.link.ether.bridge.ipfw=1</"
"userinput>\n"
"<prompt>#</prompt> <userinput>sysctl net.link.ether.bridge.enable=1</"
"userinput>"
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:211
msgid ""
"The first row specifies which interfaces should be activated by the bridge, "
"the second one will enable the firewall on the bridge and finally the third "
"one will enable the bridge."
msgstr ""

#. (itstool) path: note/para
#: article.translate.xml:216
msgid ""
"If you have FreeBSD 5.1-RELEASE or previous the sysctl variables are spelled "
"differently. See <citerefentry><refentrytitle>bridge</"
"refentrytitle><manvolnum>4</manvolnum></citerefentry> for details."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:220
msgid ""
"At this point you should be able to insert the machine between two sets of "
"hosts without compromising any communication abilities between them. If so, "
"the next step is to add the <literal>net.link.ether.bridge."
"<replaceable>[blah]</replaceable>=<replaceable>[blah]</replaceable></"
"literal> portions of these rows to the <filename>/etc/sysctl.conf</filename> "
"file, in order to have them execute at startup."
msgstr ""

#. (itstool) path: sect1/title
#: article.translate.xml:229
msgid "Configuring The Firewall"
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:231
msgid ""
"Now it is time to create your own file with custom firewall rules, in order "
"to secure the inside network. There will be some complication in doing this "
"because not all of the firewall functionalities are available on bridged "
"packets. Furthermore, there is a difference between the packets that are in "
"the process of being forwarded and packets that are being received by the "
"local machine. In general, incoming packets are run through the firewall "
"only once, not twice as is normally the case; in fact they are filtered only "
"upon receipt, so rules that use <option>out</option> or <option>xmit</"
"option> will never match. Personally, I use <option>in via</option> which is "
"an older syntax, but one that has a sense when you read it. Another "
"limitation is that you are restricted to use only <option>pass</option> or "
"<option>drop</option> commands for packets filtered by a bridge. "
"Sophisticated things like <option>divert</option>, <option>forward</option> "
"or <option>reject</option> are not available. Such options can still be "
"used, but only on traffic to or from the bridge machine itself (if it has an "
"IP address)."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:247
msgid ""
"New in FreeBSD 4.0, is the concept of stateful filtering. This is a big "
"improvement for <acronym>UDP</acronym> traffic, which typically is a request "
"going out, followed shortly thereafter by a response with the exact same set "
"of IP addresses and port numbers (but with source and destination reversed, "
"of course). For firewalls that have no statekeeping, there is almost no way "
"to deal with this sort of traffic as a single session. But with a firewall "
"that can <quote>remember</quote> an outgoing <acronym>UDP</acronym> packet "
"and, for the next few minutes, allow a response, handling <acronym>UDP</"
"acronym> services is trivial. The following example shows how to do it. It "
"is possible to do the same thing with <acronym>TCP</acronym> packets. This "
"allows you to avoid some denial of service attacks and other nasty tricks, "
"but it also typically makes your state table grow quickly in size."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:261
msgid ""
"Let's look at an example setup. Note first that at the top of <filename>/etc/"
"rc.firewall</filename> there are already standard rules for the loopback "
"interface <filename>lo0</filename>, so we should not have to care for them "
"anymore. Custom rules should be put in a separate file (say <filename>/etc/"
"rc.firewall.local</filename>) and loaded at system startup, by modifying the "
"row of <filename>/etc/rc.conf</filename> where we defined the <option>open</"
"option> firewall:"
msgstr ""

#. (itstool) path: sect1/programlisting
#: article.translate.xml:270
#, no-wrap
msgid "firewall_type=\"/etc/rc.firewall.local\""
msgstr ""

#. (itstool) path: important/para
#: article.translate.xml:273
msgid ""
"You have to specify the <emphasis>full</emphasis> path, otherwise it will "
"not be loaded with the risk to remain isolated from the network."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:278
msgid ""
"For our example imagine to have the <filename>fxp0</filename> interface "
"connected towards the outside (Internet) and the <filename>xl0</filename> "
"towards the inside (<acronym>LAN</acronym>). The bridge machine has the IP "
"<systemitem class=\"ipaddress\">1.2.3.4</systemitem> (it is not possible "
"that your <acronym>ISP</acronym> can give you an address quite like this, "
"but for our example it is good)."
msgstr ""

#. (itstool) path: sect1/programlisting
#: article.translate.xml:285
#, no-wrap
msgid ""
"# Things that we have kept state on before get to go through in a hurry\n"
"add check-state\n"
"\n"
"# Throw away RFC 1918 networks\n"
"add drop all from 10.0.0.0/8 to any in via fxp0\n"
"add drop all from 172.16.0.0/12 to any in via fxp0\n"
"add drop all from 192.168.0.0/16 to any in via fxp0\n"
"\n"
"# Allow the bridge machine to say anything it wants\n"
"# (if the machine is IP-less do not include these rows)\n"
"add pass tcp from 1.2.3.4 to any setup keep-state\n"
"add pass udp from 1.2.3.4 to any keep-state\n"
"add pass ip from 1.2.3.4 to any\n"
"\n"
"# Allow the inside hosts to say anything they want\n"
"add pass tcp from any to any in via xl0 setup keep-state\n"
"add pass udp from any to any in via xl0 keep-state\n"
"add pass ip from any to any in via xl0\n"
"\n"
"# TCP section\n"
"# Allow SSH\n"
"add pass tcp from any to any 22 in via fxp0 setup keep-state\n"
"# Allow SMTP only towards the mail server\n"
"add pass tcp from any to relay 25 in via fxp0 setup keep-state\n"
"# Allow zone transfers only by the slave name server [dns2.nic.it]\n"
"add pass tcp from 193.205.245.8 to ns 53 in via fxp0 setup keep-state\n"
"# Pass ident probes.  It is better than waiting for them to timeout\n"
"add pass tcp from any to any 113 in via fxp0 setup keep-state\n"
"# Pass the \"quarantine\" range\n"
"add pass tcp from any to any 49152-65535 in via fxp0 setup keep-state\n"
"\n"
"# UDP section\n"
"# Allow DNS only towards the name server\n"
"add pass udp from any to ns 53 in via fxp0 keep-state\n"
"# Pass the \"quarantine\" range\n"
"add pass udp from any to any 49152-65535 in via fxp0 keep-state\n"
"\n"
"# ICMP section\n"
"# Pass 'ping'\n"
"add pass icmp from any to any icmptypes 8 keep-state\n"
"# Pass error messages generated by 'traceroute'\n"
"add pass icmp from any to any icmptypes 3\n"
"add pass icmp from any to any icmptypes 11\n"
"\n"
"# Everything else is suspect\n"
"add drop log all from any to any"
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:332
msgid ""
"Those of you who have set up firewalls before may notice some things missing."
" In particular, there are no anti-spoofing rules, in fact we did "
"<emphasis>not</emphasis> add:"
msgstr ""

#. (itstool) path: sect1/programlisting
#: article.translate.xml:336
#, no-wrap
msgid "add deny all from 1.2.3.4/8 to any in via fxp0"
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:338
msgid ""
"That is, drop packets that are coming in from the outside claiming to be "
"from our network. This is something that you would commonly do to be sure "
"that someone does not try to evade the packet filter, by generating "
"nefarious packets that look like they are from the inside. The problem with "
"that is that there is <emphasis>at least</emphasis> one host on the outside "
"interface that you do not want to ignore: the router. But usually, the "
"<acronym>ISP</acronym> anti-spoofs at their router, so we do not need to "
"bother that much."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:347
msgid ""
"The last rule seems to be an exact duplicate of the default rule, that is, "
"do not let anything pass that is not specifically allowed. But there is a "
"difference: all suspected traffic will be logged."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:351
msgid ""
"There are two rules for passing <acronym>SMTP</acronym> and <acronym>DNS</"
"acronym> traffic towards the mail server and the name server, if you have "
"them. Obviously the whole rule set should be flavored to personal taste, "
"this is only a specific example (rule format is described accurately in the "
"<citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></"
"citerefentry> man page). Note that in order for <quote>relay</quote> and "
"<quote>ns</quote> to work, name service lookups must work <emphasis>before</"
"emphasis> the bridge is enabled. This is an example of making sure that you "
"set the IP on the correct network card. Alternatively it is possible to "
"specify the IP address instead of the host name (required if the machine is "
"IP-less)."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:362
msgid ""
"People that are used to setting up firewalls are probably also used to "
"either having a <option>reset</option> or a <option>forward</option> rule "
"for ident packets (<acronym>TCP</acronym> port 113). Unfortunately, this is "
"not an applicable option with the bridge, so the best thing is to simply "
"pass them to their destination. As long as that destination machine is not "
"running an ident daemon, this is relatively harmless. The alternative is "
"dropping connections on port 113, which creates some problems with services "
"like <acronym>IRC</acronym> (the ident probe must timeout)."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:372
msgid ""
"The only other thing that is a little weird that you may have noticed is "
"that there is a rule to let the bridge machine speak, and another for "
"internal hosts. Remember that this is because the two sets of traffic will "
"take different paths through the kernel and into the packet filter. The "
"inside net will go through the bridge, while the local machine will use the "
"normal IP stack to speak. Thus the two rules to handle the different cases. "
"The <literal>in via fxp0</literal> rules work for both paths. In general, if "
"you use <option>in via</option> rules throughout the filter, you will need "
"to make an exception for locally generated packets, because they did not "
"come in via any of our interfaces."
msgstr ""

#. (itstool) path: sect1/title
#: article.translate.xml:386
msgid "Contributors"
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:388
msgid ""
"Many parts of this article have been taken, updated and adapted from an old "
"text about bridging, edited by Nick Sayer. A pair of inspirations are due to "
"an introduction on bridging by Steve Peterson."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:392
msgid ""
"A big thanks to Luigi Rizzo for the implementation of the bridge code in "
"FreeBSD and for the time he has dedicated to me answering all of my related "
"questions."
msgstr ""

#. (itstool) path: sect1/para
#: article.translate.xml:396
msgid ""
"A thanks goes out also to Tom Rhodes who looked over my job of translation "
"from Italian (the original language of this article) into English."
msgstr ""