IPFire bridge mode hack

While developing the Suricata IPS in XDP mode feature for BPFire, I realized all the IPFire firewall will stop working, because Suricata IPS in XDP mode actually works as a network bridge and works as a hidden inline layer 2 device. Then I found someone actually asked about IPFire bridge mode in this thread: Bridge mode or not?

Actually, you can hack IPFire into bridge mode by assigning the static IP/MASK 0.0.0.0/0.0.0.0 to the red0 and green0 interfaces with the setup command, then reboot. IPFire DHCP still stops working due to no IP address being assigned to the green0 interface, which was what the user wanted, and the green network clients would get DHCP from the upstream DHCP server. You can run Suricata in IPS AF_PACKET mode, which is sort of like bridging the red0 and green0 interfaces, so it can do inline packet intrusion detection. Of course, no firewall capability though, I think. Anyway, just sharing the info.

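An added example, not from the thread or from IPFire's or Suricata's own files, of the `af-packet` section of `suricata.yaml` for the AF_PACKET IPS mode described above: red0 and green0 are peered with `copy-mode: ips`, so every packet received on one interface is inspected and, unless a rule drops it, copied out the other, which is the "sort of like bridging" behaviour. Interface names are the IPFire ones from the post; the cluster IDs and buffer size are values chosen here.

```yaml
# Constructed example: af-packet IPS (copy-mode) pairing of IPFire's red0 and green0.
# Packets flow red0 -> green0 and green0 -> red0 through Suricata's rule engine only;
# no netfilter/IPFire firewall policy is applied on this path, so only "drop" rules
# block traffic. Both peers must use the same number of threads.
af-packet:
  - interface: red0
    threads: 1
    cluster-id: 99          # arbitrary, must differ per interface
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips          # forward inspected packets instead of just sniffing
    copy-iface: green0      # peer interface for the red0 -> green0 direction
    use-mmap: yes
    buffer-size: 64535
  - interface: green0
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: red0        # peer interface for the green0 -> red0 direction
    use-mmap: yes
    buffer-size: 64535
```

Start Suricata with `suricata -c /etc/suricata/suricata.yaml --af-packet`; with the interfaces at 0.0.0.0/0 as in the post, this path carries the green clients' upstream DHCP exchange as well, so a DHCP drop rule would cut them off.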

Might be useful for some but the potential lack of firewalling might be equally undesired.

Due to the inherent incapability of IPv4 to share a base IP address without using NAT or having the ISP provide a range of addresses (which I don't think IPFire works as easily with - correct me if I'm wrong), you would still need to have another routing device after the IPFire box if working as a bridge - something you could potentially do as an all-in-one solution using more than one instance, hosting it on a hypervisor and using internal virtual adapters to pass the traffic from the bridged WAN connection to the next IPFire red interface.

On the other hand, with IPv6 and the possibility of ISPs providing /56, /60 or /64 routed subnets and essentially no NAT being done by the gateway device, IPFire is going to have to morph into doing this and effectively becoming a firewall/IPS device that just assists with DHCP allocation within those ranges on IPv6, whilst also doing NAT routing on IPv4... fun for the devs.
Luckily I don't have an ISP with effective proper IPv6 allocation** going on, otherwise honestly I'd probably have to be using OPNsense.

** = I basically have the choice of either A) a public IPv4 address and NO IPv6 or B) a CGNAT IPv4 with IPv6 (which by default appears to be a /64 range) which is hard to work with for what I want.

Running Suricata in IPS NFQ mode, which is provided by netfilter, the firewall might still work; I am not sure though.

With the multi XDP attachment capability I developed with Suricata, some simple firewall features could be migrated to XDP; of course no stateful firewall feature is available, just a hack for fun: https://youtu.be/bQk6wantL5U?si=R73ajmndRDTC3hdq


      *********        GW:172.16.1.1/24   +-----------------+                   +---+
    **         **                         | Inline          |               +---+   |
  **             **       +---------+     |                 |               |   +---+
 *                 *      | ISP     |     |      0.0.0.0/0  | 172.16.1.0/24 |     +---+
 *   Internet      *<---->+ Modem   <---->+red0       green0+---------------+-----+   | 172.16.1.28/24
 *                 *      | Router  |     |0.0.0.0/0        |               |     |   |
  **             **       | dhcp    |     |GW:172.16.1.1/24 |               |     +---+
    **         **         +----+----+     |                 |               |      +---+
      *********                |          | Suricata Multi  |               |      |   |
                               |          | XDP bridge mode |               +------+   |
                               |          |                 |                      |   |
                               |          ++----orange0-----+                      +---+
                               |                   |
                               +-------------------+  172.16.1.39/24