path: root/documentation/content/es/articles/filtering-bridges/_index.po
# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR The FreeBSD Project
# This file is distributed under the same license as the FreeBSD Documentation package.
# Fernando  Apesteguía <fernando.apesteguia@gmail.com>, 2021, 2022.
msgid ""
msgstr ""
"Project-Id-Version: FreeBSD Documentation VERSION\n"
"POT-Creation-Date: 2022-02-01 09:21-0300\n"
"PO-Revision-Date: 2022-07-11 11:54+0000\n"
"Last-Translator: Fernando  Apesteguía <fernando.apesteguia@gmail.com>\n"
"Language-Team: Spanish <https://translate-dev.freebsd.org/projects/"
"documentation/articlesfiltering-bridges_index/es/>\n"
"Language: es\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
"X-Generator: Weblate 4.10.1\n"

#. type: YAML Front Matter: description
#: documentation/content/en/articles/filtering-bridges/_index.adoc:1
#, no-wrap
msgid "Configuring firewalls and filtering on FreeBSD hosts acting as bridges rather than routers"
msgstr "Configurando firewalls y filtrando en hosts FreeBSD que actúan como bridges en lugar de routers"

#. type: Title =
#: documentation/content/en/articles/filtering-bridges/_index.adoc:1
#: documentation/content/en/articles/filtering-bridges/_index.adoc:11
#, no-wrap
msgid "Filtering Bridges"
msgstr "Bridges de Filtrado"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:44
msgid "Abstract"
msgstr "Resumen"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:48
msgid ""
"Often it is useful to divide one physical network (like an Ethernet) into "
"two separate segments without having to create subnets, and use a router to "
"link them together.  The device that connects the two networks in this way "
"is called a bridge.  A FreeBSD system with two network interfaces is enough "
"in order to act as a bridge."
msgstr ""
"A menudo es útil dividir una red física (por ejemplo una Ethernet) en dos "
"segmentos separados sin tener que crear subredes y usar un router para "
"vincularlas. El dispositivo que conecta las dos redes se llama bridge. Un "
"sistema FreeBSD con dos interfaces de red es suficiente para actuar como "
"bridge."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:51
msgid ""
"A bridge works by scanning the addresses of MAC level (Ethernet addresses) "
"of the devices connected to each of its network interfaces and then "
"forwarding the traffic between the two networks only if the source and the "
"destination are on different segments.  Under many points of view a bridge "
"is similar to an Ethernet switch with only two ports."
msgstr ""
"Un bridge funciona escaneando las direcciones del nivel MAC (direcciones "
"Ethernet) de los dispositivos conectados a cada una de sus interfaces de red "
"y luego reenvía el tráfico entre las dos redes solo si la fuente y el "
"destino están en diferentes segmentos. En muchos aspectos, un bridge es "
"similar a un switch de Ethernet con solo dos puertos."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:53
msgid "'''"
msgstr "'''"

#. type: Title ==
#: documentation/content/en/articles/filtering-bridges/_index.adoc:57
#, no-wrap
msgid "Why use a filtering bridge?"
msgstr "¿Por qué utilizar un bridge que haga filtrado?"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:62
msgid ""
"More and more frequently, thanks to the lowering costs of broad band "
"Internet connections (xDSL) and also because of the reduction of available "
"IPv4 addresses, many companies are connected to the Internet 24 hours on 24 "
"and with few (sometimes not even a power of 2) IP addresses.  In these "
"situations it is often desirable to have a firewall that filters incoming "
"and outgoing traffic from and towards Internet, but a packet filtering "
"solution based on router may not be applicable, either due to subnetting "
"issues, the router is owned by the connectivity supplier (ISP), or because "
"it does not support such functionalities.  In these scenarios the use of a "
"filtering bridge is highly advised."
msgstr ""
"Sucede con bastante frecuencia que, gracias a la reducción del coste de las "
"conexiones de banda ancha a Internet (xDSL) y a la reducción de las "
"direcciones IPv4 disponibles, muchas empresas están conectadas a Internet "
"las 24 horas del día y con pocas (a veces ni siquiera una potencia de 2) direcciones IP. A "
"menudo en estas situaciones es necesario tener un firewall (también conocido "
"como cortafuegos) que filtre el tráfico entrante y saliente desde y hacia "
"Internet, pero una solución de filtrado de paquetes puede que no sea "
"posible, ya sea por problemas de subredes, porque el router sea de propiedad "
"del proveedor de servicios de internet (ISP), o porque no admite tales "
"funcionalidades. En escenarios como estos se recomienda el uso de un bridge "
"que realice el filtrado."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:64
msgid ""
"A bridge-based firewall can be configured and inserted between the xDSL "
"router and your Ethernet hub/switch without any IP numbering issues."
msgstr ""
"Una buena solución sería configurar un firewall basado en un bridge. Lo "
"instalaremos entre el router xDSL y su hub/switch Ethernet, evitando así "
"problemas de numeración IP."

#. type: Title ==
#: documentation/content/en/articles/filtering-bridges/_index.adoc:66
#, no-wrap
msgid "How to Install"
msgstr "Proceso de instalación"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:71
msgid ""
"Adding bridge functionalities to a FreeBSD system is not difficult.  Since "
"4.5 release it is possible to load such functionalities as modules instead "
"of having to rebuild the kernel, simplifying the procedure a great deal.  In "
"the following subsections I will explain both installation ways."
msgstr ""
"No es difícil añadir funcionalidades de bridge a un sistema FreeBSD. Desde "
"la versión 4.5 es posible cargar funcionalidades como módulos en lugar de "
"tener que volver a compilar el kernel, lo cual simplifica mucho el "
"procedimiento. En las siguientes subsecciones explicaré ambas formas de "
"instalación."

#. type: delimited block = 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:76
msgid ""
"_Do not_ follow both instructions: a procedure _excludes_ the other one.  "
"Select the best choice according to your needs and abilities."
msgstr ""
"_No sigas_ ambas instrucciones: un procedimiento _es excluyente_ con el "
"otro. Escoge la mejor opción de acuerdo a tus necesidades y habilidades."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:82
msgid ""
"Before going on, be sure to have at least two Ethernet cards that support "
"the promiscuous mode for both reception and transmission, since they must be "
"able to send Ethernet packets with any address, not just their own.  "
"Moreover, to have a good throughput, the cards should be PCI bus mastering "
"cards.  The best choices are still the Intel EtherExpress(TM) Pro, followed "
"by the 3Com(R) 3c9xx series.  To simplify the firewall configuration it may "
"be useful to have two cards of different manufacturers (using different "
"drivers) in order to distinguish clearly which interface is connected to the "
"router and which to the inner network."
msgstr ""
"Antes de continuar asegúrese de tener al menos dos tarjetas Ethernet que "
"admitan el modo promiscuo tanto para la recepción como para la transmisión, "
"ya que deben poder enviar paquetes Ethernet con cualquier dirección, no solo "
"la suya. Además, para tener una buena tasa de transferencia, las tarjetas "
"deben ser tarjetas del bus PCI. Las mejores opciones siguen siendo Intel "
"EtherExpress(TM) Pro, seguida de la 3Com(R) 3c9xx series. Para simplificar "
"la configuración del firewall, puede ser útil tener dos tarjetas de "
"diferentes fabricantes (con diferentes controladores) para distinguir "
"claramente qué interfaz está conectada al router y cuál a la red interna."

#. type: Title ===
#: documentation/content/en/articles/filtering-bridges/_index.adoc:84
#, no-wrap
msgid "Kernel Configuration"
msgstr "Configuración del kernel"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:88
msgid ""
"So you have decided to use the older but well tested installation method.  "
"To begin, you have to add the following rows to your kernel configuration "
"file:"
msgstr ""
"Si sigues este método es porque has decidido utilizar el método de "
"instalación más antiguo y también el que ha sido más probado. Para empezar, "
"debes agregar las siguientes líneas a tu archivo de configuración del kernel:"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:94
#, no-wrap
msgid ""
"options BRIDGE\n"
"options IPFIREWALL\n"
"options IPFIREWALL_VERBOSE\n"
msgstr ""
"options BRIDGE\n"
"options IPFIREWALL\n"
"options IPFIREWALL_VERBOSE\n"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:97
msgid ""
"The first line is to compile the bridge support, the second one is the "
"firewall and the third one is the logging functions of the firewall."
msgstr ""
"La primera línea añade el soporte para el bridge, la segunda añade la "
"compatibilidad con el firewall y la tercera se refiere a las funciones de "
"logging del firewall."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:100
msgid ""
"Now it is necessary to build and install the new kernel.  You may find "
"detailed instructions in the extref:{handbook}[Building and Installing a "
"Custom Kernel, kernelconfig-building] section of the FreeBSD Handbook."
msgstr ""
"Ahora es necesario construir e instalar el nuevo kernel. Puedes encontrar "
"información detallada en la sección extref:{handbook}[Building and "
"Installing a Custom Kernel, kernelconfig-building] del FreeBSD Handbook."

#. type: Title ===
#: documentation/content/en/articles/filtering-bridges/_index.adoc:102
#, no-wrap
msgid "Modules Loading"
msgstr "Carga de módulos"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:105
msgid ""
"If you have chosen to use the new and simpler installation method, the only "
"thing to do now is add the following row to [.filename]#/boot/loader.conf#:"
msgstr ""
"Si has elegido usar el nuevo método de instalación (más simple), lo único "
"que debes hacer es añadir la siguiente línea a [.filename]#/boot/loader."
"conf#:"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:109
#, no-wrap
msgid "bridge_load=\"YES\"\n"
msgstr "bridge_load=\"YES\"\n"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:113
msgid ""
"In this way, during the system startup, the [.filename]#bridge.ko# module "
"will be loaded together with the kernel.  It is not required to add a "
"similar row for the [.filename]#ipfw.ko# module, since it will be loaded "
"automatically after the execution of the steps in the following section."
msgstr ""
"Así el módulo [.filename]#bridge.ko# se cargará junto con el kernel durante "
"el inicio del sistema. No es necesario añadir una línea similar para el "
"módulo [.filename]#ipfw.ko#, ya que se cargará automáticamente después de la "
"ejecución de los pasos de la siguiente sección."

#. type: Title ==
#: documentation/content/en/articles/filtering-bridges/_index.adoc:115
#, no-wrap
msgid "Final Preparation"
msgstr "Preparación final"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:121
msgid ""
"Before rebooting in order to load the new kernel or the required modules "
"(according to the previously chosen installation method), you have to make "
"some changes to the [.filename]#/etc/rc.conf# configuration file.  The "
"default rule of the firewall is to reject all IP packets.  Initially we will "
"set up an `open` firewall, in order to verify its operation without any "
"issue related to packet filtering (in case you are going to execute this "
"procedure remotely, such configuration will avoid you to remain isolated "
"from the network).  Put these lines in [.filename]#/etc/rc.conf#:"
msgstr ""
"Antes de reiniciar para cargar el nuevo kernel o los módulos requeridos (de "
"acuerdo con el método de instalación elegido anteriormente) debes realizar "
"algunos cambios en el archivo de configuración [.filename]#/etc/rc.conf#. La "
"regla predeterminada del firewall es rechazar todos los paquetes IP. "
"Inicialmente configuraremos un firewall en modo `open` para verificar que "
"funciona sin ningún problema en relación con el filtrado de paquetes (en el "
"caso de que vaya a ejecutar este procedimiento de forma remota dicha "
"configuración evitará que permanezca aislado de la red). Coloca estas líneas "
"en el archivo [.filename]#/etc/rc.conf#:"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:128
#, no-wrap
msgid ""
"firewall_enable=\"YES\"\n"
"firewall_type=\"open\"\n"
"firewall_quiet=\"YES\"\n"
"firewall_logging=\"YES\"\n"
msgstr ""
"firewall_enable=\"YES\"\n"
"firewall_type=\"open\"\n"
"firewall_quiet=\"YES\"\n"
"firewall_logging=\"YES\"\n"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:131
msgid ""
"The first row will enable the firewall (and will load the module [."
"filename]#ipfw.ko# if it is not compiled in the kernel), the second one to "
"set up it in `open` mode (as explained in [.filename]#/etc/rc.firewall#), "
"the third one to not show rules loading and the fourth one to enable logging "
"support."
msgstr ""
"La primera línea activará el firewall (y cargará el módulo [.filename]#ipfw."
"ko# si no está compilado en el kernel), la segunda lo configurará en modo "
"`open` (como se explica en el archivo [.filename]#/etc/rc.firewall#), la "
"tercera hará que no se muestren la carga de las reglas y la cuarta "
"habilitará el soporte de logging."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:137
msgid ""
"About the configuration of the network interfaces, the most used way is to "
"assign an IP to only one of the network cards, but the bridge will work "
"equally even if both interfaces or none has a configured IP.  In the last "
"case (IP-less) the bridge machine will be still more hidden, as inaccessible "
"from the network: to configure it, you have to login from console or through "
"a third network interface separated from the bridge.  Sometimes, during the "
"system startup, some programs require network access, say for domain "
"resolution: in this case it is necessary to assign an IP to the external "
"interface (the one connected to Internet, where DNS server resides), since "
"the bridge will be activated at the end of the startup procedure.  It means "
"that the [.filename]#fxp0# interface (in our case) must be mentioned in the "
"ifconfig section of the [.filename]#/etc/rc.conf# file, while the [."
"filename]#xl0# is not.  Assigning an IP to both the network cards does not "
"make much sense, unless, during the start procedure, applications should "
"access to services on both Ethernet segments."
msgstr ""
"En cuanto a la configuración de las interfaces de red la forma más utilizada "
"es asignar solo una IP a una de las tarjetas de red; el bridge funcionará "
"igualmente, aunque ambas interfaces tengan una o no tengan ninguna IP "
"configurada. En el último caso (IP-less) la máquina bridge quedará aún más "
"oculta, ya que es inaccesible desde la red. Para configurarla, debes iniciar "
"sesión desde la consola o mediante una tercera interfaz de red separada del "
"bridge. A veces durante el inicio del sistema algunos programas requieren "
"acceso a la red, por ejemplo para la resolución del dominio. En este caso es "
"necesario asignar una IP a la interfaz externa (la que está conectada a "
"Internet, donde se encuentra el servidor DNS) ya que el bridge se activará "
"al final del procedimiento de arranque. Esto significa que la interfaz [."
"filename]#fxp0# (en nuestro caso) debe añadirse en la sección ifconfig del "
"archivo [.filename]#/etc/rc.conf#, mientras que [.filename]#xl0# no. "
"Asignar una IP a ambas tarjetas de red no tiene mucho sentido, a menos que "
"durante el procedimiento de inicio las aplicaciones tengan que acceder a "
"servicios en ambos segmentos Ethernet."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:144
msgid ""
"There is another important thing to know.  When running IP over Ethernet, "
"there are actually two Ethernet protocols in use: one is IP, the other is "
"ARP.  ARP does the conversion of the IP address of a host into its Ethernet "
"address (MAC layer).  In order to allow the communication between two hosts "
"separated by the bridge, it is necessary that the bridge will forward ARP "
"packets.  Such protocol is not included in the IP layer, since it exists "
"only with IP over Ethernet.  The FreeBSD firewall filters exclusively on the "
"IP layer and therefore all non-IP packets (ARP included) will be forwarded "
"without being filtered, even if the firewall is configured to not permit "
"anything."
msgstr ""
"Hay otra cosa importante que hay que saber. Cuando se ejecuta IP over "
"Ethernet, en realidad hay dos protocolos Ethernet en uso: uno es IP, el otro "
"es ARP. ARP realiza la conversión de la dirección IP de un host a su "
"dirección de Ethernet (capa MAC). Para permitir la comunicación entre dos "
"hosts separados por el bridge, es necesario que el bridge reenvíe los "
"paquetes ARP. Dicho protocolo no está incluido en la capa IP, ya que solo "
"existe con IP over Ethernet. El firewall de FreeBSD filtra exclusivamente en "
"la capa IP y, por lo tanto, todos los paquetes no IP (ARP incluido) se "
"reenvían sin ser filtrados, aunque el firewall esté configurado para no "
"permitir nada."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:146
msgid ""
"Now it is time to reboot the system and use it as before: there will be some "
"new messages about the bridge and the firewall, but the bridge will not be "
"activated and the firewall, being in `open` mode, will not avoid any "
"operations."
msgstr ""
"Ahora es el momento de reiniciar el sistema y usarlo como antes: habrá "
"algunos mensajes nuevos sobre el bridge y el firewall, pero el bridge no se "
"activará y el firewall, en el modo `open`, no bloqueará ninguna operación."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:148
msgid ""
"If there are any problems, you should sort them out now before proceeding."
msgstr "Si hay algún problema, debes solucionarlo ahora antes de continuar."

#. type: Title ==
#: documentation/content/en/articles/filtering-bridges/_index.adoc:150
#, no-wrap
msgid "Enabling the Bridge"
msgstr "Habilitando el bridge"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:153
msgid ""
"At this point, to enable the bridge, you have to execute the following "
"commands (having the shrewdness to replace the names of the two network "
"interfaces [.filename]#fxp0# and [.filename]#xl0# with your own ones):"
msgstr ""
"En este momento para habilitar el bridge debes ejecutar los siguientes "
"comandos (no olvide reemplazar los nombres de las dos interfaces de red [."
"filename]#fxp0# y [.filename]#xl0# por las suyas):"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:159
#, no-wrap
msgid ""
"# sysctl net.link.ether.bridge.config=fxp0:0,xl0:0\n"
"# sysctl net.link.ether.bridge.ipfw=1\n"
"# sysctl net.link.ether.bridge.enable=1\n"
msgstr ""
"# sysctl net.link.ether.bridge.config=fxp0:0,xl0:0\n"
"# sysctl net.link.ether.bridge.ipfw=1\n"
"# sysctl net.link.ether.bridge.enable=1\n"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:162
msgid ""
"The first row specifies which interfaces should be activated by the bridge, "
"the second one will enable the firewall on the bridge and finally the third "
"one will enable the bridge."
msgstr ""
"La primera línea especifica qué interfaces deben ser activadas por el "
"bridge, la segunda habilitará el firewall en el bridge y finalmente la "
"tercera habilitará el bridge."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:165
msgid ""
"At this point you should be able to insert the machine between two sets of "
"hosts without compromising any communication abilities between them.  If so, "
"the next step is to add the `net.link.ether.bridge._[blah]_=_[blah]_` "
"portions of these rows to the [.filename]#/etc/sysctl.conf# file, in order "
"to have them execute at startup."
msgstr ""
"En este punto deberías poder insertar la máquina entre dos conjuntos de "
"hosts sin comprometer las habilidades de comunicación entre ellas. Si es "
"así, el siguiente paso es añadir las partes `net.link.ether.bridge."
"_[blah]_=_[blah]_` de estas filas al fichero [.filename]#/etc/sysctl.conf# "
"para que se ejecuten en el arranque."

#. type: Title ==
#: documentation/content/en/articles/filtering-bridges/_index.adoc:167
#, no-wrap
msgid "Configuring The Firewall"
msgstr "Configurando el firewall"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:177
msgid ""
"Now it is time to create your own file with custom firewall rules, in order "
"to secure the inside network.  There will be some complication in doing this "
"because not all of the firewall functionalities are available on bridged "
"packets.  Furthermore, there is a difference between the packets that are in "
"the process of being forwarded and packets that are being received by the "
"local machine.  In general, incoming packets are run through the firewall "
"only once, not twice as is normally the case; in fact they are filtered only "
"upon receipt, so rules that use `out` or `xmit` will never match.  "
"Personally, I use `in via` which is an older syntax, but one that has a "
"sense when you read it.  Another limitation is that you are restricted to "
"use only `pass` or `drop` commands for packets filtered by a bridge.  "
"Sophisticated things like `divert`, `forward` or `reject` are not "
"available.  Such options can still be used, but only on traffic to or from "
"the bridge machine itself (if it has an IP address)."
msgstr ""
"Ahora es el momento de crear tu propio archivo de configuración con las "
"reglas personalizadas del firewall para proteger la red interna. Te "
"encontrarás con algunas complicaciones porque no todas las funcionalidades "
"del firewall están disponibles en los paquetes bridge. Hay además una "
"diferencia entre los paquetes que están en proceso de reenvío y los paquetes "
"que está recibiendo la máquina local. En general, los paquetes de entrada "
"pasan por el firewall solo una vez, no dos veces, como suele ser el caso; en "
"realidad se filtran solo después de la recepción, por lo que las reglas que "
"usan `out` o `xmit` nunca coincidirán. Yo utilizo `in via`, que es una "
"sintaxis más antigua pero tiene sentido cuando la lees. Otra limitación es "
"que solo puedes usar los comandos `pass` o `drop` para los paquetes "
"filtrados por un bridge. Opciones más complejas como `divert`, `forward` o "
"`reject` no están disponibles. Estas opciones pueden seguir utilizándose, "
"pero solo en el tráfico hacia o desde la propia máquina bridge (si tiene una "
"dirección IP)."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:185
msgid ""
"New in FreeBSD 4.0, is the concept of stateful filtering.  This is a big "
"improvement for UDP traffic, which typically is a request going out, "
"followed shortly thereafter by a response with the exact same set of IP "
"addresses and port numbers (but with source and destination reversed, of "
"course).  For firewalls that have no statekeeping, there is almost no way to "
"deal with this sort of traffic as a single session.  But with a firewall "
"that can \"remember\" an outgoing UDP packet and, for the next few minutes, "
"allow a response, handling UDP services is trivial.  The following example "
"shows how to do it.  It is possible to do the same thing with TCP packets.  "
"This allows you to avoid some denial of service attacks and other nasty "
"tricks, but it also typically makes your state table grow quickly in size."
msgstr ""
"El concepto de firewall con estado se incluyó por primera vez en FreeBSD "
"4.0. Es una gran mejora para el tráfico UDP, el cual generalmente es una "
"solicitud de salida seguida poco después por una respuesta con exactamente "
"el mismo conjunto de direcciones IP y números de puerto (pero obviamente con "
"origen y destino invertidos). Con los firewalls que no mantienen el estado "
"no hay forma de lidiar con este tipo de tráfico en una única sesión. Pero "
"con un firewall que puede \"recordar\" un paquete saliente de UDP y, durante "
"los próximos minutos, permitir una respuesta el manejo de servicios UDP es "
"trivial. El siguiente ejemplo muestra cómo hacerlo. Es posible hacer lo "
"mismo con los paquetes TCP. Esto le permite evitar algunos ataques de "
"denegación de servicio y otras maldades, pero también hace que su tabla de "
"estado crezca rápidamente de tamaño."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:189
msgid ""
"Let's look at an example setup.  Note first that at the top of [.filename]#/"
"etc/rc.firewall# there are already standard rules for the loopback interface "
"[.filename]#lo0#, so we should not have to care for them anymore.  Custom "
"rules should be put in a separate file (say [.filename]#/etc/rc.firewall."
"local#) and loaded at system startup, by modifying the row of [.filename]#/"
"etc/rc.conf# where we defined the `open` firewall:"
msgstr ""
"Veamos una configuración de ejemplo. Lo primero, ten en cuenta que en la "
"parte superior del archivo [.filename]#/etc/rc.firewall# ya existen reglas "
"predeterminadas para la interfaz de loopback [.filename]#lo0#, por lo que no "
"es necesario preocuparse de ellas. Las reglas personalizadas deben colocarse "
"en un archivo separado (por ejemplo, [.filename]#/etc/rc.firewall.local#) y "
"cargarse al inicio del sistema, modificando la línea en el archivo [."
"filename]#/etc/rc.conf# donde definimos el firewall en modo `open`:"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:193
#, no-wrap
msgid "firewall_type=\"/etc/rc.firewall.local\"\n"
msgstr "firewall_type=\"/etc/rc.firewall.local\"\n"

#. type: delimited block = 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:198
msgid ""
"You have to specify the _full_ path, otherwise it will not be loaded with "
"the risk to remain isolated from the network."
msgstr ""
"Tienes que especificar la ruta _completa_, de otro modo no será cargada con "
"el riesgo de quedar aislado de la red."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:201
msgid ""
"For our example imagine to have the [.filename]#fxp0# interface connected "
"towards the outside (Internet) and the [.filename]#xl0# towards the inside "
"(LAN). The bridge machine has the IP `1.2.3.4` (it is not possible that your "
"ISP can give you an address quite like this, but for our example it is good)."
msgstr ""
"Para nuestro ejemplo imagina tener el interfaz [.filename]#fxp0# conectado "
"hacia el exterior (Internet) y el [.filename]#xl0# hacia el interior (LAN). "
"La máquina bridge tiene la IP `1.2.3.4` (no es posible que tu ISP te "
"proporcione una dirección como esta, pero para nuestro ejemplo vale)."

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:206
#, no-wrap
msgid ""
"# Things that we have kept state on before get to go through in a hurry\n"
"add check-state\n"
msgstr ""
"# Things that we have kept state on before get to go through in a hurry\n"
"add check-state\n"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:211
#, no-wrap
msgid ""
"# Throw away RFC 1918 networks\n"
"add drop all from 10.0.0.0/8 to any in via fxp0\n"
"add drop all from 172.16.0.0/12 to any in via fxp0\n"
"add drop all from 192.168.0.0/16 to any in via fxp0\n"
msgstr ""
"# Throw away RFC 1918 networks\n"
"add drop all from 10.0.0.0/8 to any in via fxp0\n"
"add drop all from 172.16.0.0/12 to any in via fxp0\n"
"add drop all from 192.168.0.0/16 to any in via fxp0\n"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:217
#, no-wrap
msgid ""
"# Allow the bridge machine to say anything it wants\n"
"# (if the machine is IP-less do not include these rows)\n"
"add pass tcp from 1.2.3.4 to any setup keep-state\n"
"add pass udp from 1.2.3.4 to any keep-state\n"
"add pass ip from 1.2.3.4 to any\n"
msgstr ""
"# Allow the bridge machine to say anything it wants\n"
"# (if the machine is IP-less do not include these rows)\n"
"add pass tcp from 1.2.3.4 to any setup keep-state\n"
"add pass udp from 1.2.3.4 to any keep-state\n"
"add pass ip from 1.2.3.4 to any\n"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:222
#, no-wrap
msgid ""
"# Allow the inside hosts to say anything they want\n"
"add pass tcp from any to any in via xl0 setup keep-state\n"
"add pass udp from any to any in via xl0 keep-state\n"
"add pass ip from any to any in via xl0\n"
msgstr ""
"# Allow the inside hosts to say anything they want\n"
"add pass tcp from any to any in via xl0 setup keep-state\n"
"add pass udp from any to any in via xl0 keep-state\n"
"add pass ip from any to any in via xl0\n"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:234
#, no-wrap
msgid ""
"# TCP section\n"
"# Allow SSH\n"
"add pass tcp from any to any 22 in via fxp0 setup keep-state\n"
"# Allow SMTP only towards the mail server\n"
"add pass tcp from any to relay 25 in via fxp0 setup keep-state\n"
"# Allow zone transfers only by the secondary name server [dns2.nic.it]\n"
"add pass tcp from 193.205.245.8 to ns 53 in via fxp0 setup keep-state\n"
"# Pass ident probes.  It is better than waiting for them to timeout\n"
"add pass tcp from any to any 113 in via fxp0 setup keep-state\n"
"# Pass the \"quarantine\" range\n"
"add pass tcp from any to any 49152-65535 in via fxp0 setup keep-state\n"
msgstr ""
"# TCP section\n"
"# Allow SSH\n"
"add pass tcp from any to any 22 in via fxp0 setup keep-state\n"
"# Allow SMTP only towards the mail server\n"
"add pass tcp from any to relay 25 in via fxp0 setup keep-state\n"
"# Allow zone transfers only by the secondary name server [dns2.nic.it]\n"
"add pass tcp from 193.205.245.8 to ns 53 in via fxp0 setup keep-state\n"
"# Pass ident probes.  It is better than waiting for them to timeout\n"
"add pass tcp from any to any 113 in via fxp0 setup keep-state\n"
"# Pass the \"quarantine\" range\n"
"add pass tcp from any to any 49152-65535 in via fxp0 setup keep-state\n"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:240
#, no-wrap
msgid ""
"# UDP section\n"
"# Allow DNS only towards the name server\n"
"add pass udp from any to ns 53 in via fxp0 keep-state\n"
"# Pass the \"quarantine\" range\n"
"add pass udp from any to any 49152-65535 in via fxp0 keep-state\n"
msgstr ""
"# UDP section\n"
"# Allow DNS only towards the name server\n"
"add pass udp from any to ns 53 in via fxp0 keep-state\n"
"# Pass the \"quarantine\" range\n"
"add pass udp from any to any 49152-65535 in via fxp0 keep-state\n"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:247
#, no-wrap
msgid ""
"# ICMP section\n"
"# Pass 'ping'\n"
"add pass icmp from any to any icmptypes 8 keep-state\n"
"# Pass error messages generated by 'traceroute'\n"
"add pass icmp from any to any icmptypes 3\n"
"add pass icmp from any to any icmptypes 11\n"
msgstr ""
"# ICMP section\n"
"# Pass 'ping'\n"
"add pass icmp from any to any icmptypes 8 keep-state\n"
"# Pass error messages generated by 'traceroute'\n"
"add pass icmp from any to any icmptypes 3\n"
"add pass icmp from any to any icmptypes 11\n"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:250
#, no-wrap
msgid ""
"# Everything else is suspect\n"
"add drop log all from any to any\n"
msgstr ""
"# Everything else is suspect\n"
"add drop log all from any to any\n"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:254
msgid ""
"Those of you who have set up firewalls before may notice some things "
"missing.  In particular, there are no anti-spoofing rules, in fact we did "
"_not_ add:"
msgstr ""
"Aquellos de vosotros que hayáis configurado firewalls antes habréis notado "
"que faltan algunas cosas. En particular, no hay reglas anti-spoofing, de "
"hecho _no_ añadimos:"

#. type: delimited block . 4
#: documentation/content/en/articles/filtering-bridges/_index.adoc:258
#, no-wrap
msgid "add deny all from 1.2.3.4/8 to any in via fxp0\n"
msgstr "add deny all from 1.2.3.4/8 to any in via fxp0\n"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:264
msgid ""
"That is, drop packets that are coming in from the outside claiming to be "
"from our network.  This is something that you would commonly do to be sure "
"that someone does not try to evade the packet filter, by generating "
"nefarious packets that look like they are from the inside.  The problem with "
"that is that there is _at least_ one host on the outside interface that you "
"do not want to ignore: the router.  But usually, the ISP anti-spoofs at "
"their router, so we do not need to bother that much."
msgstr ""
"Es decir, descarta paquetes que vienen de fuera pero que dicen que son de "
"nuestra red. Esto es algo que harías de forma habitual para intentar que "
"nadie evita el filtrado de paquetes generando paquetes malvados que parece "
"que provienen del interior. El problema con eso es que hay _al menos_ un "
"host en el interfaz exterior que no quieres ignorar: el router. Pero "
"normalmente, el ISP hace anti-spoofing en su router, así que no nos tenemos "
"que preocupar demasiado."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:267
msgid ""
"The last rule seems to be an exact duplicate of the default rule, that is, "
"do not let anything pass that is not specifically allowed.  But there is a "
"difference: all suspected traffic will be logged."
msgstr ""
"La última regla parece ser un duplicado exacto de la regla predeterminada, "
"es decir, no dejar pasar nada que no esté específicamente permitido. Pero "
"hay una diferencia: todo tráfico sospechoso será registrado."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:273
msgid ""
"There are two rules for passing SMTP and DNS traffic towards the mail server "
"and the name server, if you have them.  Obviously the whole rule set should "
"be flavored to personal taste, this is only a specific example (rule format "
"is described accurately in the man:ipfw[8] man page).  Note that in order "
"for \"relay\" and \"ns\" to work, name service lookups must work _before_ "
"the bridge is enabled.  This is an example of making sure that you set the "
"IP on the correct network card.  Alternatively it is possible to specify the "
"IP address instead of the host name (required if the machine is IP-less)."
msgstr ""
"Hay dos reglas para pasar el tráfico SMTP y DNS hacia el servidor de correo "
"y el servidor de nombres si los tienes. Obviamente el conjunto entero de "
"reglas debería estar personalizado al estilo de cada uno, esto es sólo un "
"ejemplo específico (el formato de las reglas está descrito con detalle en la "
"página de manual de man:ipfw[8]). Como alternativa es posible especificar la "
"dirección IP en lugar del nombre del host (requerido si la máquina no tiene "
"IP)."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:278
msgid ""
"People that are used to setting up firewalls are probably also used to "
"either having a `reset` or a `forward` rule for ident packets (TCP port "
"113).  Unfortunately, this is not an applicable option with the bridge, so "
"the best thing is to simply pass them to their destination.  As long as that "
"destination machine is not running an ident daemon, this is relatively "
"harmless.  The alternative is dropping connections on port 113, which "
"creates some problems with services like IRC (the ident probe must timeout)."
msgstr ""
"Quienes estén acostumbrados a configurar firewalls probablemente también "
"suelan usar una regla `reset` o `forward` para los paquetes ident (`TCP` "
"puerto 113). Por desgracia esta no es una opción válida con el bridge, por "
"lo tanto la mejor opción es simplemente pasarlos a su destino. A menos que "
"la máquina de destino esté ejecutando un demonio ident es realmente "
"inofensivo. La alternativa es eliminar las conexiones en el puerto 113, lo "
"que creará algunos problemas con servicios como IRC (el probe del ident dará "
"timeout)."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:285
msgid ""
"The only other thing that is a little weird that you may have noticed is "
"that there is a rule to let the bridge machine speak, and another for "
"internal hosts.  Remember that this is because the two sets of traffic will "
"take different paths through the kernel and into the packet filter.  The "
"inside net will go through the bridge, while the local machine will use the "
"normal IP stack to speak.  Thus the two rules to handle the different "
"cases.  The `in via fxp0` rules work for both paths.  In general, if you use "
"`in via` rules throughout the filter, you will need to make an exception for "
"locally generated packets, because they did not come in via any of our "
"interfaces."
msgstr ""
"Lo único raro que puedes haber notado es que existe una regla para permitir "
"que la máquina que hace de bridge hable y otra para los hosts internos. "
"Recuerda que esto sucede porque los dos conjuntos de tráfico tendrán "
"diferentes rutas a través del kernel y del filtro de paquetes. La red "
"interna pasará por el bridge, mientras que la máquina local utilizará el "
"stack normal de IP para hablar. Por lo tanto, cada regla se ocupa de una "
"cosa diferente. Las reglas `in via fxp0` funcionan para ambas rutas. En "
"general, si utiliza las reglas `in via` en todo el filtro, debe añadir una "
"excepción para los paquetes generados localmente, ya que no llegaron a "
"través de ninguna de nuestras interfaces."

#. type: Title ==
#: documentation/content/en/articles/filtering-bridges/_index.adoc:287
#, no-wrap
msgid "Contributors"
msgstr "Colaboradores"

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:291
msgid ""
"Many parts of this article have been taken, updated and adapted from an old "
"text about bridging, edited by Nick Sayer.  A pair of inspirations are due "
"to an introduction on bridging by Steve Peterson."
msgstr ""
"Muchas partes de este artículo han sido obtenidas, actualizadas y adaptadas "
"de un texto antiguo sobre bridging, editado por Nick Sayer. Unas cuantas "
"ideas muy inspiradoras vienen de una introducción sobre bridging que "
"escribió Steve Peterson."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:293
msgid ""
"A big thanks to Luigi Rizzo for the implementation of the bridge code in "
"FreeBSD and for the time he has dedicated to me answering all of my related "
"questions."
msgstr ""
"Mi más sincero agradecimiento a Luigi Rizzo por la implementación del código "
"de bridge en FreeBSD y por el tiempo que ha dedicado a responder todas mis "
"preguntas."

#. type: Plain text
#: documentation/content/en/articles/filtering-bridges/_index.adoc:294
msgid ""
"A thanks goes out also to Tom Rhodes who looked over my job of translation "
"from Italian (the original language of this article) into English."
msgstr ""
"Un agradecimiento también a Tom Rhodes, quien revisó mi trabajo de "
"traducción del italiano (el idioma original de este artículo) al inglés."

#~ msgid ""
#~ "include::shared/attributes/attributes-{{% lang %}}.adoc[] include::shared/"
#~ "{{% lang %}}/teams.adoc[] include::shared/{{% lang %}}/mailing-lists."
#~ "adoc[] include::shared/{{% lang %}}/urls.adoc[]"
#~ msgstr ""
#~ "include::shared/attributes/attributes-{{% lang %}}.adoc[]\n"
#~ "include::shared/{{% lang %}}/teams.adoc[]\n"
#~ "include::shared/{{% lang %}}/mailing-lists.adoc[]\n"
#~ "include::shared/{{% lang %}}/urls.adoc[]"