Re: [SLUG] Bridging Firewall

From: SpamFree (SpamFree@tampabay.rr.com)
Date: Thu Jun 19 2003 - 08:34:40 EDT


On Thursday June 19 2003 08:00 am, you wrote:
> Hello all...
>
> At work, we just had an ISP change and consequently a network IP range
> change. For the old setup, we had a full class C network with a
> firewall router as the gateway for both our private 192. network and
> our public network. Now, we have a /25 (128 IPs) and the ISP has
> installed a router in place of ours, so our private network still uses
> the linux firewall router we had before, but our public network's
> gateway is the new, unfirewalled ISP provided router (I hope that's
> clear, there.)
>
> before:
> 2/-(nat)-(private network)
> (internet)--1(our linux router)
> 0\-(public network)
>
> after:
> /-1(our linux router)2-(priv.net)
> (internet)--(ISP router)-|switch|
> \\\-(public network)
>
> (the numbers at connection points are ethX's)
>
> I was thinking about how to still keep both the public network and
> private network firewalled with the new setup, and it seems that
> enabling bridging in the linux router and setting up a bridging
> firewall would be a viable solution... especially since we're left
> with eth0 unused at the moment in the router.
>
> So what I'm thinkin' is this:
> ///-(public network)
> (internet)--(ISP router)--1(linux router)2-|switch|
> 0\
> \-(priv.net)
>
> where eth1 and eth2 are bound into one bridge interface. Supposedly,
> iptables would still see the packets being forwarded across the bridge
> and be able to do policy on them... just not exactly sure where...
>
> Well, I'm pretty optimistic about this, and I think I'm gonna try
> it. The kernel in the linux router has been recompiled with bridging
> enabled and the userspace bridge tools have been installed. I guess
> I'll try it unfirewalled first to see if the bridge even holds up,
> then start adding some policies and see what happens.
>
> So... if any network gurus have some comments (like "that's insane!")
> then feel free to speak up, if not then I'll post the detailed results
> later as maybe they could be useful.

There is nothing insane about it, provided you get the configuration right.
Many commercial firewalls can be configured as bridging firewalls. The
Watchguard Firebox is one such firewall. Watchguard is based on the Linux
2.0.36 kernel, so obviously Linux is up to the task.
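As an added example (not a script from either poster), here is one way to write down the proposed "after" layout: eth1 and eth2 joined in br0, with policy applied in the iptables FORWARD chain through the physdev match, which is the "where" the original poster was unsure about. Interface names, the placeholder /25 and the admin host are assumptions; the br_netfilter/sysctl lines are what current kernels need in place of the bridge-nf patch that 2.4 kernels required.

```shell
#!/bin/sh
# Added example for the thread's proposed layout; not the poster's script.
# Assumed names: eth1 = link to the ISP router, eth2 = switch feeding the
# public /25, eth0 = private network (stays routed + NATed as before).
# Frames crossing br0 are seen by iptables in FORWARD once bridge-netfilter
# is on; the physdev match says which bridge port a frame entered/leaves.
UPLINK=eth1
PUBLIC=eth2
BRIDGE=br0
PUBLIC_NET="203.0.113.0/25"   # constructed placeholder for the real /25
ADMIN_HOST="203.0.113.10"     # constructed: the one host reachable on ssh

# Emit the commands instead of running them, so the plan can be reviewed
# (and checked) without root or the real interfaces.
bridge_firewall_cmds() {
    cat <<EOF
brctl addbr $BRIDGE
brctl addif $BRIDGE $UPLINK
brctl addif $BRIDGE $PUBLIC
ip link set $UPLINK up
ip link set $PUBLIC up
ip link set $BRIDGE up
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $PUBLIC --physdev-out $UPLINK -s $PUBLIC_NET -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $UPLINK --physdev-out $PUBLIC -d $PUBLIC_NET -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $UPLINK --physdev-out $PUBLIC -d $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $UPLINK --physdev-out $PUBLIC -m limit --limit 5/min -j LOG --log-prefix "bridge-drop: "
EOF
}

# Number of bridged (physdev) rules the plan would install.
physdev_rule_count() {
    bridge_firewall_cmds | grep -c -- '-m physdev'
}

# Run the plan for real: each command is echoed first and the first
# failure stops the run. Only meaningful as root on the router itself.
apply_bridge_firewall() {
    bridge_firewall_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_bridge_firewall
fi
```

iptables only ever sees IP traffic on the bridge; ARP and other non-IP frames cross br0 untouched unless ebtables rules are added, and the private side on eth0 keeps its existing routed/NAT rules.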



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:00:36 EDT