Re: [SLUG] Bridging Firewall

From: Ian C. Blenke (icblenke@nks.net)
Date: Thu Jun 19 2003 - 17:13:39 EDT


On Thursday 19 June 2003 12:58, Andrew M Hoerter wrote:
> On Thu, 19 Jun 2003, Ian C. Blenke wrote:
> > As the bridging happens *before* your firewall's IP stack gets ahold of
> > the frames, all "external" traffic will show up on the "internal"
> > network.
>
> Er... if that's true of Linux iptables+bridging, then Linux makes a
> piss-poor bridging firewall.

Eh? Even with ebtables? A standard distro with a vanilla kernel, sure. I'm not
much of one for vanilla kernels though ;)

> The whole point of a "transparent" firewall is that the firewall software
> *does* inspect the packets before bridging them. Otherwise, what's the
> use?

Right. Unfortunately, iptables only applies to things that go through the IP
stack unless you patch it. You probably want to use ebtables which is nothing
more than the newest form of the old bridge.sf.net patch.

> I do agree that bridging isn't necessarily called for here, but there's
> nothing wrong with it either. If you can manage your firewall without it
> having an IP address, so much the better for security.

Ah. A "transparent" bridging firewall. Yeah, I've done this with an OpenBSD box
before, and I've even fiddled with hogwash (though not the new native snort
support). I've not tried this with Linux+ebtables yet, but it might be worth
playing with :)

The idea of an invisible firewall/IDS filtering traffic is a neat one -
nothing to portscan, nothing directly addressable to hack.

-- 
- Ian C. Blenke <icblenke@nks.net>

(This message bound by the following: http://www.nks.net/email_disclaimer.html)
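A worked example of the transparent, no-IP ebtables bridge discussed in this message, added here as an illustration rather than anything from the thread's authors. Interface names (eth0 outside, eth1 inside, br0), the protected host 192.0.2.10 and port 80 are constructed; it assumes the classic brctl/ebtables command syntax, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Transparent (no-IP) ebtables bridge in front of one published web server.
# Constructed names: eth0 outside, eth1 inside, br0 bridge, server 192.0.2.10.
OUTSIDE=${OUTSIDE:-eth0}
INSIDE=${INSIDE:-eth1}
BRIDGE=${BRIDGE:-br0}
SERVER_IP=${SERVER_IP:-192.0.2.10}
SERVER_PORT=${SERVER_PORT:-80}

# Bridge setup: no IP address on the members or on br0 itself, so the
# firewall has nothing to portscan and nothing directly addressable.
bridge_commands() {
    cat <<EOF
brctl addbr $BRIDGE
brctl addif $BRIDGE $OUTSIDE
brctl addif $BRIDGE $INSIDE
ip addr flush dev $OUTSIDE
ip addr flush dev $INSIDE
ip link set $OUTSIDE up
ip link set $INSIDE up
ip link set $BRIDGE up
EOF
}

# Layer-2 filtering. INPUT/OUTPUT see frames to/from the bridge's own MAC
# (dropped: manage the box from the console). FORWARD sees bridged frames,
# which unpatched iptables never does. ebtables is stateless, so this policy
# fits only a host serving one port: requests in, replies out, ARP both ways.
ebtables_rules() {
    cat <<EOF
ebtables -F
ebtables -P INPUT DROP
ebtables -P OUTPUT DROP
ebtables -P FORWARD DROP
ebtables -A FORWARD -p ARP -j ACCEPT
ebtables -A FORWARD -i $OUTSIDE -o $INSIDE -p IPv4 --ip-proto tcp --ip-dst $SERVER_IP --ip-dport $SERVER_PORT -j ACCEPT
ebtables -A FORWARD -i $INSIDE -o $OUTSIDE -p IPv4 --ip-proto tcp --ip-src $SERVER_IP --ip-sport $SERVER_PORT -j ACCEPT
EOF
}
# Sanity check for a default-drop policy: how many rules permit anything?
accept_rule_count() { ebtables_rules | grep -c -- '-j ACCEPT'; }
# Dry run by default; APPLY=1 executes (needs root, brctl and ebtables).
if [ "${APPLY:-0}" = "1" ]; then
    bridge_commands | sh -e
    ebtables_rules | sh -e
else
    bridge_commands
    ebtables_rules
fi
```

Anything stateful (outbound client traffic from the protected host, ephemeral return ports) is beyond ebtables on its own and needs the bridge-nf style patch the message mentions so iptables can see the bridged frames.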



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:07:42 EDT