Re: [SLUG] Bridging Firewall

From: btt@nethouse.com
Date: Fri Jun 20 2003 - 05:56:55 EDT


On Thu, Jun 19, 2003 at 12:40:44PM -0400, Ian C. Blenke wrote:
> On Thursday 19 June 2003 10:52, btt wrote:
> > Everything works fine, but I've found no way to inspect packets
> > with iptables/netfilter based on destination IP address. I found a
> > patch from the bridge.sourceforge.net site and applied it, but
> > haven't had a chance to reboot and re-set-up everything. But it
> > claims to work, so we'll see.

> Bridging and IP typically don't mix.. unless you're looking for
> something like a brouter (or IP switch).
>
> What you really want to use is ebtables:
>
> http://ebtables.sourceforge.net/
>
> This way, you can bridge the traffic you wish to pass through (ie,
> IPX, LAT, Appletalk, other) based on MAC ACLs and IP route traffic
> without letting the ethernet frames "leak" through to both sides.

I tried that, but the patch wouldn't compile. It seems like a 2.5.x
feature that's being backported to the 2.4.x series. It sure sounds
cool, but I think I'll hold off on that till after they release a
couple 2.6's.

> If you're only using IP, there's no real need to bridge here (that I
> can see). Perhaps I'm just not getting your ASCII diagrams or
> description of the problem you're trying to solve.

Here's a better diagram:

+----------+
| INTERNET |---[ ISP ROUTER ]
+----------+          /
                    eth0
                    /
       [br0|BRIDGING ROUTER]-eth2--[SWITCH]
                    \                ||||||
                   eth1          [PRIVATE NET]
                    |
                [SWITCH]
                 ||||||
            [PUBLIC SERVERS]

ISP router, e.g. 10.0.0.129
br0, e.g. 10.0.0.130
public net, e.g. 10.0.0.128/25
private net, e.g. 192.168.10.0/24

The reason the whole bridge thing came up is because the default
gateway for the public network is ISP-provided and is a node on the
public network. So I didn't see any way to put any type of regular
firewall between our public servers and the ISP's gateway. I
figured a bridge would be the way to go (?). Plus, since the public
network is switched, tcpdump is useless for unicast traffic analysis,
but with the bridge in place, tcpdump on br0 picks up everything.

Thanks,
Bill
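The setup Bill describes, written out as a shell script. This is an added example, not a script from the thread or from the ebtables/bridge projects. It assumes the addresses and interface roles in the diagram (eth0 to the ISP router, eth1 to the public server switch, eth2 to the private net, br0 at 10.0.0.130/25, default gateway 10.0.0.129) and one constructed public server address, 10.0.0.140. Where the original poster needed the bridge-nf patch on 2.4 to get bridged frames into iptables, the script uses the br_netfilter module and the physdev match that later kernels ship with. DRY_RUN=1 prints each command instead of running it, so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Bridging firewall for the layout in the thread (constructed example).
# Interfaces and addresses are assumptions taken from the ASCII diagram;
# PUBLIC_WEB is a constructed example host on the public /25.
BRIDGE=br0
ISP_IF=eth0
PUBLIC_IF=eth1
PRIVATE_IF=eth2
BRIDGE_IP=10.0.0.130/25
ISP_GW=10.0.0.129
PUBLIC_NET=10.0.0.128/25
PRIVATE_NET=192.168.10.0/24
PRIVATE_GW=192.168.10.1/24
PUBLIC_WEB=10.0.0.140

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build br0 from the ISP-facing and public-facing ports, give the box its
# own address on the public net, and route the private net through eth2.
bridge_setup() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$ISP_IF" master "$BRIDGE"
    run ip link set "$PUBLIC_IF" master "$BRIDGE"
    run ip link set "$ISP_IF" up
    run ip link set "$PUBLIC_IF" up
    run ip addr add "$BRIDGE_IP" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
    run ip route add default via "$ISP_GW"
    run ip addr add "$PRIVATE_GW" dev "$PRIVATE_IF"
    run ip link set "$PRIVATE_IF" up
    # Hand bridged IPv4 frames to iptables (the job of the bridge-nf patch on 2.4).
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run sysctl -w net.ipv4.ip_forward=1
}

# Filter bridged traffic by destination IP, NAT the private net, and keep
# non-IP ethertypes from leaking across the bridge.
firewall_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internet -> public servers: only what each server is meant to expose.
    run iptables -A FORWARD -m physdev --physdev-in "$ISP_IF" --physdev-out "$PUBLIC_IF" \
        -d "$PUBLIC_WEB" -p tcp --dport 80 -j ACCEPT
    # Public servers -> Internet: anything they originate from their own subnet.
    run iptables -A FORWARD -m physdev --physdev-in "$PUBLIC_IF" --physdev-out "$ISP_IF" \
        -s "$PUBLIC_NET" -j ACCEPT
    # Private net -> Internet via the bridge address, source-NATed.
    run iptables -A FORWARD -i "$PRIVATE_IF" -o "$BRIDGE" -s "$PRIVATE_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$PRIVATE_NET" -o "$BRIDGE" -j SNAT \
        --to-source "${BRIDGE_IP%/*}"
    # Log what the default policy drops so the rule set can be tuned from the logs.
    run iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "bridge-fw drop: "
    # Layer 2: bridge only IPv4 and ARP frames; everything else stops here.
    run ebtables -P FORWARD DROP
    run ebtables -A FORWARD -p ARP -j ACCEPT
    run ebtables -A FORWARD -p IPv4 -j ACCEPT
}

case "${1:-}" in
    apply) bridge_setup; firewall_rules ;;
    show)  DRY_RUN=1 bridge_setup; DRY_RUN=1 firewall_rules ;;
esac
```

Run it as `sh bridge-fw.sh show` to print the command list, and `sh bridge-fw.sh apply` as root to configure the box. The physdev match is what makes the destination-IP filtering work on bridged traffic: the packet never leaves the bridge, so `-i`/`-o` alone would only see br0, while `--physdev-in`/`--physdev-out` name the physical port on each side. Because br0 itself holds 10.0.0.130, the same box also routes the private net, which is the "brouter" arrangement Ian mentions.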

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:09:04 EDT