Re: [SLUG] Bridging Firewall

From: Ian C. Blenke (icblenke@nks.net)
Date: Fri Jun 20 2003 - 10:17:21 EDT


On Friday 20 June 2003 05:56, btt@nethouse.com wrote:
> The reason the whole bridge thing came up is because the default
> gateway for the public network is ISP-provided and is a node on the
> public network. So I didn't see any way to put any type of regular
> firewall between our public servers and the ISP's gateway. I
> figured a bridge would be the way to go (?). Plus, since the public
> network is switched, tcpdump is useless for unicast traffic analysis,
> but with the bridge in place, tcpdump on br0 picks up everything.

Why not statically NAT? Renumber the "public network" machines to a private
network range, set up aliased interfaces on the firewall for the old public IP
addresses, and add an iptables DNAT/SNAT rule for each mapping.

To the outside world, your "public servers" will appear to have public IP
addresses. Behind your firewall, your servers will have private IP addresses.
Setting up static iptables rules to do this is really very simple.

This will work for most public server setups (web servers, etc). Some TCP/UDP
protocols (i.e., Tribes2, other game servers, VoIP SIP/H.323, etc) embed IP
addresses within the protocols themselves, breaking any hope of NAT without
active masquerading modifying the data content on the fly. In this case, a
transparent bridging firewall would save some headache.

In a NAT configuration, you can run tcpdump on eth0 and sniff all traffic to
the servers just as easily as with the bridge setup.

-- 
- Ian C. Blenke <icblenke@nks.net>

(This message bound by the following: http://www.nks.net/email_disclaimer.html)
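The static 1:1 NAT layout Ian describes, written out as an added example that is not part of the original post. It generates the alias, DNAT, SNAT and FORWARD rules for a small mapping table and applies them only when asked. The interface names (eth0 toward the ISP gateway, eth1 toward the servers), the 203.0.113.x/192.168.10.x addresses and the port lists are constructed for illustration; `ip addr replace` is used in place of the ifconfig-style `eth0:N` alias, and the FORWARD policy is set to DROP so that only the listed ports reach each server.

```shell
#!/bin/sh
# Added example (not the original poster's code): static 1:1 NAT with iptables.
# Every interface name, address and port below is an assumption for illustration.
# Usage: sh static-nat.sh          # print the commands that would run
#        sh static-nat.sh --apply  # run them (needs root)

WAN_IF=eth0   # assumed: interface on the ISP-provided public segment
LAN_IF=eth1   # assumed: interface on the renumbered private server segment

# Constructed mapping table: "old_public_ip new_private_ip allowed_tcp_ports"
MAPPINGS='
203.0.113.10 192.168.10.10 80,443
203.0.113.11 192.168.10.11 25
'

nat_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -F"
    echo "iptables -F FORWARD"
    # Default deny on forwarded traffic; replies to accepted flows come back
    # through conntrack, and DNAT reverse translation is automatic.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$MAPPINGS" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        # Keep the old public address on the WAN side so the firewall answers
        # ARP for it (the "aliased interface" from the post, iproute2 style).
        echo "ip addr replace $pub/32 dev $WAN_IF"
        # Inbound: rewrite the public destination to the private server.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
        # Outbound: connections the server opens leave as its old public IP.
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
        # Only the listed TCP ports may be opened toward the server from outside.
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $priv -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
        # The server may initiate outbound connections.
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $priv -m conntrack --ctstate NEW -j ACCEPT"
    done
}

if [ "$1" = "--apply" ]; then
    nat_rules | sh -e
else
    nat_rules
fi
```

Run without arguments to review the rule set before touching a live firewall. For the protocols Ian flags as NAT-hostile (FTP, SIP, H.323), Linux ships conntrack/NAT helper modules such as nf_nat_ftp, nf_nat_sip and nf_nat_h323 that rewrite the embedded addresses; they cover common cases but not every game protocol, which is where the bridging alternative in the post still applies.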



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:09:37 EDT