Bridging firewall (no IP address of its own) ?

Post by _firstname » Fri, 23 Feb 2001 07:50:09



I want to set up a firewall that uses no IP addresses.  This might be
what people also refer to as a transparent firewall, or a
packet-filtering bridge.  In detail, I want the two Ethernet ports on
the firewall to not use up IP addresses from the network that is
protected by the firewall.  The reason is to save IP addresses.

Here is the situation.  My network at home currently has 4 real hosts,
all running Linux.  It is connected to the ISP via a dial-on-demand
ISDN line, using an off-the-shelf ISDN router (in my case a WebRamp
410i).  My ISP has provisioned me with a static /29 subnet (8
addresses, 5 useable), and I use static IP addresses for all hosts.

In addition, I have several internal-only use hosts (a print server
and a windows machine which is considered too insecure to be on the
public network).  Currently, they are reached by using IP aliasing on
all four hosts.

To make the situation concrete, here is my hosts file (using
hypothetical numbers and names in the .example domain):
    200.1.1.0       (the publicly visible network)
    200.1.1.1       gateway.example (the ISDN router to get to the ISP)
    200.1.1.2       a.example (one of the four hosts)
    200.1.1.3       b.example (one of the four hosts)
    200.1.1.4       c.example (one of the four hosts)
    200.1.1.5       d.example (one of the four hosts)
    200.1.1.6       UNUSED
    200.1.1.7       (the broadcast address)
    192.168.1.2     a-int.example (internal alias for host a)
    192.168.1.3     b-int.example (internal alias for host b)
    192.168.1.4     c-int.example (internal alias for host c)
    192.168.1.5     d-int.example (internal alias for host d)
    192.168.1.6     printer.example (LPR/LPD print server)
    192.168.1.7     windows.example (internal-only windows machine)

The network topology is simple:
    ISP/ISDN <-> gateway <-> Ethernet hub <-> all hosts

Because of the use of IP aliasing (each host has two IP addresses on
the same Ethernet interface), I get away with using just one Ethernet
hub, and all the Ethernet outlets in the house are interchangeable.

There is no DNS server running on my network; the ISP's DNS server
provides DNS service for our domain.  No DHCP is used for anything.
All four hosts are configured to use gateway.example as the default
gateway for everything except the two local subnets.  All hosts use an
/etc/hosts file for name resolution on the local subnets.

Host a.example is a little bit of a server; it provides part-time http
and ftp service to the outside world, whenever I feel like bringing up
the ISDN link for that purpose.  All four hosts can be reached via ssh
from the outside world.  I really like using static IP addresses
without address translation, because it simplifies access from the
outside world.

For security reasons, I want to add a firewall to this setup.  The
problem is somewhat acute, since host a.example just got hacked into
by a script kiddie who attempted to install a rootkit, and the whole
network is currently offline and being sanitized.  Note that the
intrusion didn't exploit the existing servers (http, ftp or ssh) on
the hosts, but instead took advantage of a buffer overrun
vulnerability (as usual, I'm way behind in applying security patches).

I have already read the Zwicky/Cooper/Chapman and Sonnenreich/Yates
firewall books, and obtained the hardware for the firewall box (a
rackmount case, simple motherboard and slow CPU, small disk, and two
Ethernet cards).  I intend to use a minimal RedHat 7 installation for
the firewall, with the kernel upgraded to 2.4.1, and the iptables
system for the firewall.  I understand that OpenBSD might be
preferable, but I have zero BSD experience, and lots of Linux
experience, and I would make too many (insecure) mistakes when
configuring an OpenBSD box.

The desired network topology is still pretty simple:
    ISP/ISDN <-> gateway <-> firewall <-> Ethernet hub <-> all hosts
where the firewall has two Ethernet ports, with hostnames
firewall.example (the internal port) and fw-ext.example (the unsafe
external port).  I know that a DMZ for the server a.example would be
preferable, but I want to keep it simple.  I have not yet started
configuring the iptables system, because ...

The big problem I'm having is how to configure the IP addresses of the
two Ethernet ports on the firewall.  As you can see above, I only
have one spare IP address.  And I would prefer not using that address,
in case I want to add another publicly visible host in the future.

So what I'm looking for is how to configure a bridging firewall.  I've
seen a tiny amount of information on how to configure Linux to be an
Ethernet bridge (for example the "Linux STP Bridge HowTo"), but
nowhere near enough to figure out how to do it.  One elementary
problem for example: What ifconfig incantation do I use to configure
the Ethernet interfaces so they listen to a certain range of
addresses, without them having an address of their own?

That brings up a small problem I would like to solve, while we are at
it.  In the above configuration, it is a bit of a hassle to have to
set up IP aliasing on each of the hosts, just so they can reach the
internal-only addresses (the print server in particular).  I would
like to use the firewall as a "router", in the following sense: I'd
like to configure the four hosts to use the firewall (or the ISDN
gateway?) as the default gateway for all traffic that is not on my
public 200.1.1.0/29 network.  The firewall would route all traffic
between my public network and the outside world via the external port
(to the ISDN gateway), and it would route all the traffic between my
public network and the internal-only 192.168.1/24 network by putting
it right back on the internal ethernet.  How to configure that?

While we are at it, having the firewall "route" (or bridge?) to the
internal-only network would also address the last tiny problem.  I had
been planning to have absolutely no network-accessible services on the
firewall machine itself.  This makes it more secure, but makes
configuring and maintaining it a hassle (need to always walk to the
basement, and use a local keyboard and monitor there).  To do backups
of the firewall would require carrying a SCSI tape drive downstairs,
and connecting it.  But if the firewall machine has access to the
internal-only network, then I could open up services like ssh and scp
on the internal-only address for the firewall, and use that for
configuration, maintenance, and backup, without having to physically
visit the firewall.  Now I'm completely confused about how to
configure things.

Any pointers would be welcome.  I would love to have a concrete
example of how to at least configure a bridging firewall (with no IP
addresses of its own) before going down to configure this system.

Thanks!

The addresses in the header and in the signature are obviously fake.
The real address is my first name at lr dot the city we live in
(hyphenated) dot ca.us.

--
Ralph Becker-Szendy        735 Sunset Ridge Road, Los Gatos, CA, US.


Post by reader.news.uu.ne » Fri, 23 Feb 2001 10:21:44


I'm curious to hear the answer to this as well..

Here's my situation..

I have a 128IP block coming into a DSL router doing NAT to the internal
network...

Without messing with routes and/or changing any network configs..I want to
insert a bridge/transparent firewall on-the-wire between the internal side
of the DSL and the switch with the rest of the network..

The main reason is so I can fubar that machine, unplug it if necessary and
the network just keeps going..no config changes needed to the servers or to
the DSL router....essentially, a packet sniffer / forwarder / blocker

Oh..BTW..I AM using FreeBSD currently...but the same concepts would
apply...plus i need an excuse to try the new SuSE 7.1 w/ the 2.4.x kernel...

-=Chris


Post by Dave Wei » Sun, 25 Feb 2001 03:00:48


I just wrote up something that may help you. It does need a single IP,
but you have one free. It's at
http://www.veryComputer.com/

dave


--
Dave Weis

http://www.veryComputer.com/

Post by Justin Mah » Fri, 20 Apr 2001 08:10:12


Is this the web page you put up?

Request Error
invalid command name "ns_sha1"
    while executing
"ns_sha1 "[ns_time][ns_rand]$start_clicks$request$tcl_sec_seed""
    (procedure "sec_random_token" line 25)
    invoked from within
"sec_random_token"
    (procedure "ad_assign_session_id" line 6)
    invoked from within
"ad_assign_session_id"

--------------------------------------------------------------------------------

webmas...@sjdjweis.com

"Dave Weis" <djw...@businessolver.com> wrote in message

news:3A96A550.FB5CF96D@businessolver.com...

> I just wrote up something that may help you. It does need a single IP,
> but you have one free. It's at
> http://www.sjdjweis.com/linux/proxyarp/index.html

> dave

> _firstname_@lr_dot_los-gatos_dot_ca.us wrote:


> --
> Dave Weis
> djw...@businessolver.com
> http://www.businessolver.com/


1. bridging problem -- bridge needs IP address

Hi everyone,

I tried to set up a bridge with my Fedora Core 3, kernel
2.6.10-1.741_FC3. I entered the following commands:

# ifconfig eth0 promisc up
# ifconfig eth1 promisc up
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# ifconfig br0 up

It was possible to create the bridge, but there is a problem: the
bridge doesn't forward traffic until I assign an IP address to the
interface br0. But that's not what I want.
Any ideas?

Greetings

Peter
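Both Ralph's request for a concrete bridging-firewall configuration with no address of its own (and his wish for an ssh-reachable address on the internal-only network) and Peter's brctl sequence above ask for the same thing, so here is one worked script as an added example. It is not code from any poster in the thread. It assumes eth0 is the external NIC (towards gateway.example), eth1 the internal NIC (towards the hub), br0 the bridge, 192.168.1.1/24 a free internal-only address, and a modern toolchain (iproute2, iptables with the physdev and conntrack matches, the br_netfilter module) rather than the 2.4.1-era brctl tooling the posts mention; the address numbers are the hypothetical ones from Ralph's hosts file.

```shell
#!/bin/sh
# Added example, not from the thread: a transparent (bridging) firewall that
# forwards the public 200.1.1.0/29 between ISDN gateway and hub without taking
# a public address, plus an optional management address on 192.168.1.0/24.
# Assumed names: eth0 = external NIC, eth1 = internal NIC, br0 = bridge.
#
#   sh bridge-fw.sh plan    # print the commands (no root needed)
#   sh bridge-fw.sh apply   # execute them (root)

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
BR="${BR:-br0}"
PUBLIC_NET="${PUBLIC_NET:-200.1.1.0/29}"     # hypothetical numbers from the post
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"       # the internal-only network
MGMT_ADDR="${MGMT_ADDR:-192.168.1.1/24}"     # assumed free address for the firewall
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Enslave both NICs to a bridge.  Note there is no 'ip addr add' for the
# public network on eth0, eth1 or br0: the box has no layer-3 presence there.
bridge_setup() {
    run ip link add name "$BR" type bridge
    # With STP on, a port sits in listening/learning for forward_delay
    # (15 s by default) before it passes a single frame, which looks exactly
    # like "the bridge does not forward".  A two-port firewall cannot form a
    # loop, so disable STP and the delay.
    run ip link set dev "$BR" type bridge stp_state 0 forward_delay 0
    run ip link set dev "$EXT_IF" master "$BR"
    run ip link set dev "$INT_IF" master "$BR"
    run ip link set dev "$EXT_IF" up
    run ip link set dev "$INT_IF" up
    run ip link set dev "$BR" up
    # Bridged frames bypass iptables unless br_netfilter hands them over.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Bridged traffic traverses FORWARD; the physdev match tells us which port
# a frame entered on, which is how an addressless box knows "inside" from
# "outside".  Frames between hosts on the hub never cross the bridge at all.
firewall_rules() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # From the gateway side: only the services the post says the hosts expose.
    run iptables -A FORWARD -m physdev --physdev-in "$EXT_IF" -d "$PUBLIC_NET" \
        -p tcp -m multiport --dports 21,22,80 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$EXT_IF" -p icmp -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$EXT_IF" \
        -m limit --limit 5/min -j LOG --log-prefix "bridgefw-drop: "
    # From the hub: let the public hosts out.  Anything sourced from the
    # internal-only 192.168.1.0/24 falls through to the DROP policy.
    run iptables -A FORWARD -m physdev --physdev-in "$INT_IF" -s "$PUBLIC_NET" -j ACCEPT
}

# Optional: an address on the internal-only network for ssh/scp/backups.
# At layer 2 that address is reachable from BOTH ports, so INPUT must insist
# on the internal port as well as the internal source range.
management_access() {
    run ip addr add "$MGMT_ADDR" dev "$BR"
    run iptables -F INPUT
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m physdev --physdev-in "$INT_IF" -s "$MGMT_NET" \
        -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-}" in
    plan)  DRY_RUN=1; bridge_setup; firewall_rules; management_access ;;
    apply) bridge_setup; firewall_rules; management_access ;;
esac
```

Run it with `plan` first and read the command list; `apply` needs root and live interfaces. On brctl-era systems the two bridge settings correspond to `brctl stp br0 off` and `brctl setfd br0 0`. Leave `management_access` out entirely if, like Ralph's original plan, the firewall should answer nobody; with it in, the physdev restriction in INPUT is what keeps the management address from being a door on the external side.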
