I want to set up a firewall that uses no IP addresses. This might be
what people also refer to as a transparent firewall, or a
packet-filtering bridge. In detail, I want the two Ethernet ports on
the firewall to not use up IP addresses from the network that is
protected by the firewall. The reason is to save IP addresses.
Here is the situation. My network at home currently has 4 real hosts,
all running Linux. It is connected to the ISP via a dial-on-demand
ISDN line, using an off-the-shelf ISDN router (in my case a WebRamp
410i). My ISP has provisioned me with a static /29 subnet (8
addresses, 5 usable), and I use static IP addresses for all hosts.
In addition, I have several internal-only use hosts (a print server
and a Windows machine which is considered too insecure to be on the
public network). Currently, they are reached by using IP aliasing on
all four hosts.
To make the situation concrete, here is my hosts file (using
hypothetical numbers and names in the .example domain):
200.1.1.0 (the publicly visible network)
200.1.1.1 gateway.example (the ISDN router to get to the ISP)
200.1.1.2 a.example (one of the four hosts)
200.1.1.3 b.example (one of the four hosts)
200.1.1.4 c.example (one of the four hosts)
200.1.1.5 d.example (one of the four hosts)
200.1.1.6 UNUSED
200.1.1.7 (the broadcast address)
192.168.1.2 a-int.example (internal alias for host a)
192.168.1.3 b-int.example (internal alias for host b)
192.168.1.4 c-int.example (internal alias for host c)
192.168.1.5 d-int.example (internal alias for host d)
192.168.1.6 printer.example (LPR/LPD print server)
192.168.1.7 windows.example (internal-only windows machine)
The network topology is simple:
ISP/ISDN <-> gateway <-> Ethernet hub <-> all hosts
Because of the use of IP aliasing (each host has two IP addresses on
the same Ethernet interface), I get away with using just one Ethernet
hub, and all the Ethernet outlets in the house are interchangeable.
There is no DNS server running on my network; the ISP's DNS server
provides DNS service for our domain. No DHCP is used for anything.
All four hosts are configured to use gateway.example as the default
gateway for everything except the two local subnets. All hosts use an
/etc/hosts file for name resolution on the local subnets.
Host a.example is a little bit of a server; it provides part-time http
and ftp service to the outside world, whenever I feel like bringing up
the ISDN link for that purpose. All four hosts can be reached via ssh
from the outside world. I really like using static IP addresses
without address translation, because it simplifies access from the
outside world.
For security reasons, I want to add a firewall to this setup. The
problem is somewhat acute, since host a.example just got hacked into
by a script kiddie who attempted to install a rootkit, and the whole
network is currently offline and being sanitized. Note that the
intrusion didn't exploit the existing servers (http, ftp or ssh) on
the hosts, but instead took advantage of a buffer overrun
vulnerability (as usual, I'm way behind in applying security patches).
I have already read the Zwicky/Cooper/Chapman and Sonnenreich/Yates
firewall books, and obtained the hardware for the firewall box (a
rackmount case, simple motherboard and slow CPU, small disk, and two
Ethernet cards). I intend to use a minimal RedHat 7 installation for
the firewall, with the kernel upgraded to 2.4.1, and the iptables
system for the firewall. I understand that OpenBSD might be
preferable, but I have zero BSD experience, and lots of Linux
experience, and I would make too many (insecure) mistakes when
configuring an OpenBSD box.
The desired network topology is still pretty simple:
ISP/ISDN <-> gateway <-> firewall <-> Ethernet hub <-> all hosts
where the firewall has two Ethernet ports, with hostnames
firewall.example (the internal port) and fw-ext.example (the unsafe
external port). I know that a DMZ for the server a.example would be
preferable, but I want to keep it simple. I have not yet started
configuring the iptables system, because ...
The big problem I'm having is how to configure the IP addresses of the
two Ethernet ports on the firewall. As you can see above, I only
have one spare IP address. And I would prefer not using that address,
in case I want to add another publicly visible host in the future.
So what I'm looking for is how to configure a bridging firewall. I've
seen a tiny amount of information on how to configure Linux to be an
Ethernet bridge (for example the "Linux STP Bridge HowTo"), but
nowhere near enough to figure out how to do it. One elementary
problem for example: What ifconfig incantation do I use to configure
the Ethernet interfaces so they listen to a certain range of
addresses, without them having an address of their own?
That brings up a small problem I would like to solve, while we are at
it. In the above configuration, it is a bit of a hassle to have to
set up IP aliasing on each of the hosts, just so they can reach the
internal-only addresses (the print server in particular). I would
like to use the firewall as a "router", in the following sense: I'd
like to configure the four hosts to use the firewall (or the ISDN
gateway?) as the default gateway for all traffic that is not on my
public 200.1.1.0/29 network. The firewall would route all traffic
between my public network and the outside world via the external port
(to the ISDN gateway), and it would route all the traffic between my
public network and the internal-only 192.168.1/24 network by putting
it right back on the internal Ethernet. How to configure that?
While we are at it, having the firewall "route" (or bridge?) to the
internal-only network would also address the last tiny problem. I had
been planning to have absolutely no network-accessible services on the
firewall machine itself. This makes it more secure, but makes
configuring and maintaining it a hassle (I always need to walk to the
basement and use a local keyboard and monitor there). To do backups
of the firewall would require carrying a SCSI tape drive downstairs,
and connecting it. But if the firewall machine has access to the
internal-only network, then I could open up services like ssh and scp
on the internal-only address for the firewall, and use that for
configuration, maintenance, and backup, without having to physically
visit the firewall. Now I'm completely confused about how to
configure things.
Any pointers would be welcome. I would love to have a concrete
example of how to at least configure a bridging firewall (with no IP
addresses of its own) before going down to configure this system.
Thanks!
The addresses in the header and in the signature are obviously fake.
The real address is my first name at lr dot the city we live in
(hyphenated) dot ca.us.
--
Ralph Becker-Szendy 735 Sunset Ridge Road, Los Gatos, CA, US.
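As an added example (not part of the original post or any reply), here is one way to build the bridging firewall the post asks for, using iproute2 and iptables on a current Linux kernel rather than the ifconfig/2.4.1 setup described above; it also gives the box a single management address on the internal-only network so that ssh/scp work without a public IP. Assumed: eth0 faces the ISDN gateway, eth1 faces the hub, and 192.168.1.1 (unused in the hosts file above) is the firewall's management address.

```shell
# Added example: transparent bridging firewall; eth0/eth1 roles and 192.168.1.1 are assumptions.
EXT=${EXT:-eth0}       # fw-ext.example side, toward the ISDN gateway
INT=${INT:-eth1}       # firewall.example side, toward the hub
BR=br0
MGMT=192.168.1.1/24    # constructed management address on the internal-only net
PRIVATE=192.168.1.0/24
PUBLIC=200.1.1.0/29
SERVER=200.1.1.2       # a.example, the only host offering http/ftp

# Every privileged command goes through run(); DRY_RUN=1 prints it instead.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

build_bridge() {
  run ip link add name "$BR" type bridge
  run ip link set "$EXT" master "$BR"
  run ip link set "$INT" master "$BR"
  # Bridge members carry no IP address: frames are switched, not routed,
  # so the two ports consume nothing from the public /29.
  for i in "$EXT" "$INT"; do run ip addr flush dev "$i"; run ip link set "$i" up; done
  run ip link set "$BR" up
  # The only address the box owns lives on the internal-only network.
  run ip addr add "$MGMT" dev "$BR"
  # Make bridged IPv4 frames traverse the iptables FORWARD chain.
  run modprobe br_netfilter
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

filter_rules() {
  run iptables -F FORWARD
  run iptables -F INPUT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 192.168.1/24 must never cross the external port in either direction.
  run iptables -A FORWARD -m physdev --physdev-in "$EXT" -s "$PRIVATE" -j DROP
  run iptables -A FORWARD -m physdev --physdev-out "$EXT" -d "$PRIVATE" -j DROP
  # Hosts on the inside may initiate anything outward.
  run iptables -A FORWARD -m physdev --physdev-in "$INT" -s "$PUBLIC" -j ACCEPT
  # Outside may only open ssh to the /29 and http/ftp to a.example
  # (ftp data connections additionally need the nf_conntrack_ftp helper).
  run iptables -A FORWARD -m physdev --physdev-in "$EXT" -d "$PUBLIC" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  run iptables -A FORWARD -m physdev --physdev-in "$EXT" -d "$SERVER" -p tcp -m multiport --dports 21,80 -m conntrack --ctstate NEW -j ACCEPT
  run iptables -P FORWARD DROP
  # Management: ssh to the firewall's own address, only via the internal port.
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -m physdev --physdev-in "$INT" -s "$PRIVATE" -d "${MGMT%/*}" -p tcp --dport 22 -j ACCEPT
  run iptables -P INPUT DROP
}
```

Run `DRY_RUN=1 sh -c '. ./fw.sh; build_bridge; filter_rules'` first to review the exact commands, then run them as root on the firewall box.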