Re: Transparent bridge firewall with bridge-nf
On Thu, 2003-10-30 at 08:53, Norbert Preining wrote:
> Our bridge/fw was running 160 days with code from there. Now I have
> installed a new kernel (2.4.22) with the current ebtables code
> (ebtables.sf.net) which can do even more, although I don't need it. But
> ebtables is the code in 2.6 and actively maintained, while the
> bridge.sf.net code is not maintained anymore.
> Go for it. It is easy, one patch. And then you can do ALL (contrary to
> the opinion of another reply) you can do with iptables on the forward
> table.
That's what I thought. In fact I've got a test setup going where I use
iptables exclusively. The ebtables code for filtering on the link layer
sounds nice but I don't see any need for that. What makes the bridge
setup appealing to me is that I can simplify the routing tables. The
network looks something like this (excuse my pitiful ASCII art
skills):
                      ----------------
                      |   Internet   |
                      ----------------
                             |
                      ------------------
 -.-.-.-.-.-.-.-.-.-.-|     Campus     |
 |                    | abc.def.0.0/16 |
 .                    ------------------
 |                           |
 .    ........------------...........................
 |    .       |  Bridge  |                          .
 .    .       ------------                          .
 __|__        ----      |                           .
/     \    tr0|  |eth0  |                           .
|      |------|F |------+-- LAN (abc.def.131.0/24)  .
|      |      |W |                                  .
\_____/       ----                                  .
abc.def.130.0/24 .                                  .
      ...............................................
Everything inside the dotted rectangle is our network. The people on the
left (abc.def.130.0/24) are an associated institute and we share some
servers. Both we and they have gateways to the campus network, which
obviously creates a loop (along the dash-dotted line). Could this call
for trouble?
> The one obvious advantage is that the bridge doesn't have an IP address
> Well, not necessarily. Ours has an IP address, but is completely closed
> from the outside, while I can log in from the inside.
Well, obviously you will need an IP to do remote administration of the
machine, but we have a physically separate private net for that. So the
bridge will get a third NIC with a 192... IP address and an ssh server
listening on that interface. But the bridge interface itself won't have
an IP.
And for something actually Debian-related: Do you know of a woody
backport of the ebtables package? Although I don't need it right away,
some of the things described on ebtables.sf.net sound like they could
come in handy sometime.
Cheers,
Ben
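As an added illustration of the design Ben describes (not part of the original thread): an iptables-restore ruleset for a 2.4 bridge-nf box where br0 bridges tr0 and eth0 without any IP address, and a third NIC carries the only ssh access. The bridge name br0, the management interface eth1 and the 192.168.200.0/24 management net are assumptions; the per-port FORWARD policy is illustrative.

```shell
#!/bin/sh
# Added example: ruleset for a transparent bridge firewall whose bridged
# ports (tr0, eth0) carry no IP, with ssh reachable only via a separate
# management NIC. Interface names and the management net are assumptions.
MGMT_IF=eth1                  # assumed third NIC on the private admin net
MGMT_NET=192.168.200.0/24     # constructed management network

# Emits the ruleset in iptables-restore format so it can be inspected first
# and then loaded with: bridge_fw_rules | iptables-restore
# (after: brctl addbr br0; brctl addif br0 tr0; brctl addif br0 eth0)
bridge_fw_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Host stack: loopback plus ssh and ping from the management net only.
# Anything reaching INPUT via the address-less bridge is dropped by policy.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $MGMT_IF -s $MGMT_NET -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $MGMT_IF -s $MGMT_NET -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $MGMT_IF -d $MGMT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Bridged traffic: with bridge-nf it passes the FORWARD chain, so the
# usual iptables matches apply; physdev selects the physical bridge port.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m physdev --physdev-in eth0 --physdev-out tr0 -m state --state NEW -j ACCEPT
-A FORWARD -m physdev --physdev-in tr0 --physdev-out eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "bridge-fw drop: "
COMMIT
EOF
}
```

Loading the ruleset requires root and the physdev match from the bridge-nf patch; generating it does not, which is why it is wrapped in a function.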