
RE: Setting up firewall on 2 interface within same subnet?

Hi Erich,

Thanks for your information.

Do you have any idea, if I use Proxy-ARP to route the packets on the same
subnet with an IPchains filter, or a bridge with an IPchains filter, which one
will be a good firewall solution?

I'm just a little bit confused.


-----Original Message-----
From: erich.schubert@mucl.de [mailto:erich.schubert@mucl.de]
Sent: Monday, October 23, 2000 7:14 PM
To: Jason Chan <MIS Dept.>
Cc: debian-firewall@lists.debian.org
Subject: RE: Setting up firewall on 2 interface within same subnet?

> I have a few things to clarify on configuring a firewall on the same subnet.
>
> I have 2 interfaces on this Linux box, which I am trying to configure on the
> same subnet. Is it possible? Do I need to segment them on 2 different
> subnets? Please explain if there is no possibility to install a firewall
> with 2 interfaces on the same subnet (shown below).

If you have two interfaces in the same subnet and want to "route" between
the interfaces, you need to do bridging, I think.

>                     [gateway:]
>                    /
>                  /
> ----------------------------------------------
>                  |
>                  |[interface 1:]
>           ---------
>          <LINUX-BOX>
>           ---------
>                  |[interface 2:]
> -----------------------------------------------
>                  |
>          [client] {}
>                   {gateway:}

I've had a setup like this and it was quite difficult due to some different
solutions on the internet ;)

There is a bridge+firewall howto, have a look at it.

Basically you will need a kernel patch which creates a new ipchains chain
named "bridgein". There you can define rules which deny, e.g., access to
port 137 in order to protect some Windows machines.

Furthermore you will need a small program to control the bridge in user mode.
I'm not sure whether you need your Linux box to load both ethernet cards at a
time or if loading them as modules is sufficient (see the multiple-nic-howtos
for this; it is something like adding ether=0,1,eth0 to your kernel options at

Gruß,  Erich
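The "bridgein" rules Erich mentions, written out as an added example; this is not code from the original thread or from the Bridge+Firewall HOWTO. It assumes a 2.2 kernel carrying the bridge+firewall patch (which is what adds the "bridgein" chain; an unpatched kernel rejects these commands), ipchains in $PATH, and that the Windows file-sharing ports are 137, 138 and 139 on both TCP and UDP; the port list and the choice to emit the commands instead of running them directly are assumptions of the example. The script prints the rule set so it can be reviewed, and only applies it when invoked with "apply".

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a 2.2 kernel with the
# bridge+firewall patch (provides the "bridgein" ipchains chain) and ipchains
# in $PATH. The bridge itself must already be enabled with the user-mode
# bridge control program mentioned in the thread; that step is not shown.
IPCHAINS=${IPCHAINS:-ipchains}

# NetBIOS name/datagram/session ports. Assumed list for the example: these are
# the ports a Windows machine on the inside would otherwise expose across the
# bridge to the gateway-side segment.
NETBIOS_PORTS="137 138 139"

# Emit the bridgein rule set, one command per line. The chain is only
# consulted for frames the bridge would forward, so ordinary ipchains
# input/output/forward rules for the box itself stay untouched.
bridge_rules() {
    # Flush first so re-running the script does not append duplicate rules.
    echo "$IPCHAINS -F bridgein"
    for p in $NETBIOS_PORTS; do
        # -l logs the dropped frame via the kernel log; DENY drops silently
        # (ipchains DENY, not REJECT, so no ICMP goes back to the client).
        echo "$IPCHAINS -A bridgein -p tcp --dport $p -j DENY -l"
        echo "$IPCHAINS -A bridgein -p udp --dport $p -j DENY -l"
    done
    # Everything else crosses the bridge; tighten this if the inside segment
    # needs more than Windows protection.
    echo "$IPCHAINS -A bridgein -j ACCEPT"
}

# Count of DENY rules the set will install (one per protocol per port).
deny_rule_count() {
    bridge_rules | grep -c -- '-j DENY'
}

# Apply the rules by feeding each emitted line to the shell. Only runs when
# the script is started as "sh thisscript apply", so a plain run is a dry run.
apply_rules() {
    bridge_rules | while read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
elif [ "${1:-}" = "show" ]; then
    bridge_rules
fi
```

Run it without arguments or with "show" to print the rule set, and with "apply" once the bridge is up. If ipchains reports that the bridgein chain does not exist, the kernel is not carrying the bridge+firewall patch and the rules will have nowhere to attach.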
