Re: Firewall on a debian Box.

To: debian-firewall@lists.debian.org
Subject: Re: Firewall on a debian Box.
From: Giacomo Mulas <gmulas@ca.astro.it>
Date: Thu, 11 Jan 2001 16:25:44 +0100 (CET)
Message-id: <[🔎] Pine.LNX.4.21.0101111609480.6843-100000@capitanata.ca.astro.it>
In-reply-to: <[🔎] 14941.51894.283300.559324@kapi.internal>

On Thu, 11 Jan 2001, Bulent Murtezaoglu wrote:

>     erich> How transparent does this box have to be? Like a bridge
>     erich> (i.e. like your switch) or like a router?  like a router is
>     erich> easy, but you need to change settings on your existing
>     erich> router (which can be hard if you do not have access to
>     erich> it...)
> 
> Hmmm.  You could play proxy-arp tricks to eliminate this problem, I
> think.  Am I missing something?

Yes, you can play proxy-arp tricks indeed. I did it here with the
packet-filtering firewall I administer, since it had to be a
"plug-in", completely transparent solution and I used a 2.2.x Linux
kernel, in which bridging and firewalling did not mix very well at the
time. Nowadays, however, with 2.4.x kernels out, bridging and firewalling
are indeed well integrated, and it is very much easier to set up and
maintain. If I were to redo what I did 2 years ago, I would now do it with
a Linux box running a 2.4.x kernel, configured as a bridge
(i.e. completely transparent) and making use of its native netfilter
interface for packet filtering, much more efficient than ipchains (e.g. it
is stateful). You would probably just need to prepare a couple of startup
scripts, in this sequence:
- 1st clear up chains (tables in 2.4.x firewalling) and sets up a
default policy to drop all packets
- 2nd configure the bridge, adding physical interfaces to it and 
(if required) giving an IP number to the bridge interface
- 3rd set up explicit firewalling rules to only let through what
you want to let through

All of this is probably most cleanly done editing files in the
/etc/network directory in a debian system.

Bye
Giacomo

_________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it, gmulas@tiscalinet.it>
_________________________________________________________________

OSSERVATORIO  ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)
_________________________________________________________________

Reply to:

References:
- Re: Firewall on a debian Box.
  - From: Bulent Murtezaoglu <bm@acm.org>

Prev by Date: Re: Firewall on a debian Box.
Next by Date: Re: Firewall on a debian Box.
Previous by thread: Re: Firewall on a debian Box.
Next by thread: Re: Firewall on a debian Box.
Index(es):
- Date
- Thread