Re: Firewall Related Question
Using kernel 2.2, I run a bridge that handles packet filtering with
ipchains.
Patches are available here:
http://www.ac2i.tzo.com/bridge_filter/
James wrote:
>
> That link might help...
> http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html
>
> - James
>
> -----Original Message-----
> From: Alson van der Meulen [mailto:alson@flutnet.org]
> Sent: Monday, October 22, 2001 1:31 PM
> To: Debian Security List
> Subject: Re: Firewall Related Question
>
> On Mon, Oct 22, 2001 at 10:17:59AM -0700, tony mancill wrote:
> > I'd recommend the former (firewalling on each server). This will let you
> > customize the firewall for that server alone, and spread the packet
> > filtering load and logging. Also, with no access to the Cisco box, you'd
> > have to either MASQ or SNAT with proxy arps if you do insert a firewall
> > into the packet path to get the traffic to cross the firewall. (The Cisco
> > is going to assume that the subnet with the DMZ address space is still
> > directly attached.)
> With FreeBSD/OpenBSD, you could use a packet filtering bridge (quite nice
> IMO), put two ethernet cards in a box, one to cisco, second to switch
> with Debian servers, no need for an IP address at the bridge, just
> bridge and firewall.
>
> I'm not sure if Linux can do this, maybe there are some patches for
> iptables to do it?
>
> > On Mon, 22 Oct 2001, James wrote:
> >
> > > Yes, you could definitely do a firewall on each server.
> > >
> > > Also, have you considered setting up a 4th machine between the Cisco and
> > > 3 servers? That could work also. You wouldn't make it a masq box, just
> > > configure it to pass packets based on the rules.
> > >
> > > - James
> > >
> > > -----Original Message-----
> > > From: Alson van der Meulen [mailto:alson@flutnet.org]
> > > Sent: Monday, October 22, 2001 6:58 AM
> > > To: Debian Security List
> > > Subject: Re: Firewall Related Question
> > >
> > >
> > > On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> > > > I've got some simple questions related to using a Firewall on
> > > > some single public Debian Boxes, I chose to post my questions
> > > > here because I always have security in mind during the development
> > > > time of my Network Services.
> > > >
> > > > Let me assume I've got a simple Network with 3 Public Debian
> > > > Servers and 1 Cisco Router (Internet Gateway).
> > > >
> > > > The router belongs to my Connection ISP so I can't configure it,
> > > > but only use it for Internet connectivity.
> > > >
> > > > The 3 Debian Boxes are under my full control.
> > > >
> > > > The best way to protect my Debian Servers would be to install
> > > > a Firewall on my Gateway (Cisco Router) but actually I can't,
> > > > so my question is: Can I install a Firewall on each of my Debian
> > > > Boxes to filter/block incoming and outgoing Network Traffic ?
> > > >
> > > > Is this a good choice ? or should I put another machine in my
> > > > Network, between the Gateway and the Servers, which acts as Firewall ?
> > > You can just configure a packet filter on all your servers, the main
> > > disadvantage is that it's more difficult to administer
> --
> ,-------------------------------------------.
> > Name: Alson van der Meulen <
> > Personal: alson@flutnet.org <
> > School: alson@gymnasiumleiden.nl <
> `-------------------------------------------'
> I remember the last time I saw it do that...
> ---------------------------------------------
J.R. Blain
http://www.clockmedia.com/
--
Real programmers use chmod +x /dev/random and cross their fingers
-- Comment found in a vi/emacs flamewar on slashdot.
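As an added example (not code from anyone in this thread): a per-host ipchains policy of the kind recommended above for a kernel 2.2 Debian server, default-deny inbound with logging of what gets dropped. The addresses passed in are placeholders; it assumes ipchains is installed on the server and DRYRUN=1 prints the rules instead of loading them.

```shell
#!/bin/sh
# Per-host ipchains policy for one public Debian server (kernel 2.2 era).
# Usage: sh host-fw.sh <server-ip> <resolver-ip>   (set DRYRUN=1 to only print)

run() {
    # Load a rule, or in dry-run mode print it so the ruleset can be reviewed.
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

host_firewall() {
    ip="$1"     # this server's public address (placeholder supplied by caller)
    dns="$2"    # resolver whose UDP/53 answers must be let back in

    run -F input                    # drop any rules already loaded
    run -P input DENY               # default deny for inbound traffic
    run -P output ACCEPT            # outbound left open on a trusted host
    run -P forward DENY             # a server does not route for others

    run -A input -i lo -j ACCEPT    # loopback is always fine
    # Anti-spoofing: our own address arriving from the wire is bogus; log it
    run -A input -s "$ip" ! -i lo -l -j DENY

    # Services this host exposes to the Internet
    run -A input -p tcp -d "$ip" 80 -j ACCEPT
    run -A input -p tcp -d "$ip" 22 -j ACCEPT

    # ipchains is stateless: let in TCP that is not a bare SYN (replies to us)
    run -A input -p tcp ! -y -d "$ip" -j ACCEPT
    # DNS answers, but only from our configured resolver
    run -A input -p udp -s "$dns" 53 -d "$ip" -j ACCEPT
    # ICMP: echo-request (8) plus unreachable (3) and time-exceeded (11)
    run -A input -p icmp -s 0/0 8 -d "$ip" -j ACCEPT
    run -A input -p icmp -s 0/0 3 -d "$ip" -j ACCEPT
    run -A input -p icmp -s 0/0 11 -d "$ip" -j ACCEPT

    # Everything else is logged (-l) and denied so probes show up in syslog
    run -A input -l -j DENY
}

if [ $# -eq 2 ]; then
    host_firewall "$1" "$2"
fi
```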