
RE: Firewall Related Question



This link might help:
http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html

- James

-----Original Message-----
From: Alson van der Meulen [mailto:alson@flutnet.org]
Sent: Monday, October 22, 2001 1:31 PM
To: Debian Security List
Subject: Re: Firewall Related Question


On Mon, Oct 22, 2001 at 10:17:59AM -0700, tony mancill wrote:
> I'd recommend the former (firewalling on each server).  This will let you
> customize the firewall for that server alone, and spread the packet
> filtering load and logging.  Also, with no access to the Cisco box, you'd
> have to either MASQ or SNAT with proxy ARP if you do insert a firewall
> into the packet path to get the traffic to cross the firewall.  (The Cisco
> is going to assume that the subnet with the DMZ address space is still
> directly attached.)
With FreeBSD/OpenBSD, you could use a packet filtering bridge (quite nice,
IMO): put two ethernet cards in a box, one to the Cisco, the second to the
switch with the Debian servers. No need for an IP address at the bridge,
just bridge and firewall.

I'm not sure if Linux can do this; maybe there are some patches for
iptables to do it?

> On Mon, 22 Oct 2001, James wrote:
>
> > Yes, you could definitely do a firewall on each server.
> >
> > Also, have you considered setting up a 4th machine between the Cisco and
> > the 3 servers?  That could work also.  You wouldn't make it a masq box, just
> > configure it to pass packets based on the rules.
> >
> > - James
> >
> > -----Original Message-----
> > From: Alson van der Meulen [mailto:alson@flutnet.org]
> > Sent: Monday, October 22, 2001 6:58 AM
> > To: Debian Security List
> > Subject: Re: Firewall Related Question
> >
> >
> > On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> > > I've got some simple questions related to using a firewall on
> > > some single public Debian boxes. I chose to post my questions
> > > here because I always have security in mind during the development
> > > of my network services.
> > >
> > > Let me assume I've got a simple network with 3 public Debian
> > > servers and 1 Cisco router (Internet gateway).
> > >
> > > The router belongs to my connection ISP, so I can't configure it,
> > > but only use it for Internet connectivity.
> > >
> > > The 3 Debian boxes are under my full control.
> > >
> > > The best way to protect my Debian servers would be to install
> > > a firewall on my gateway (Cisco router), but actually I can't,
> > > so my question is: can I install a firewall on each of my Debian
> > > boxes to filter/block incoming and outgoing network traffic?
> > >
> > > Is this a good choice? Or should I put another machine in my
> > > network, between the gateway and the servers, which acts as a firewall?
> > You can just configure a packet filter on all your servers; the main
> > disadvantage is that it's more difficult to administer.
--
,-------------------------------------------.
> Name:           Alson van der Meulen      <
> Personal:        alson@flutnet.org        <
> School:       alson@gymnasiumleiden.nl    <
`-------------------------------------------'
I remember the last time I saw it do that...
---------------------------------------------
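The thread's second option, a fourth machine between the Cisco and the servers that filters without being a MASQ/SNAT hop, is what the linked Bridge+Firewall HOWTO describes: a Linux box with two NICs bridged together, no IP address on the bridge, and packet filtering applied as frames cross it. Because the bridge is transparent, the Cisco keeps seeing the DMZ subnet as directly attached, which sidesteps the proxy-ARP problem tony raises. The script below is an added example written for this page, not code from the thread or from the HOWTO, and it uses the modern tooling (iproute2, `br_netfilter`, iptables with the `physdev` match) rather than the 2001-era kernel patches. Interface names `eth0`/`eth1`, the bridge name `br0`, the DMZ prefix `192.0.2.0/24` and the published services are all constructed assumptions. With `DRY_RUN=1` (the default) it prints the commands instead of running them, so it can be reviewed on any machine without root or real interfaces.

```shell
#!/bin/sh
# Transparent (IP-less) bridging firewall on Linux.
# Added example for this page; not from the thread or the Bridge+Firewall HOWTO.
# Assumptions (hypothetical): OUTSIDE faces the Cisco, INSIDE faces the switch
# with the Debian servers, the servers live in DMZ (192.0.2.0/24 is TEST-NET,
# constructed for the example). Requires iproute2, iptables and the bridge and
# br_netfilter kernel modules when run for real (DRY_RUN=0).

OUTSIDE=${OUTSIDE:-eth0}
INSIDE=${INSIDE:-eth1}
BR=${BR:-br0}
DMZ=${DMZ:-192.0.2.0/24}
DRY_RUN=${DRY_RUN:-1}

# Print the command under DRY_RUN=1, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build the bridge and enslave both NICs. Deliberately no "ip addr add":
# the box has no address on the DMZ segment, so it is not a routing hop
# and cannot be addressed from the Internet side.
bridge_setup() {
    run modprobe br_netfilter
    run ip link add name "$BR" type bridge
    run ip link set "$OUTSIDE" master "$BR"
    run ip link set "$INSIDE" master "$BR"
    run ip link set "$OUTSIDE" up
    run ip link set "$INSIDE" up
    run ip link set "$BR" up
    # Hand bridged IPv4 frames to iptables' FORWARD chain.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Filter rules for bridged traffic. Arguments are published services as
# proto/port, e.g. "tcp/22 tcp/80". On a bridge the FORWARD chain sees br0
# as both -i and -o, so the physical port is selected with -m physdev.
bridge_filter() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # Replies to sessions already allowed in either direction.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New sessions from the Internet only to the published services.
    for svc in "$@"; do
        proto=${svc%%/*}
        port=${svc#*/}
        run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" --physdev-out "$INSIDE" \
            -d "$DMZ" -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # The servers may open outbound sessions themselves.
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" --physdev-out "$OUTSIDE" \
        -s "$DMZ" -m conntrack --ctstate NEW -j ACCEPT
    # Everything else hits the DROP policy; log a rate-limited sample first.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "BRIDGE-DROP: "
}

bridge_setup
bridge_filter tcp/22 tcp/80 tcp/25
```

Two practitioner caveats. First, the default policy of DROP plus `physdev` means a typo in `OUTSIDE`/`INSIDE` silently blocks all DMZ traffic, so run with `DRY_RUN=1` and read the output before setting `DRY_RUN=0`. Second, a bridge with no IP address also has no management path; administer it from a console or a third NIC on a separate management network, not over the DMZ it is filtering.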

