
Re: Transparent bridge firewall with bridge-nf



> as opposed to a setup with a firewall+router.
 With Linux there are a few problems with a transparent firewalling setup, i.e.,
normal iptables don't work too well with such a setup; you need to use the special
bridge-iptables, ebtables IIRC. One drawback of that is that you can't do
everything you're used to doing with iptables; you need to limit yourself to
relatively simpler rules (if all you need is to filter out some ports then
there's no limitation here).
{ A similar setup using OpenBSD is very clean and works flawlessly out of the
box (and using standard pf). }

> and remains invisible at the cost of giving away the real IP addresses
 I don't think being invisible is that much of a security measure; it sure is
nice, but the real kick in being invisible is that you can firewall your
users without changing infrastructure: you can put your firewall just about anywhere.
 Being invisible doesn't make you invulnerable (as all comic readers know ;),
if you've got snort on your firewall and there's a bug in its parsing code,
you're still going to be sorry...

> keep hiding the real IP addresses of the servers or to hide the firewall
 I don't get it, what do you accomplish by hiding the real IP address of
something? Incoming-blocking firewalling is just a byproduct of NAT;
wouldn't you prefer the real thing?

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9
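The bridge-nf setup the thread is about, as an added example (this is not code from the post or from the bridge-nf project). It builds an address-less bridge, turns on bridge-nf so that bridged IP frames pass through the iptables FORWARD chain, uses the physdev match to tell the two sides apart, and leaves non-IP frames to ebtables, which is the only place they can be filtered. The interface names eth0/eth1, the bridge name br0 and the port list are assumptions chosen for illustration; the br_netfilter module line is for kernels where bridge-nf lives in a separate module.

```shell
#!/bin/sh
# Transparent bridge firewall with bridge-nf (added example, not from the post).
# Assumptions: eth0 faces the Internet, eth1 faces the servers, the bridge is
# called br0 and only TCP ports 22, 80 and 443 may be reached from outside.
# Set RUN=echo to print the commands instead of executing them (dry run).
RUN="${RUN:-}"

OUTSIDE=eth0               # assumed: untrusted side
INSIDE=eth1                # assumed: protected side
BRIDGE=br0                 # assumed bridge name
ALLOWED_TCP="22 80 443"    # assumed: ports reachable from outside

# Create the bridge and make bridged IP traffic visible to iptables.
setup_bridge() {
    $RUN modprobe br_netfilter         # bridge-nf is a separate module on newer kernels
    $RUN ip link add "$BRIDGE" type bridge
    $RUN ip link set "$OUTSIDE" master "$BRIDGE"
    $RUN ip link set "$INSIDE" master "$BRIDGE"
    $RUN ip link set "$OUTSIDE" up
    $RUN ip link set "$INSIDE" up
    $RUN ip link set "$BRIDGE" up      # deliberately no IP address: invisible at layer 3
    $RUN sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Layer-3 policy in iptables. Bridged frames hit FORWARD, not INPUT/OUTPUT,
# and the physdev match says which bridge port a frame came in on.
bridge_rules() {
    $RUN iptables -P FORWARD DROP
    # Replies to connections that were already allowed.
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
        -m physdev --physdev-is-bridged -j ACCEPT
    # Anything the inside initiates may go out.
    $RUN iptables -A FORWARD -m physdev --physdev-in "$INSIDE" --physdev-is-bridged -j ACCEPT
    # From outside, only the listed TCP ports.
    for p in $ALLOWED_TCP; do
        $RUN iptables -A FORWARD -p tcp --dport "$p" \
            -m physdev --physdev-in "$OUTSIDE" --physdev-is-bridged -j ACCEPT
    done
}

# Layer-2 policy in ebtables: iptables only ever sees IP, so frames of any
# other ethertype have to be dropped here. Only IPv4 and ARP are bridged.
bridge_l2_rules() {
    $RUN ebtables -P FORWARD DROP
    $RUN ebtables -A FORWARD -p IPv4 -j ACCEPT
    $RUN ebtables -A FORWARD -p ARP -j ACCEPT
}

# Apply only when run as "sh bridge-fw.sh apply"; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
    setup_bridge
    bridge_l2_rules
    bridge_rules
fi
```

Run it once with RUN=echo to review the generated rule set before applying it as root. Note that the ESTABLISHED rule relies on connection tracking, which only works here because bridge-nf hands the IP frames to the netfilter hooks; without the sysctl the FORWARD chain never sees bridged traffic and the DROP policy has no effect.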


