
Re: Transparent bridge firewall with bridge-nf



On Thu, 2003-10-30 at 08:53, Norbert Preining wrote:

> Our bridged/fw was running 160 days with code from there. Now I have
> installed a new kernel (2.4.22) with the current ebtables code
> (ebtables.sf.net) which can do even more, although I don't need it. But
> ebtables is the code in 2.6 and actively maintained, while the
> bridge.sf.net code is not maintained anymore.
> Go for it. It is easy, one patch. And then you can do ALL (contrary to
> the opinion of another reply) you can do with iptables on the forward
> table. 

That's what I thought. In fact I've got a test setup going where I use
iptables exclusively. The ebtables code for filtering on the link layer
sounds nice but I don't see any need for that. What makes the bridge
setup appealing to me is that I can simplify the routing tables. The
network looks something like this (excuse my pitiful ASCII art
skills):


                             ----------------
                             |   Internet   |
                             ----------------      
                                    |
                            ------------------
        -.-.-.-.-.-.-.-.-.-.|     Campus     |
        |                   | abc.def.0.0/16 |
        .                   ------------------
        |                          |
        .             ........------------...........................
        |             .       |  Bridge  |                          .
        .             .       ------------                          .
      __|__          ----          |                                .
     /     \      tr0|  |eth0      |                                .
     |      |--------| F|-------- LAN  (abc.def.131.0/24)           .
     |      |        | W|                                           .
     \_____/         ----                                           .
 abc.def.130.0/24     .                                             .
                      ...............................................


Everything inside the dotted rectangle is our network. The people on the
left (abc.def.130.0/24) are an associated institute and we share some
servers. Both we and they have gateways to the campus network which
obviously creates a loop (along the dash-dotted line). Could this call
for trouble?

> The one obvious advantage is that the bridge doesn't have an IP address
> Well, not necessarily. Ours has an IP address, but it is completely closed
> from the outside, while I can log in from the inside.

Well, obviously you will need an IP to do remote administration of the
machine but we have a physically separate private net for that. So the
bridge will get a third NIC with a 192... IP address and an ssh server
listening on that interface. But the bridge interface itself won't have
an IP.

And for something actually Debian-related: Do you know of a woody
backport of the ebtables package? Although I don't need it right away
some of the things described on ebtables.sf.net sound like they could
come in handy sometime.

Cheers,
Ben
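As an added example (not code from this thread or from the bridge-nf project), here is a script for the setup Ben describes: tr0 and eth0 bridged with no IP address, filtering done in the iptables FORWARD chain with the physdev match, and ssh reachable only on the separate management NIC. It assumes a kernel with bridge-nf and the physdev match, that tr0 faces the associated institute, eth0 the LAN and eth1 the management net; the management prefix and the allowed services are made up, and abc.def.131.0/24 is the placeholder from the diagram.

```shell
#!/bin/sh
# Added example: transparent bridge firewall with bridge-nf + iptables.
# Interface names, the management net and the permitted services are
# assumptions; abc.def.131.0/24 is the placeholder prefix from the mail.
BR=br0; OUTSIDE=tr0; INSIDE=eth0; MGMT=eth1
LAN_NET="abc.def.131.0/24"     # placeholder, replace with the real prefix
MGMT_NET="192.168.0.0/24"      # constructed management network

# The functions print the commands instead of running them, so the rule
# set can be reviewed (or tested) before apply_all runs it as root.
# STP is switched on so a layer-2 loop on the campus side is blocked by
# the bridge rather than turning into a broadcast storm.
bridge_cmds() {
  cat <<EOF
brctl addbr $BR
brctl addif $BR $OUTSIDE
brctl addif $BR $INSIDE
brctl stp $BR on
ip link set $OUTSIDE up
ip link set $INSIDE up
ip link set $BR up
EOF
}

# The bridge itself gets no address: only the management NIC accepts
# traffic (ssh from the management net), everything else is dropped.
# Bridged frames are filtered in FORWARD; physdev tells the two sides
# apart since both belong to the same bridge interface.
filter_cmds() {
  cat <<EOF
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $MGMT -s $MGMT_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $MGMT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $INSIDE --physdev-out $OUTSIDE -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $OUTSIDE --physdev-out $INSIDE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $OUTSIDE --physdev-out $INSIDE -d $LAN_NET -p tcp --dport 80 -j ACCEPT
EOF
}

# Quick sanity check: how many FORWARD rules the set contains.
forward_rule_count() { filter_cmds | grep -c '^iptables -A FORWARD'; }

apply_all() { { bridge_cmds; filter_cmds; } | sh -e; }

# Only touch the system when explicitly asked: ./bridgefw.sh apply
if [ "${1:-}" = apply ]; then apply_all; fi
```

Run the script without arguments to see the generated commands; `apply` pipes them through `sh -e` so the first failing command stops the setup.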
