[TCLUG] Firewall/Router Setup

Wed Jul 17 16:58:29 CDT 2002

Ok, thanks.  I have basic bridging pretty much setup now.  I think the
problem might be (partially) ARP related.  After I bring up br0, the LAN
machines can't find the Cisco.  If I ping the Cisco from the bridge,
however, then everything works fine.  Of course, no firewall rules yet ...
just simple bridging.  Any ideas?

--Nathan Davis

----- Original Message -----
From: "BN" <bneigebauer at attbi.com>
To: <tclug-list at mn-linux.org>
Sent: Tuesday, July 16, 2002 6:42 PM
Subject: RE: [TCLUG] Firewall/Router Setup

> The cards have to be up, I believe in promiscuous mode.
>
> Check this
> http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/set-up-the-bridge.html#BASIC-
> SETUP  out, it goes through the basic steps.
>
>
> -----Original Message-----
> From: tclug-list-admin at mn-linux.org
> [mailto:tclug-list-admin at mn-linux.org] On Behalf Of Nathan Davis
> Sent: Tuesday, July 16, 2002 4:24 PM
> To: tclug-list at mn-linux.org
> Subject: Re: [TCLUG] Firewall/Router Setup
>
> Ok, I need a little help.  Banging my head against the wall isn't
> getting the
> job done anymore ;-)
>
> 1) I'm running Redhat 7.3 (kernel 2.4.18).  Do you know if this needs to
> be
> patched?
>
> 2) I downloaded the script from
> http://www.sparkle-cc.co.uk/firewall/rc.firewall.sh.txt.  Ran it, didn't
> work.
> I tried to run just a simple bridge (no firewall) with
>     # ifdown eth0
>     # ifdown eth1
>     # brctl addbr br0
>     # brctl addif br0 eth1
>     # brctl addif br0 eth0
> This should be sufficient to test that the bridging part is working,
> correct?
> Under this configuration I can't ping the Cisco.  I have verified that
> both
> NICs work, and that the cabling between the NIC and the Cisco is
> correct.
>
> So anyway, I would appreciate any tips you could pass along.
>
> Thanks for the great help,
>
> --Nathan Davis
>
> BN wrote:
>
> > I have setup the transparent (bridging) firewalll in linux before.
> > If you need help let me know I and I'll check my notes.
> > The really cool thing is that you can also set up queueing and
> bandwidth
> > shaping transparantly.
> > There is a patch the hooks IP Tables/route back into the bridging
> code.
> > So, if you don't want any one computer hogging bandwidth it might be
> > worthwhile.
> >
> > Simeon Johnston wrote:
> >
> > > Nathan Davis wrote:
> > >
> > >> After thinking about this for awhile, I was wonding if I really
> need to
> > >> use two *real* ip addresses on the firewall machine.  Or even if
> there's
> > >> a way to set up a default route to an interface with no ip address
> > >> assigned.  Another option might be to have the cisco (and possibly
> the
> > >> firewall too) obtain an ip address via dhcp (I don't know how the
> other
> > >> end might take this, though), or assign the interface connecting
> the
> > >> firewall to the Cisco a "fake" address.
> > >>
> > >
> > > If you want an interface w/ no IP I'd suggest getting the Linux
> > > bridging stuff.
> > > The idea would be to have 3 NIC's actually.  One external (Router ->
> > > FW NIC), One for internal NAT'd addresses (any traffic can be
> > > forwarded through the firewall to internal hosts), the other would
> be
> > > a bridged interface to a DMZ (allows you to filter ports but doesn't
> > > need an IP).
> > >    There are other ways to set this up also but this is the only way
> I
> > > can think of at the moment to get a firewall without using one of
> your
> > > addresses.  Unless of course you just forward all your traffic
> through
> > > the firewall.  If you want a dedicated address for a specific server
> > > instead of all your DNS entries going ot the firewall, the firewall
> > > can be multi-homed (multiple addresses/NIC).
> > >
> > > I could probably think of a few more ways to get it done but
> couldn't
> > > tell you the "best" way without a bit more info.
> > >
> > > sim
> > >
> > > _______________________________________________
> > > Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul,
> > > Minnesota
> > > http://www.mn-linux.org
> > > tclug-list at mn-linux.org
> > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > >
> >
> > _______________________________________________
> > Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul,
> Minnesota
> > http://www.mn-linux.org
> > tclug-list at mn-linux.org
> > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul,
> Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul,
Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list