RE: [suse-security] Bridging Firewall with traffic-shaping

Theoretically you should be able to set up a SUSE box as a bridge and then use CBQ or some other mechanism to regulate bandwidth. I've only done this with FreeBSD using dummynet for bandwidth control and it was a breeze to set up using the docs from their handbook. However I have used CBQ on linux to control bandwidth.
Noah.

-----Original Message-----
From: Guido Tschakert [mailto:guido.tschakert@src-gmbh.de]
Sent: 01 April 2004 11:43
To: suse-security@suse.com
Subject: Re: [suse-security] Bridging Firewall with traffic-shaping
Dana Hudes wrote:
bridging is not the solution. That doesn't accomplish anything for you. You want to use NAT. Without bothering your ISP etc. just have a public IP on the DSL router Ethernet, another on the 'external' interface of your 2-Ethernet PC and on the internal one you use a private network (everyone seems enamored of 192.168.0.0/16 but you could use 10/8 if you like).
On Thu, 1 Apr 2004, Guido Tschakert wrote:
Hi Dana,
oh no, I don't want NAT! To be honest, I already have NAT for the internal network! I'll try to show my network:

------------
|DSL-Router|
------------
     |
     |
------------    --------------     ------------------
|Switch/HUB|----|Firewall/NAT|-----|INTERNAL-NETWORK|
------------    --------------     ------------------
   |   |
   |   |     --------------
   |   ------|External Box|
   |         --------------
   |
   |         --------------
   ----------|External Box|
             --------------

I know the external boxes look a bit strange, but we have our reasons for that (all of them have a built-in firewall!). The problem is that sometimes I have to guarantee upstream/downstream rates for the external boxes. That is why I want to put another box between the Router and the Switch. This box should do some traffic control and, by the way, why not have some more firewall rules to protect the network? (And no, we don't want to put the external boxes in a DMZ :-)
guido
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

sematin@mtn.co.ug wrote:
Theoretically you should be able to set up a SUSE box as a bridge and then use CBQ or some other mechanism to regulate bandwidth. I've only done this with FreeBSD using dummynet for bandwidth control and it was a breeze to set up using the docs from their handbook. However I have used CBQ on linux to control bandwidth.
Noah.
Hi there, thank you for your hint. I have looked at http://bridge.sourceforge.net, downloaded the bridge-utils RPM and tried to configure a bridge with brctl, which is very easy ;-) Stupidly the kernel hangs after ifconfig mybridge up and sending the first frames :-( I think I will wait now for SuSE 9.1 with kernel 2.6.x. Fortunately I'm not in that much of a hurry ;-) Then I will also try shorewall, and if there is time FreeBSD would be another option (don't beat me for that, this is a SuSE list and not a BSD list ;-) I thank all for their help
guido

Am 01.04.2004 um 11:01 schrieb Guido Tschakert:
sematin@mtn.co.ug wrote:
Theoretically you should be able to set up a SUSE box as a bridge and then use CBQ or some other mechanism to regulate bandwidth. I've only done this with FreeBSD using dummynet for bandwidth control and it was a breeze to set up using the docs from their handbook. However I have used CBQ on linux to control bandwidth. ... I have looked at http://bridge.sourceforge.net, downloaded the bridge-utils RPM and tried to configure a bridge with brctl, which is very easy ;-) Stupidly the kernel hangs after ifconfig mybridge up and sending the first frames :-( I think I will wait now for SuSE 9.1 with kernel 2.6.x.

To use Linux kernel 2.4.x as a filtering bridge you need the bridge-nf patch applied to the kernel, which isn't included in SuSE's kernels afaik. You also need an up-to-date version of iptables with some of the patch-o-matic patches applied, and the bridge-utils. Patching/recompiling SuSE's kernels is a mess; I gave up after a few hours and took Debian stable. The box is rock solid and a fine firewalling, shaping and accounting bridge.
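Sven's post lists the pieces of a shaping bridge; as an added example that is not from anyone in this thread, here is how the bridge and the per-box upstream/downstream guarantees Guido asked for could be set up with brctl and tc. It assumes a kernel with HTB (used here in place of the CBQ mentioned above), eth0 facing the DSL router and eth1 facing the switch; the line rates and box addresses are constructed values, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. eth0 faces the DSL router, eth1 the
# switch; rates and addresses below are constructed sample values.
EXT_IF=eth0            # port toward the DSL router (upstream leaves here)
INT_IF=eth1            # port toward the switch (downstream leaves here)
BR=br0
DOWN_RATE=2048kbit     # assumed DSL downstream line rate
UP_RATE=256kbit        # assumed DSL upstream line rate
# external boxes as "address:guaranteed-down:guaranteed-up"
BOXES="198.51.100.10:512kbit:64kbit 198.51.100.11:256kbit:64kbit"
# With DRY_RUN set, print each command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}
# Transparent bridge: the ports carry no addresses, STP off for a 2-port box.
setup_bridge() {
    run brctl addbr "$BR"
    run brctl addif "$BR" "$EXT_IF"
    run brctl addif "$BR" "$INT_IF"
    run brctl stp "$BR" off
    run ifconfig "$EXT_IF" 0.0.0.0 up
    run ifconfig "$INT_IF" 0.0.0.0 up
    run ifconfig "$BR" up
}
# HTB tree on egress port DEV: class 1:1 = line rate LINE, one child per box
# with its guaranteed rate (may borrow up to LINE when others are idle) and
# class 1:ff as default for everything else. KEY is "dst" on the switch-facing
# port (downstream) and "src" on the router-facing port (upstream). tc attaches
# to the physical ports, so it does not depend on the bridge-nf patch (that is
# what iptables needs in order to see bridged frames).
shape_dir() {
    dev=$1; key=$2; line=$3; n=10
    run tc qdisc add dev "$dev" root handle 1: htb default ff
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$line"
    run tc class add dev "$dev" parent 1:1 classid 1:ff htb rate 32kbit ceil "$line"
    for entry in $BOXES; do
        ip=${entry%%:*}; rest=${entry#*:}; down=${rest%%:*}; up=${rest##*:}
        if [ "$key" = dst ]; then rate=$down; else rate=$up; fi
        run tc class add dev "$dev" parent 1:1 classid 1:$n htb rate "$rate" ceil "$line"
        run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
            match ip $key "$ip/32" flowid 1:$n
        n=$((n + 1))
    done
}
if [ "${1:-}" = "apply" ]; then
    setup_bridge
    shape_dir "$INT_IF" dst "$DOWN_RATE"
    shape_dir "$EXT_IF" src "$UP_RATE"
fi
```

Run with `DRY_RUN=1 sh shaper.sh apply` first to review the generated brctl/tc commands; the sum of the guaranteed child rates must stay below the line rate in each direction or HTB cannot honour them.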
participants (3)
- Backhausen, Sven
- Guido Tschakert
- sematin@mtn.co.ug