Using 9.1 as Bridging Firewall
OS: SuSE 9.1 with latest patches

I found the thread on using SuSE as a bridging firewall earlier this year but seem to be stuck.

Topology:
Internet Side: xxx.xxx.xxx.1 (Default Gateway) (Cisco router)
Bridge: Defined bridge xxx.xxx.xxx.10 adding eth0 (connected to .1) and eth1 (LAN side). Default route defined as xxx.xxx.xxx.1
LAN Side: Test system xxx.xxx.xxx.29

I can ping .1, .10 and .29 from the bridge system and even surf the internet, etc. I can ping the bridge (.10) from the LAN side (.29) but cannot ping the gateway (.1). At this point there are no iptables rules in effect (iptables -L shows nothing) and SuSEfirewall2 is disabled.

I have downloaded shorewall 2.0.8 and bridge-utils (from SuSE 9.1 CDs) but seem to be missing something here.

Goal: Use the bridging firewall between a Cisco router and the rest of our networks to detect/defeat syn flood and smurf attacks. Cisco wants $US 2K/router for the enterprise version of their software to do this (times 4 routers!) which is a major outlay for a small ISP, hence the urgency of getting this to work. (I have a bottom of the line MultiTech RF550VPN on one of the LAN side systems and even it has no problem stopping these attacks on the one system - we just need to duplicate this protection on several subnets.)

Thank you,
Lucky Leavell
Quoting Lucky Leavell
OS: SuSE 9.1 with latest patches
I found the thread on using SuSE as a bridging firewall earlier this year but seem to be stuck.
Topology: Internet Side: xxx.xxx.xxx.1 (Default Gateway) (Cisco router)
Bridge: Defined bridge xxx.xxx.xxx.10 adding eth0 (connected to .1) and eth1 (LAN side). Default route defined as xxx.xxx.xxx.1
LAN Side: Test system xxx.xxx.xxx.29
I can ping .1, .10 and .29 from the bridge system and even surf the internet, etc. I can ping the bridge (.10) from the LAN side (.29) but cannot ping the gateway (.1). At this point there are no iptables rules in effect (iptables -L shows nothing) and SuSEfirewall2 is disabled.
Out of curiosity, why don't you make the "Bridge" system into a real linux firewall? You can have the linux box provide DHCP for a 192.168.x.x block (or a 10.x.x.x if you prefer) and stop virtually all attacks, rather than just syn and smurf... It's been years since I've seen anyone try to "bridge" two networks without real routing. SuSEfirewall2 has all you need for setting up the firewall and routing.
On Fri, 10 Sep 2004 suse@rio.vg wrote:
Quoting Lucky Leavell
OS: SuSE 9.1 with latest patches
I found the thread on using SuSE as a bridging firewall earlier this year but seem to be stuck.
Topology: Internet Side: xxx.xxx.xxx.1 (Default Gateway) (Cisco router)
Bridge: Defined bridge xxx.xxx.xxx.10 adding eth0 (connected to .1) and eth1 (LAN side). Default route defined as xxx.xxx.xxx.1
LAN Side: Test system xxx.xxx.xxx.29
I can ping .1, .10 and .29 from the bridge system and even surf the internet, etc. I can ping the bridge (.10) from the LAN side (.29) but cannot ping the gateway (.1). At this point there are no iptables rules in effect (iptables -L shows nothing) and SuSEfirewall2 is disabled.
Out of curiosity, why don't you make the "Bridge" system into a real linux firewall? You can have the linux box provide DHCP for a 192.168.x.x block (or a 10.x.x.x if you prefer) and stop virtually all attacks, rather than just syn and smurf...
That was my intention. First, I want to get the non-trivial bridging part to work before complicating things with the firewall part.

One caveat: The LAN Side IP addresses are not "private"; they have public IP addresses which must be accessible from the outside.

Caveat #2: The gateway (router), bridge and LAN side are all on the same (public) subnet.

Thank you,
Lucky Leavell
Lucky Leavell wrote:
OS: SuSE 9.1 with latest patches
I found the thread on using SuSE as a bridging firewall earlier this year but seem to be stuck.
What is your goal? If you only want a transparent bridge-filter, you should not assign any IP to the eth's and the bridge. Just do a

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

(maybe you'll need to manually up the if's) and add

iptables -A FORWARD -i br0 -o br0 -j ACCEPT

and you should be set. Of course if the bridge filtering machine itself should be accessible it needs an IP address and correct routing/default gateway settings. But you don't have to have an ip on the bridge device nor on all if's in the bridge.

Additional filtering can then be done by using -m physdev (see ebtables doc) because -i -o may become meaningless for packets traversing the bridge. Just add the usual LOG's before drop and you'll see whenever you miss a packet in the log file while building your firewall (assuming you do it yourself and not using SuSEFirewall).

-- 
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
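The recipe René gives above (no IP on the bridge or its ports, direction taken from -m physdev, a LOG ahead of the final DROP) written out as one script, with rate limits aimed at the syn flood and smurf goal from Lucky's first post. This is an added example, not code from the thread or from any SuSE package; the names br0, eth0 (router side) and eth1 (LAN side) and the limit values are assumptions to be adjusted for the real box.

```shell
#!/bin/sh
# Added example, not from the thread: a transparent bridging filter built the
# way René describes, plus syn-flood and smurf rate limiting.
# Assumptions: br0 is the bridge, eth0 faces the Cisco router, eth1 faces the
# LAN, and the limit values suit a small ISP link. Adjust as needed.
# Usage:  sh bridge-fw.sh show    # print the commands (dry run)
#         sh bridge-fw.sh apply   # execute them as root

BR=${BR:-br0}              # bridge device (assumed name)
OUTSIDE=${OUTSIDE:-eth0}   # port facing the Cisco router
INSIDE=${INSIDE:-eth1}     # port facing the LAN

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the bridge from its two ports. No addresses are assigned to br0, eth0
# or eth1: the box is invisible to both sides, which is what makes the filter
# transparent. Give the box an address only if it must be managed remotely.
setup_bridge() {
    run brctl addbr "$BR"
    run brctl addif "$BR" "$OUTSIDE"
    run brctl addif "$BR" "$INSIDE"
    # as René notes, the ports (and the bridge) may need bringing up by hand
    run ip link set "$OUTSIDE" up
    run ip link set "$INSIDE" up
    run ip link set "$BR" up
}

# Bridged packets show -i br0 -o br0 in FORWARD, so the direction has to come
# from -m physdev. Rules are ordered most specific first.
setup_rules() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # replies to conversations already allowed, in either direction
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # anything the LAN sends toward the router
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" --physdev-out "$OUTSIDE" -j ACCEPT
    # smurf: echo requests arriving as broadcast never belong on the LAN
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -p icmp --icmp-type echo-request \
        -m pkttype --pkt-type broadcast -j LOG --log-prefix "smurf: "
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -p icmp --icmp-type echo-request \
        -m pkttype --pkt-type broadcast -j DROP
    # syn flood: admit new connections at a bounded rate; the excess falls
    # through to the logged DROP at the end of the chain
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -p tcp --syn \
        -m limit --limit 25/s --limit-burst 50 -j ACCEPT
    # other inbound traffic to the public LAN hosts
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -p udp -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -p icmp \
        -m limit --limit 10/s -j ACCEPT
    # LOG before DROP: anything the policy missed shows up in the log while it
    # is being built; the limit keeps a flood from filling the disk
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "bridge-drop: "
    run iptables -A FORWARD -j DROP
}

case "${1:-}" in
    show)  DRY_RUN=1; setup_bridge; setup_rules ;;
    apply) setup_bridge; setup_rules ;;
esac
```

Run it with `show` first and read the rule list before applying. On the 2.6 kernel of SuSE 9.1 the bridge-netfilter code that lets iptables see bridged frames is built in; on current kernels the br_netfilter module must be loaded and net.bridge.bridge-nf-call-iptables set to 1, or the FORWARD rules will never match bridged traffic. Once the bridge is up, watch the "bridge-drop:" lines in the log to find legitimate traffic the policy still blocks.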
participants (3)
- Lucky Leavell
- Rene Gallati
- suse@rio.vg