
Re: [suse-security] Using 9.1 as Bridging Firewall

Lucky Leavell wrote:
OS: SuSE 9.1 with latest patches

I found the thread on using SuSE as a bridging firewall earlier this year but seem to be stuck.

What is your goal? If you only want a transparent bridge-filter, you should not assign any IP to the eth's and the bridge.

Just do a
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

(maybe you'll need to manually up the if's)

and add

iptables -A FORWARD -i br0 -o br0 -j ACCEPT

and you should be set.

Of course, if the bridge filtering machine itself should be accessible, it needs an IP address and correct routing/default gateway settings. But you don't have to have an IP on the bridge device nor on all if's in the bridge.

Additional filtering can then be done by using -m physdev (see ebtables doc) because -i -o may become meaningless for packets traversing the bridge. Just add the usual LOGs before DROP and you'll see whenever you miss a packet in the log file while building your firewall (assuming you do it yourself and not using SuSEFirewall).

     - -- ---- ----- -----/\/  René Gallati  \/\---- ----- --- -- -
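The setup described in the reply above (an IP-less bridge over two ports, physdev matches instead of -i/-o, LOG before DROP), put together as a complete script. This is an added example and not code from the poster or from SuSE; it assumes eth0 faces the outside, eth1 faces a protected host at 192.0.2.10 (a constructed address from the documentation range) that should only accept new SSH connections from outside, and that bridge-nf is available (on current kernels the br_netfilter module has to be loaded before the sysctl exists). Running it with no argument prints the plan instead of executing it, so the rule set can be reviewed without root; `apply` executes it.

```shell
#!/bin/sh
# Added example (not from the original post): transparent bridge filter with
# brctl + iptables physdev matches and a LOG rule ahead of the final DROP.
# Assumptions: br0 over eth0 (outside) and eth1 (inside); 192.0.2.10 is a
# constructed address for the protected host. DRY_RUN=1 prints commands only.

BR=${BR:-br0}
OUT_IF=${OUT_IF:-eth0}   # port towards the outside world
IN_IF=${IN_IF:-eth1}     # port towards the protected host
SERVER=${SERVER:-192.0.2.10}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the bridge. No IP is assigned to br0, eth0 or eth1, so the filter
# box has no layer-3 presence; the ports only have to be brought up.
setup_bridge() {
    run brctl addbr "$BR"
    run brctl addif "$BR" "$OUT_IF"
    run brctl addif "$BR" "$IN_IF"
    run ip link set "$OUT_IF" up
    run ip link set "$IN_IF" up
    run ip link set "$BR" up
    # Bridged frames only reach iptables when bridge-nf is switched on.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# FORWARD rules. For bridged packets -i and -o both show br0, so the
# physical port is selected with -m physdev instead.
setup_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # replies and already established flows, in either direction
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new SSH sessions from the outside port to the protected host only
    run iptables -A FORWARD -m physdev --physdev-in "$OUT_IF" --physdev-out "$IN_IF" \
        -d "$SERVER" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # anything the protected side initiates is allowed out
    run iptables -A FORWARD -m physdev --physdev-in "$IN_IF" --physdev-out "$OUT_IF" \
        -m state --state NEW -j ACCEPT
    # log what falls through (rate limited so the log stays readable), then drop
    run iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "BRIDGE-DROP: "
    run iptables -A FORWARD -j DROP
}

# Print the full command sequence without touching the system.
plan() {
    ( DRY_RUN=1; setup_bridge; setup_rules )
}

if [ "${1:-}" = "apply" ]; then
    setup_bridge
    setup_rules
else
    plan
fi
```

After applying, `brctl show` confirms both ports are members of br0, and `iptables -L FORWARD -v -n` shows per-rule counters; a packet that hits the LOG rule turns up in the kernel log with the BRIDGE-DROP prefix, which is exactly the "you missed something" signal the reply describes.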
