IP access restriction

Ow Mun Heng Ow.Mun.Heng at wdc.com
Thu Oct 14 02:25:19 UTC 2004


On Wed, 2004-10-13 at 21:24, Nigel Wade wrote:
> Rick Lim wrote:
> 
> What's the network topology? If it's possible to insert a single device in 
> the network which carries all traffic then it is possible to add a bridging 
> firewall.

I am piqued. I know I can possibly google for it, but I don't have
access to the I-net right now.

So, for a bridging firewall to work, how is the connection supposed to
be?

Say.. (horrible ASCII art)

before
--net--[ router ] ----------------int_network

Now
--net- [ 	router       ] - int_network
	   |__ bridg-fw__|

OR??
--net- [ 	router       ] - int_network
	   |		       |
	   |__ bridg-fw__|


> then you add ethernet cards to the bridge (you can have multiple cards in 
> each segment, and the bridging software uses spanning-tree to provide 
> redundancy). For 2 cards, eth0 and eth1, with 1 in each segment you would do:
> 
> # brctl addif nameOfBridgeInterface eth0
> # brctl addif nameOfBridgeInterface eth1
> 
> then put the cards in promiscuous mode (they need to accept all packets):
> 
> # ifconfig eth0 promisc 0.0.0.0
> # ifconfig eth1 promisc 0.0.0.0
> 
> then, if you want to be able to connect to the bridge, you create a network 
> script for it, /etc/sysconfig/network-scripts/ifcfg-nameOfBridgeInterface
> 
> DEVICE=nameOfBridgeInterface
> BOOTPROTO=static
> BROADCAST=<your-network-broadcast-address>
> IPADDR=<bridge-IP>
> NETMASK=<your-network-netmask>
> NETWORK=<your-network-address>
> ONBOOT=yes
> TYPE=Ethernet
> USERCTL=no
> PEERDNS=no
> 
> The startup scripts will take care of everything else. Iptables rules can be 
> applied to the FORWARD chain for packets traversing the bridge, or to the 
> INPUT/OUTPUT chains for packets destined to/from the bridge itself. You can 
> also add rules for each card.
> 
> You should not have any network initialization on eth0 or eth1, the bridge 
> rules above do the necessary work, activating the card in promiscuous mode 
> and assigning no IP.

I thought your script above denotes that we create an IP address for the
bridge? (/etc/sysconfig/network-scripts/ifcfg-nameOfBridgeInterface)


-- 
Ow Mun Heng
Fedora GNU/Linux Core 2 on D600 1.4Ghz CPU kernel
2.6.7-2.jul1-interactive 
Neuromancer 10:19:51 up 51 min, 6 users, load average: 0.01, 0.15, 0.41 
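The setup Nigel describes above (bridge with two member cards, no IP on the members, an IP on the bridge itself, iptables on FORWARD for bridged traffic and on INPUT/OUTPUT for the bridge's own address), written out as one script. This is an added example, not code from the thread or from Fedora. It assumes the in-line topology, the only one in which the bridge sees all traffic: net -- router -- eth0 [ bridge-fw ] eth1 -- int_network. The names br0, eth0, eth1, the management address 192.0.2.10/24, the internal network 10.0.0.0/24 and the web server 10.0.0.80 are assumptions; change them to taste. DRY_RUN=1 prints the commands instead of running them, so the script can be previewed without root.

```shell
#!/bin/bash
# Added example (not from the original thread): a transparent bridging firewall
# that enforces an IP access restriction on the traffic crossing it.
#
# Assumed in-line topology:
#   --net--[ router ]--eth0 [ bridge-fw ] eth1--int_network
# Assumed names: bridge br0, outer member eth0, inner member eth1,
# management address 192.0.2.10/24 on br0, internal net 10.0.0.0/24,
# one internal web server 10.0.0.80 reachable from outside on tcp/80.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bridge: the member NICs get no address and run promiscuous so that every
# frame is forwarded; only br0 carries the (optional) management address.
setup_bridge() {
    local br="$1" outer="$2" inner="$3" mgmt_cidr="$4"
    run brctl addbr "$br"
    run brctl addif "$br" "$outer"
    run brctl addif "$br" "$inner"
    run ifconfig "$outer" 0.0.0.0 promisc up
    run ifconfig "$inner" 0.0.0.0 promisc up
    run ip addr add "$mgmt_cidr" dev "$br"
    run ifconfig "$br" up
    # Bridged frames only pass through iptables when bridge-netfilter is on;
    # forgetting this leaves the FORWARD rules silently unused. Newer kernels
    # need the br_netfilter module loaded before this sysctl exists.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# IP access restriction for traffic crossing the bridge. Bridged packets hit
# FORWARD; -m physdev ties the source address to the member port it arrived
# on, so an outside host spoofing an inside address is dropped before any
# ACCEPT (including the ESTABLISHED one) can match it. Rule order matters.
apply_forward_rules() {
    local outer="$1" inner="$2" internal_net="$3" web_server="$4"
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m physdev --physdev-in "$outer" -s "$internal_net" -j DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$inner" -s "$internal_net" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$outer" -d "$web_server" -p tcp --dport 80 -j ACCEPT
}

# Traffic to the bridge's own management address hits INPUT, not FORWARD;
# admit only SSH from the inside, nothing from the router side.
apply_input_rules() {
    local inner="$1" internal_net="$2"
    run iptables -P INPUT DROP
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m physdev --physdev-in "$inner" -s "$internal_net" -p tcp --dport 22 -j ACCEPT
}

bridge_firewall() {
    local br="$1" outer="$2" inner="$3" mgmt_cidr="$4" internal_net="$5" web_server="$6"
    setup_bridge "$br" "$outer" "$inner" "$mgmt_cidr"
    apply_forward_rules "$outer" "$inner" "$internal_net" "$web_server"
    apply_input_rules "$inner" "$internal_net"
}

# Runs only when invoked with all six arguments, e.g.
#   DRY_RUN=1 ./bridge-fw.sh br0 eth0 eth1 192.0.2.10/24 10.0.0.0/24 10.0.0.80
if [ "$#" -eq 6 ]; then
    bridge_firewall "$@"
fi
```

The two checks a practitioner most often misses are visible in the script: the bridge-nf sysctl, without which bridged frames never reach iptables and the FORWARD rules do nothing, and the anti-spoof DROP placed before every ACCEPT, keyed on the physical ingress port rather than on br0 (which is what -i would give you on a bridge). Leaving the management address off br0 entirely makes the firewall invisible on the wire, at the cost of console-only administration.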




More information about the fedora-list mailing list