[fw-wiz] Linux Bridge/Firewall
From: Chris Ditri (chrisd_at_better-investing.org)
To: <email@example.com>
Date: Wed, 26 Nov 2003 16:03:57 -0500
I have successfully built my linux bridge.
I wish to use it as the outside machine in a DMZ, so I want it not only to
allow packets through without augmentation, but to only allow packets from
certain external machines on certain ports to certain protected machines on
certain ports -- and reject all other traffic.
I have an example running now, where I put my lists server behind this
machine, and it seems to work pretty well so far, but I know there are more
eloquent ways of doing what I have done.
I am using iptables. I set the INPUT chain to ACCEPT. I set the OUTPUT chain
to ACCEPT. I set the FORWARD chain to DROP, then made my exceptions on the
forward chain for the ports and machine in question.
Everything is basically on the forward chain.
Normally, I split up the packets into 3 chains, one for udp, one for tcp, etc.
etc. This is supposed to decrease the overhead by not running everything
through one chain. It minimizes processing. Should something like this be
implemented on my bridge/firewall? (logically splitting traffic into
Should I try to set my INPUT and OUTPUT to DROP, and make exceptions? Or is
it safe to leave it alone?
Should I bag the whole thing and use ebtables (something I am completely
unfamiliar with)? I personally don't see why I would want to do this... I
don't know if I have a need to block and allow based upon MAC address...
I appreciate any suggestions.
firewall-wizards mailing list
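The layout the post describes (INPUT/OUTPUT ACCEPT, FORWARD DROP, per-protocol user chains, narrow host-to-host-to-port exceptions) written out as a script; this is an added example, not the poster's actual ruleset. All addresses, the outside bridge port name and the allowed services are constructed for illustration, and it assumes bridged frames already traverse iptables FORWARD, as the poster's working setup implies.

```shell
#!/bin/sh
# Constructed addresses for illustration (not from the original post).
OUT_IF=eth0                 # bridge port facing the outside
LISTS_SRV=192.0.2.10        # protected list server behind the bridge
MX_PEER=198.51.100.5        # external host allowed to deliver mail to it
DNS_PEER=198.51.100.53      # external resolver the list server may query

# Emit the ruleset through $1: "iptables" applies it, "echo iptables" previews it.
# Default policies follow the post: INPUT/OUTPUT ACCEPT, FORWARD DROP.
build_rules() {
    ipt=$1
    $ipt -F
    $ipt -X
    $ipt -P INPUT ACCEPT
    $ipt -P OUTPUT ACCEPT
    $ipt -P FORWARD DROP
    # One user chain per protocol so a packet only walks the rules for its protocol.
    for chain in FWD_TCP FWD_UDP FWD_ICMP; do
        $ipt -N "$chain"
    done
    # Replies to already-accepted flows pass here, so the exceptions below only
    # need to describe the first packet of each connection.
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m state --state INVALID -j DROP
    $ipt -A FORWARD -p tcp  -j FWD_TCP
    $ipt -A FORWARD -p udp  -j FWD_UDP
    $ipt -A FORWARD -p icmp -j FWD_ICMP
    # Exceptions: named external host -> protected host -> single port, and only
    # for frames that entered on the outside bridge port.
    $ipt -A FWD_TCP -m physdev --physdev-in "$OUT_IF" -s "$MX_PEER" -d "$LISTS_SRV" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT
    # Outbound DNS from the protected host to its resolver only.
    $ipt -A FWD_UDP -s "$LISTS_SRV" -d "$DNS_PEER" -p udp --dport 53 -j ACCEPT
    # Allow rate-limited pings of the protected host; all other ICMP falls through.
    $ipt -A FWD_ICMP -d "$LISTS_SRV" -p icmp --icmp-type echo-request \
        -m limit --limit 10/s -j ACCEPT
    # Rate-limited log of whatever falls through before the FORWARD DROP policy.
    for chain in FWD_TCP FWD_UDP FWD_ICMP; do
        $ipt -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "${chain}-drop: "
    done
}

# Preview by default; run with IPT=iptables to load the rules on the bridge.
build_rules "${IPT:-echo iptables}"
```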