[fw-wiz] Linux Bridge/Firewall

From: Chris Ditri (chrisd_at_better-investing.org)
Date: 11/26/03

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 26 Nov 2003 16:03:57 -0500
    
    

    Hello Everyone,

    I have successfully built my linux bridge.

    I wish to use it as the outside machine in a DMZ, so I want it not only to
    allow packets through without augmentation, but to only allow packets from
    certain external machines on certain ports to certain protected machines on
    certain ports -- and reject all other traffic.

    I have an example running now, where I put my lists server behind this
    machine, and it seems to work pretty well so far, but I know there are more
    eloquent ways of doing what I have done.

    I am using iptables. I set the INPUT chain to ACCEPT. I set the OUTPUT chain
    to ACCEPT. I set the FORWARD chain to DROP, then made my exceptions on the
    forward chain for the ports and machine in question.

    Everything is basically on the forward chain.

    My questions:

    Normally, I split up the packets into 3 chains, one for udp, one for tcp, etc.
    etc. This is supposed to decrease the overhead by not running everything
    through one chain. It minimizes processing. Should something like this be
    implemented on my bridge/firewall? (logically splitting traffic into
    chains).

    Should I try to set my INPUT and OUTPUT to DROP, and make exceptions? Or is
    it safe to leave it alone?

    Should I bag the whole thing and use ebtables (something I am completely
    unfamiliar with)? I personally don't see why I would want to do this... I
    don't know if I have a need to block and allow based upon mac address...

    I appreciate any suggestions.

    Thanks.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
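The setup the post describes, as an added example that is not part of the original message: a script that generates an iptables-restore ruleset for the bridge with FORWARD defaulting to DROP, the traffic split into per-protocol user chains as the post asks about, and explicit exceptions for listed external host / protected host / port tuples. All addresses, ports and chain names are constructed placeholders; it assumes bridged frames are handed to iptables (bridge-nf / br_netfilter), which the working setup in the post implies.

```shell
#!/bin/sh
# Constructed allow list (placeholders, not from the original post).
# Each line: external source, protected DMZ host, protocol, destination port.
ALLOW_LIST="198.51.100.10 192.0.2.25 tcp 25
198.51.100.0/24 192.0.2.25 tcp 25
203.0.113.5 192.0.2.53 udp 53"

# Emit an iptables-restore ruleset for the bridge. FORWARD defaults to
# DROP; INPUT/OUTPUT stay ACCEPT as in the post (tighten them too if the
# bridge carries an IP address for management). New flows are dispatched
# into TCP_IN or UDP_IN by protocol, so each packet walks only the rules
# for its own protocol instead of the whole list.
gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':TCP_IN - [0:0]' \
        ':UDP_IN - [0:0]'
    # Replies to permitted connections also cross FORWARD; letting the
    # connection tracker accept them avoids hand-written reverse rules.
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -p tcp -m state --state NEW -j TCP_IN'
    echo '-A FORWARD -p udp -j UDP_IN'
    printf '%s\n' "$ALLOW_LIST" | while read -r src dst proto port; do
        [ -n "$src" ] || continue
        case "$proto" in
            tcp) chain=TCP_IN ;;
            udp) chain=UDP_IN ;;
            *) echo "skipping unknown protocol: $proto" >&2; continue ;;
        esac
        echo "-A $chain -s $src -d $dst -p $proto --dport $port -j ACCEPT"
    done
    # Whatever falls through is logged (rate-limited) before the chain
    # policy drops it, so blocked attempts are visible to the operator.
    echo '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "BRIDGE-DROP: "'
    echo 'COMMIT'
}

# Number of ACCEPT rules in the generated set: a cheap sanity check
# to compare against the allow list before loading with iptables-restore.
count_accepts() { gen_rules | grep -c -- '-j ACCEPT$'; }

gen_rules
```

Load the output with `iptables-restore` after reviewing it; the script itself only generates text, so it can be run and inspected without root.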

