Re: ipchains and bridgingFrom: Ulrich Keil (email@example.com)
- Previous message: Darren Young: "RE: Password Strength III (?)"
- In reply to: Chris Santerre: "ipchains and bridging"
- Next in thread: Chris Santerre: "RE: ipchains and bridging"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 8 Jul 2002 23:28:37 +0200 From: Ulrich Keil <firstname.lastname@example.org> To: "Security-Basics (E-mail)" <email@example.com>
On Mon, Jul 08, 2002 at 10:11:44AM -0400, Chris Santerre wrote:
> I have a firewall I have been working on. 3 NICs. I have real IP addresses
> for the outside NIC, DMZ NIC, and servers in the DMZ. I used bridging to get
> packets from the internet to the servers in the DMZ. Here is the problem.
> Bridging seems to be at a lower level then packet filtering. I can't filter
> anything coming IN to the DMZ, only out. It works, and stops everything, but
> it is NOT the best setup at all!!! I am well aware of ways to attempt to
> comprimise the servers in the DMZ. A DOS or ping of death could work easily.
> Any thoughts on how to go about fixing this, or have I doomed myself using
"-A bridge knows nothing about higher protocols than ARP"
Means: It is normally not possible to filter packets on a bridge ... but ...
There is a patch available to make ipchains/iptables work on a bridge
> Should I have virtually hosted the WEB and EMAIL server on the outside NIC
> of the firewall, and ipportfwd them to DMZ machines on a 192.x.x.x network?
I prefer this option, because you normally don't have any advantages
using a bridge against using NAT.
-- http://www.der-keiler.de PGP Fingerprint: 5FA4 4C01 8D92 A906 E831 CAF1 3F51 8F47 1233 9AAD Public key available at http://www.der-keiler.de/uk/pgp-key.asc
-----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS d- s-:- a-- C++ UL+++ P++ L+++ E--- W+++ N++ o- K- w-- O- M- V- PS PE Y+ PGP++ t+ 5 X R tv b+ DI- D++ G e h-- r++ y+ ------END GEEK CODE BLOCK------
- application/pgp-signature attachment: stored