Re: ipchains and bridging

From: Ulrich Keil (
Date: 07/08/02

Date: Mon, 8 Jul 2002 23:28:37 +0200
From: Ulrich Keil <>
To: "Security-Basics (E-mail)" <>

On Mon, Jul 08, 2002 at 10:11:44AM -0400, Chris Santerre wrote:
> I have a firewall I have been working on. 3 NICs. I have real IP addresses
> for the outside NIC, DMZ NIC, and servers in the DMZ. I used bridging to get
> packets from the internet to the servers in the DMZ. Here is the problem.
> Bridging seems to be at a lower level then packet filtering. I can't filter
> anything coming IN to the DMZ, only out. It works, and stops everything, but
> it is NOT the best setup at all!!! I am well aware of ways to attempt to
> comprimise the servers in the DMZ. A DOS or ping of death could work easily.
> Any thoughts on how to go about fixing this, or have I doomed myself using
> bridging?


Section 4:

"-A bridge knows nothing about higher protocols than ARP"

Means: It is normally not possible to filter packets on a bridge ... but ...

There is a patch available to make ipchains/iptables work on a bridge

> Should I have virtually hosted the WEB and EMAIL server on the outside NIC
> of the firewall, and ipportfwd them to DMZ machines on a 192.x.x.x network?

I prefer this option, because you normally don't have any advantages
using a bridge against using NAT.


PGP Fingerprint: 5FA4 4C01 8D92 A906 E831  CAF1 3F51 8F47 1233 9AAD
Public key available at

-----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS d- s-:- a-- C++ UL+++ P++ L+++ E--- W+++ N++ o- K- w-- O- M- V- PS PE Y+ PGP++ t+ 5 X R tv b+ DI- D++ G e h-- r++ y+ ------END GEEK CODE BLOCK------