Re: ipchains and bridging

From: Ulrich Keil (ulrich@der-keiler.de)
Date: 07/08/02


Date: Mon, 8 Jul 2002 23:28:37 +0200
From: Ulrich Keil <ulrich@der-keiler.de>
To: "Security-Basics (E-mail)" <security-basics@securityfocus.com>


On Mon, Jul 08, 2002 at 10:11:44AM -0400, Chris Santerre wrote:
> I have a firewall I have been working on. 3 NICs. I have real IP addresses
> for the outside NIC, DMZ NIC, and servers in the DMZ. I used bridging to get
> packets from the internet to the servers in the DMZ. Here is the problem.
> Bridging seems to be at a lower level than packet filtering. I can't filter
> anything coming IN to the DMZ, only out. It works, and stops everything, but
> it is NOT the best setup at all!!! I am well aware of ways to attempt to
> compromise the servers in the DMZ. A DoS or ping of death could work easily.
> Any thoughts on how to go about fixing this, or have I doomed myself using
> bridging?

Linux BRIDGE-STP-HOWTO:

http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/rules-on-bridging.html

Section 4:

"-A bridge knows nothing about higher protocols than ARP"

Means: It is normally not possible to filter packets on a bridge ... but ...

There is a patch available to make ipchains/iptables work on a bridge

http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/advanced-bridge.html#IPCHAINS
http://bridge.sourceforge.net/download.html

> Should I have virtually hosted the WEB and EMAIL server on the outside NIC
> of the firewall, and ipportfwd them to DMZ machines on a 192.x.x.x network?

I prefer this option, because you normally don't have any advantages
using a bridge over using NAT.

Ulrich

-- 
http://www.der-keiler.de
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831  CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.der-keiler.de/uk/pgp-key.asc
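The routed-plus-NAT layout that the reply prefers (public address on the outside NIC, port-forwarded to privately numbered DMZ hosts, with filtering done on the routed packet), written out as an added example that is not part of the thread. It uses iptables (2.4-kernel era) instead of ipchains/ipportfw; the interface names and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: port-forwarded DMZ behind a routed firewall.
# Interface names and addresses are constructed placeholders (203.0.113.0/24 is
# a documentation range); adjust to the real topology before use.
EXT_IF=eth0            # outside NIC, holds the public address
DMZ_IF=eth1            # DMZ NIC, privately numbered
PUBLIC_IP=203.0.113.10 # public address the web/mail names resolve to
WEB_DMZ=192.168.10.2   # web server in the DMZ
MAIL_DMZ=192.168.10.3  # mail server in the DMZ

# Print instead of executing when DRY_RUN is set, so the ruleset can be
# reviewed without root or a live kernel.
ipt() { if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi; }

apply_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F PREROUTING
    # Publish only the two services; anything else sent to the public IP
    # never reaches the DMZ because FORWARD defaults to DROP.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_DMZ:80"
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_DMZ:25"
    # Filtering happens here, on the routed (post-DNAT) packet, which a plain
    # bridge cannot do.
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WEB_DMZ" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$MAIL_DMZ" -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies from the DMZ to the outside, but no new connections from the DMZ.
    ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rate-limit inbound ICMP echo rather than dropping it outright.
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # Log and drop everything else.
    ipt -A FORWARD -j LOG --log-prefix "FWD-DROP: "
    ipt -A FORWARD -j DROP
}

# How many generated rules actually permit traffic into the DMZ (review aid).
count_dmz_accepts() { DRY_RUN=1 apply_rules | grep -c -- "-o $DMZ_IF .* -j ACCEPT"; }

# Run as "sh fw.sh --dry-run" to print the ruleset instead of loading it.
if [ "${1:-}" = "--dry-run" ]; then DRY_RUN=1; apply_rules; fi
```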




