Re: stealth bridge -- will this work?
From: Eirik Seim (eirik@peter.mi.uib.no) Date: 02/12/02
- Next message: Cedric Blancher: "Re: iptables and port scan"
- Previous message: Lutz Donnerhacke: "Re: iptables and port scan"
- In reply to: Jon Thor Williams: "Re: stealth bridge -- will this work?"
- Next in thread: Splatter: "Re: stealth bridge -- will this work?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: eirik@peter.mi.uib.no (Eirik Seim) Date: 12 Feb 2002 13:08:09 GMT
In article <GHT88.155$lK1.7148@sjc-read.news.verio.net>, Jon Thor Williams
wrote:
> Eirik, you claim that this will work but I do not necessarily see a way to
> get that LinkSys router to do advanced configuration like this... I have
> the LinkSys 4 port DSL router that just came out. I want both of my
> machines at home to each have one external public static IP address... and I
> want the firewall to be a transparent bridge.
>
> I know that this can be done with BSD or Linux, but I want a simpler/smaller
> solution.
Uh-oh, I noticed the "but" here just after finishing off the comments below.
You want a transparent bridging firewall, and you want Windows to do it?
Installing FreeBSD can be done in a cookbook-manner, you don't really have
to learn anything if you don't want to. Boot from the CD, select "Skip
kernel config ..", change the keymap by selecting "keymap" if needed,
otherwise go straight for the Standard Install. You might need to select
which hard drive to install on, and "minimal install", but otherwise simply
go for the default values, and you should have no problems.
...but I don't know of any other way than with BSD and probably also Linux.
> do you still think it is possible?
I'm not quite sure what causes your confusion... this is called "advanced
firewalling", but it's not really that difficult. At least, from a BSD-ish
point of view :)
A firewall is supposed to be a choke point for the network traffic, thus
if you want to use a bridging firewall, you'll only be able to use _one_
of the "internal" ports on your DSL router, unless you are building several
transparent bridges. You can of course use these extra ports as a sort of
DMZ, but that's another story.
[ Internet ] -> [ LinkSys ] -> [ Bridging firewall ] -> [ Hub ]
This is how it should be done, both your machines at home will be connected
to the hub (or switch, or whatever, also including a more advanced bridging
firewall with several interfaces, which will equal a switch, essentially),
and thus protected by the bridging firewall.
Most likely, you'll be dealing with three IP addresses (public, static),
one at the internal interface of your router (default gateway for your
internal machines), and one on each of your two machines.
For the initial setup, you should enable the bridge without any firewalling
first, and then, _after_ verifying that everything works just fine, enable
the packet filters. Since the bridge has no (need for) IP addresses, any
connections that are not allowed will time out. There will never be a
"connection denied" message, which can make troubleshooting a pain.
The really neat part about this kind of firewalling is that you do not need
to reconfigure your network settings at all. Not on your LinkSys router,
and not on any of your computers. It's just like a switch, you simply
connect one cable to your LinkSys and one to your hub, and you're online.
The _only_ problem I've run into with this kind of configuration is when
the rulesets allow more from the inside than the outside (and they often do),
and somebody connects the external network to the internal interface, and
vice versa. Make sure you label your cables and interfaces well :)
Hope this helps, even though I wrote mostly before fully understanding the
"smaller/simpler" part...
- Eirik
--
Eirik Seim
System Administrator
eirik.seim@mi.uib.no
Math. Department
http://www.mi.uib.no/~eirik
University of Bergen
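The procedure Eirik describes (bring the bridge up with no filtering, verify it, confirm which cable is which, then load the rules) as a FreeBSD script. This is an added example, not code from the post or the thread; it uses the current if_bridge driver and ipfw rather than the 2002-era BRIDGE kernel option. The interface names em0/em1, the host addresses in 192.0.2.0/24, the gateway MAC and the rules file path are all placeholders, and the assumption that ipfw sees a bridged packet as "in via" one member and "out" the other (net.link.bridge.pfil_member=1) should be confirmed against ipfw(8) and if_bridge(4) on the installed release. DRYRUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Transparent (IP-less) bridging firewall on FreeBSD with if_bridge and ipfw.
# Added example; every name below is a placeholder, not a value from the post:
#   OUTSIDE      NIC cabled to the LinkSys      INSIDE   NIC cabled to the hub
#   HOST_A/B     the two public static addresses behind the bridge
#   GATEWAY_MAC  MAC of the LinkSys LAN port, used to confirm cable orientation
# DRYRUN=1 prints the privileged commands instead of executing them.

OUTSIDE=${OUTSIDE:-em0}
INSIDE=${INSIDE:-em1}
HOST_A=${HOST_A:-192.0.2.10}
HOST_B=${HOST_B:-192.0.2.11}
GATEWAY_MAC=${GATEWAY_MAC:-00:00:00:00:00:00}
RULES=${RULES:-/etc/ipfw.bridge.rules}

run() {
    if [ -n "$DRYRUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1 (the post's advice): bridge first, filtering OFF, then verify that both
# hosts still reach the Internet before a single rule is loaded.
bridge_up() {
    run sysctl net.link.bridge.pfil_member=0
    run sysctl net.link.bridge.pfil_bridge=0
    run ifconfig bridge0 create
    run ifconfig bridge0 addm "$OUTSIDE" addm "$INSIDE" up
    run ifconfig "$OUTSIDE" up
    run ifconfig "$INSIDE" up
}

# Step 2: prove which side is which before trusting the "inside" interface.
# Reads the bridge forwarding table (`ifconfig bridge0 addr`, one line per learned
# MAC: "<mac> Vlan<n> <member> <age> flags=...") on stdin and succeeds only if
# the gateway's MAC was learned on the member that is supposed to face it.
check_orientation() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' | awk -v mac="$mac" -v ifn="$2" \
        '$1 == mac && $3 == ifn { found = 1 } END { exit !found }'
}

# Step 3: the ruleset. Every rule is keyed to a member interface name, which is
# why swapped cables silently invert the policy: "in via $INSIDE" would then be
# matching frames arriving from the Internet.
gen_ruleset() {
    cat <<EOF
flush
# new connections from the Internet: only the services the two hosts publish
add 100 allow tcp from any to $HOST_A 22,80 in via $OUTSIDE
add 110 allow tcp from any to $HOST_B 22 in via $OUTSIDE
# replies to connections the inside hosts opened
add 120 allow tcp from any to any established in via $OUTSIDE
add 130 allow udp from any 53 to any in via $OUTSIDE
add 140 allow icmp from any to any icmptypes 0,3,11 in via $OUTSIDE
# anything else from the Internet side: silent drop (no RST or ICMP unreachable
# is sent, so a blocked connection simply times out, as the post notes)
add 190 deny log ip from any to any in via $OUTSIDE
# the inside is trusted outbound; the forwarded frame then leaves via the other member
add 200 allow ip from any to any in via $INSIDE
add 210 allow ip from any to any out
add 65534 deny ip from any to any
EOF
}

# Step 4: only now turn filtering on for the member interfaces.
enable_filtering() {
    if [ -n "$DRYRUN" ]; then
        gen_ruleset
        printf '%s\n' "ipfw -q $RULES"
    else
        gen_ruleset > "$RULES" && ipfw -q "$RULES"
    fi
    run sysctl net.link.bridge.pfil_member=1
}

case "${1:-}" in
    up)     bridge_up ;;
    check)  ifconfig bridge0 addr | check_orientation "$GATEWAY_MAC" "$OUTSIDE" ;;
    filter) enable_filtering ;;
    "")     ;;
    *)      echo "usage: $0 up|check|filter" >&2; exit 2 ;;
esac
```

Run it as `up`, ping through from both hosts, then `check` (it exits non-zero if the gateway's MAC was learned on the wrong member, which is the swapped-cable mistake the post warns about), and only then `filter`. To make the setup survive a reboot, the equivalent rc.conf entries are `cloned_interfaces="bridge0"`, `ifconfig_bridge0="addm em0 addm em1 up"`, `firewall_enable="YES"` and `firewall_type="/etc/ipfw.bridge.rules"`.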