Using kernel 2.2, I run a bridge that handles packet filtering with ipchains.
Patches are available here: http://www.ac2i.tzo.com/bridge_filter/

James wrote:
>
> That link might help...
> http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html
>
> - James
>
> -----Original Message-----
> From: Alson van der Meulen [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 22, 2001 1:31 PM
> To: Debian Security List
> Subject: Re: Firewall Related Question
>
> On Mon, Oct 22, 2001 at 10:17:59AM -0700, tony mancill wrote:
> > I'd recommend the former (firewalling on each server). This will let you
> > customize the firewall for that server alone, and spread the packet
> > filtering load and logging. Also, with no access to the Cisco box, you'd
> > have to either MASQ or SNAT with proxy arps if you do insert a firewall
> > into the packet path to get the traffic to cross the firewall. (The Cisco
> > is going to assume that the subnet with the DMZ address space is still
> > directly attached.)
> With FreeBSD/OpenBSD, you could use a packet filtering bridge (quite nice
> IMO): put two ethernet cards in a box, one to the Cisco, the second to the
> switch with the Debian servers; no need for an IP address at the bridge,
> just bridge and firewall.
>
> I'm not sure if Linux can do this, maybe there are some patches for
> iptables to do it?
>
> > On Mon, 22 Oct 2001, James wrote:
> > >
> > > Yes, you could definitely do a firewall on each server.
> > >
> > > Also, have you considered setting up a 4th machine between the Cisco and 3
> > > servers? That could work also. You wouldn't make it a masq box, just
> > > configure it to pass packets based on the rules.
> > >
> > > - James
> > >
> > > -----Original Message-----
> > > From: Alson van der Meulen [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, October 22, 2001 6:58 AM
> > > To: Debian Security List
> > > Subject: Re: Firewall Related Question
> > >
> > > On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> > > > I've got some simple questions related to using a firewall on
> > > > some single public Debian boxes. I chose to post my questions
> > > > here because I always have security in mind during the development
> > > > time of my network services.
> > > >
> > > > Let me assume I've got a simple network with 3 public Debian
> > > > servers and 1 Cisco router (Internet gateway).
> > > >
> > > > The router belongs to my connection ISP, so I can't configure it,
> > > > but only use it for Internet connectivity.
> > > >
> > > > The 3 Debian boxes are under my full control.
> > > >
> > > > The best way to protect my Debian servers would be to install
> > > > a firewall on my gateway (Cisco router), but actually I can't,
> > > > so my question is: can I install a firewall on each of my Debian
> > > > boxes to filter/block incoming and outgoing network traffic?
> > > >
> > > > Is this a good choice? Or should I put another machine in my
> > > > network, between the gateway and the servers, which acts as a firewall?
> > > You can just configure a packet filter on all your servers; the main
> > > disadvantage is that it's more difficult to administer.
> --
> Alson van der Meulen

J.R. Blain
http://www.clockmedia.com/
--
Real programmers use chmod +x /dev/random and cross their fingers
-- Comment found in a vi/emacs flamewar on slashdot.
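The "firewall on each server" option that the thread recommends, as an added example that is not from the thread or any of its posters: a per-host ipchains ruleset for one public Debian server on a 2.2 kernel, where the server address, service ports and resolver address are assumed placeholders. By default it only prints the rules so they can be reviewed; APPLY=1 as root loads them.

```shell
#!/bin/sh
# Added example, not from the thread: per-host ipchains filter for one public
# Debian server on a 2.2 kernel (the "firewall on each server" option).
# Addresses and ports below are assumed placeholders. Default is a dry run that
# prints the ipchains commands; run as root with APPLY=1 to load them.

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# per_host_rules <server_ip> "<tcp service ports>" <resolver_ip>
# Default-deny input chain: new TCP connections only to the listed ports,
# stateless acceptance of reply traffic, DNS answers from the ISP resolver,
# the ICMP types working connections need, and logging of everything dropped.
per_host_rules() {
    ip=$1; ports=$2; dns=$3
    run ipchains -F input
    run ipchains -P input DENY
    run ipchains -A input -i lo -j ACCEPT
    for p in $ports; do
        # -y matches SYN-only segments, i.e. new inbound connections.
        run ipchains -A input -p tcp -d "$ip" "$p" -y -j ACCEPT
    done
    # ipchains has no connection tracking: non-SYN segments are treated as
    # replies to connections this host opened (they cannot open a new one).
    run ipchains -A input -p tcp -d "$ip" ! -y -j ACCEPT
    run ipchains -A input -p udp -s "$dns" 53 -d "$ip" -j ACCEPT
    # ipchains takes the ICMP type in the source-port position: 0 echo-reply,
    # 3 destination-unreachable (incl. fragmentation-needed), 11 time-exceeded.
    for t in 0 3 11; do
        run ipchains -A input -p icmp -s 0/0 "$t" -d "$ip" -j ACCEPT
    done
    # Everything else is dropped and logged so the drops show up in syslog.
    run ipchains -A input -j DENY -l
}

# Constructed invocation: SSH and HTTP exposed, ISP resolver at 192.0.2.1.
per_host_rules 192.0.2.10 "22 80" 192.0.2.1
```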