I put a bridging firewall together last winter
(with some help) and have it in production in front of a couple of Windows web and
mail servers for going on 6 months now. I used Fedora C1 with 2.4.22 kernel and
0.9.6 bridge-utils. The bridge has solved a lot of security headaches. I
use a modified startup script written by David Whitmarsh that has worked really
well. http://www.sparkle-cc.co.uk/firewall/rc.firewall.sh.txt
Now that Fedora C2 has the 2.6 kernel (2.6.5-1.358)
I figured I'd try it on a test machine. I loaded the 0.9.6 bridge-utils rpm that
came with it, for simplicity, and double checked the networking files to make
sure eth0 and eth1 were set up correctly without IPs. I then ran these commands
in bash and the bridge came up perfectly.
-------------------------------------
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig br0 192.168.1.14 up
---------------------------------------
I could see across the bridge from both sides, and
thought this was too easy. Then I dropped the startup script I've been using in
/etc/rc.d and started running into problems. I found out modules are handled a
little differently now (modutils to module-init-tools), so iptables has to be
handled a little differently. But what's got me are the errors popping up when
trying to start the bridge from this script I'm testing with (syntax
OK):
--------------------------------------
#!/bin/sh
BR_IP="192.168.1.14"
BR_IFACE=br0
INET_IFACE="eth1"
LAN_IFACE="eth0"
#
brctl addbr $BR_IFACE
brctl addif $BR_IFACE $INET_IFACE
brctl addif $BR_IFACE $LAN_IFACE
ifconfig $INET_IFACE 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0
ifconfig $BR_IFACE up
--------------------------------------
which works fine with the 2.4 kernel but errors out
with
--------------------------------------
[EMAIL PROTECTED] root]# sh /etc/rc.d/rc.bridge
SIOCSIFADDR: No such device
: unknown interface: No such device
SIOCSIFADDR: No such device
: unknown interface: No such device
doesn't exist!
doesn't exist!
: Host name lookup failure
ifconfig: `--help' gives usage information.
--------------------------------------
on this test box. I believe this is a similar
problem to the one noted a few days ago by Harald K�the http://lists.osdl.org/pipermail/bridge/2004-June/000382.html (although
I'm using the 0.9.6 bridge-utils) regarding where SIOCGIFCONF only lists
interfaces that have IP addresses. I tried adding IPADDR=0.0.0.0 to ifcfg-eth0
and ifcfg-eth1 but it had no effect. Fedora uses glibc so the patch for uClibc
wasn't useful. What I don't understand is how the same commands can be typed
into a shell, but won't work in the script?
Pardon my ignorance, as I'm just learning Linux and
trying to muddle my way through, but any pointers would be appreciated. I'd also
appreciate any suggestions on how to handle the iptables rules in a startup
script.
Thank you,
Jim
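One thing worth ruling out before looking at the kernel or bridge-utils is the script file itself. A script saved from a Windows editor carries carriage-return line endings, and a trailing CR becomes part of every variable value and every last argument on a line: ifconfig is then asked about an interface named "eth1<CR>", which it reports as an unknown interface, and a keyword such as "up<CR>" fails hostname resolution and triggers the "`--help' gives usage information" line. Typing the same commands interactively never has this problem. The script below is an added example, not Jim's script or anything from the bridge project: it keeps the same command sequence but checks the file's line endings and each interface's presence (via /sys/class/net, which a 2.6 kernel exposes whether or not the interface has an address) before calling brctl or ifconfig. The interface names and the 192.168.1.14 address are taken from the post; the function names and the "start" argument convention are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the original rc.bridge): the same bridge bring-up
# sequence, with each input checked so a failure names its real cause.
# Assumed: interface names and address from the post; everything else is
# illustrative.

BR_IFACE=br0
INET_IFACE=eth1
LAN_IFACE=eth0
BR_IP=192.168.1.14

# has_cr FILE: succeed if FILE contains carriage-return characters.
# DOS line endings turn "eth1" into "eth1<CR>", which ifconfig rejects.
has_cr() {
    grep -q "$(printf '\r')" "$1"
}

# clean_name NAME: strip stray CR/LF/whitespace from a name read from a file.
clean_name() {
    printf '%s' "$1" | tr -d '\r\n\t '
}

# iface_exists NAME: succeed if the kernel knows an interface called NAME.
# /sys/class/net lists every interface, with or without an IP address,
# so it is a better existence check than parsing ifconfig output.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# bring_up_bridge: the original command sequence, each step checked.
# Returns non-zero and prints the failing step instead of continuing.
bring_up_bridge() {
    if has_cr "$0"; then
        echo "$0: file has CR line endings; convert it (dos2unix) first" >&2
        return 1
    fi
    for i in "$INET_IFACE" "$LAN_IFACE"; do
        iface_exists "$i" || { echo "interface $i is not present" >&2; return 1; }
    done
    brctl addbr "$BR_IFACE"                 || { echo "addbr failed" >&2; return 1; }
    brctl addif "$BR_IFACE" "$INET_IFACE"   || { echo "addif $INET_IFACE failed" >&2; return 1; }
    brctl addif "$BR_IFACE" "$LAN_IFACE"    || { echo "addif $LAN_IFACE failed" >&2; return 1; }
    ifconfig "$INET_IFACE" 0.0.0.0          || { echo "clearing $INET_IFACE failed" >&2; return 1; }
    ifconfig "$LAN_IFACE" 0.0.0.0           || { echo "clearing $LAN_IFACE failed" >&2; return 1; }
    ifconfig "$BR_IFACE" "$BR_IP" up        || { echo "bringing up $BR_IFACE failed" >&2; return 1; }
    echo "bridge $BR_IFACE is up"
}

# Only touch the system when started as root with the "start" argument
# (assumed convention); loading the file for its functions does nothing.
if [ "$(id -u)" = 0 ] && [ "${1:-}" = start ]; then
    bring_up_bridge
fi
```

Running `sh /etc/rc.d/rc.bridge start` on the test box would then either bring the bridge up or stop at the first check with a message that says which input was wrong; `file /etc/rc.d/rc.bridge` reporting "with CRLF line terminators" is the quick manual version of the same check.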
_______________________________________________ Bridge mailing list [EMAIL PROTECTED] http://lists.osdl.org/mailman/listinfo/bridge
