[leaf-user] Here is how to use Bering as a bridge with shorewall.
Hello,

Over the weekend I set up Bering as a bridge and used shorewall version 2.0 (from www.shorewall.net) for the firewall. As I didn't find out all the steps from the documentation online I thought I would send this message so others would have an easier time setting it up.

To save money I opted to not buy a switch but instead add more NICs into the router. So the topology looked like:

    192.168.1.10 --|
                   |--[firewall/router 192.168.1.254]-> Internet
    192.168.1.20 --|

The bridge acts at the ethernet level so the internal NICs are not assigned an address. br0 is the bridge and it is assigned the IP address. Both machines can access the router at 192.168.1.254.

Steps:

1. Include the bridge.lrp package.

2. Get the bridge.o module and install it into modules.lrp.

3. Download shorewall 2.0 from the shorewall website (rename to shorewall.lrp and install on the disk).

4. Configure /etc/network/interfaces as normal for the external interface, be it DHCP or PPPoE, etc. Configure the bridge as follows:

    auto br0
    iface br0 inet static
        address 192.168.1.254
        masklen 24
        netmask 255.255.255.0
        broadcast 192.168.1.255
        pre-up /sbin/ip link set eth1 up
        pre-up /sbin/ip link set eth2 up
        pre-up /usr/sbin/brctl addbr br0
        pre-up /usr/sbin/brctl addif br0 eth1
        pre-up /usr/sbin/brctl addif br0 eth2
        bridge_ports eth1 eth2

   Note the last line. It took me a while to figure it out, but this limits the interfaces that participate in the bridge. The bering user guide has the "all" directive, which makes the external interface participate in the bridge as well, which is not what is desired.

5. Configure shorewall as usual with two zones: loc and net. Add the directive BRIDGING=Yes into shorewall.conf, and in /etc/shorewall/interfaces use the following line for the loc zone definition:

    loc br0 192.168.1.255 routeback

6. If you want the two machines to be able to communicate with each other you also have to add the following into the /etc/shorewall/policy file:

    loc loc ACCEPT

I hope this information will be of help to someone,

Mike

---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
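The script below is an added example, not part of Mike's post and not code from the Bering or Shorewall projects. It checks copies of the three files the procedure above touches for the pitfalls the post describes: a `bridge_ports all` line (or the external NIC listed as a bridge port) would put the Internet-facing interface on the same layer-2 segment as the LAN, so frames could be bridged past the net->loc zone rules; a missing `BRIDGING=Yes`; and a missing `loc loc ACCEPT` policy. The external interface name `eth0`, the bridge name `br0` and the sample file contents are assumptions made for the example, and the sample files are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a Bering/Shorewall
# bridge setup, run against copies of /etc/network/interfaces,
# /etc/shorewall/shorewall.conf and /etc/shorewall/policy.
# Assumptions (not stated in the thread): the external interface is eth0,
# the bridge is br0, and file paths are passed explicitly.

# Print the bridge_ports value of the stanza for bridge $2 in interfaces file $1.
bridge_ports_of() {
    awk -v br="$2" '
        $1 == "iface" && $2 == br { inside = 1; next }
        $1 == "iface" || $1 == "auto" { inside = 0 }
        inside && $1 == "bridge_ports" { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Return 0 if bridge $2 in file $1 lists its ports explicitly and the
# external interface $3 is not among them. "bridge_ports all" would also
# attach the external NIC to the bridge, so traffic from the Internet could
# reach the LAN at layer 2 instead of passing through the net->loc rules.
check_bridge_ports() {
    ports=$(bridge_ports_of "$1" "$2")
    if [ -z "$ports" ]; then
        echo "FAIL: no bridge_ports line in the $2 stanza"
        return 1
    fi
    for p in $ports; do
        case "$p" in
            all)  echo "FAIL: 'bridge_ports all' would also bridge $3"; return 1 ;;
            "$3") echo "FAIL: external interface $3 is a member of $2"; return 1 ;;
        esac
    done
    echo "OK: $2 bridges only: $ports"
    return 0
}

# Return 0 if shorewall.conf ($1) enables bridging.
check_bridging_enabled() {
    grep -Eq '^[[:space:]]*BRIDGING=Yes[[:space:]]*$' "$1"
}

# Return 0 if the policy file ($1) has the loc->loc ACCEPT entry that lets
# hosts on different bridge ports talk to each other.
check_loc_loc_policy() {
    awk '$1 == "loc" && $2 == "loc" && $3 == "ACCEPT" { found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Constructed sample inputs (not real config from any host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/interfaces.good" <<'EOF'
auto eth0
iface eth0 inet dhcp

auto br0
iface br0 inet static
    address 192.168.1.254
    netmask 255.255.255.0
    broadcast 192.168.1.255
    pre-up /sbin/ip link set eth1 up
    pre-up /sbin/ip link set eth2 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth1
    pre-up /usr/sbin/brctl addif br0 eth2
    bridge_ports eth1 eth2
EOF
# Same stanza with the user guide's "all" directive, which the post warns about.
sed 's/bridge_ports eth1 eth2/bridge_ports all/' "$SAMPLE_DIR/interfaces.good" \
    > "$SAMPLE_DIR/interfaces.bad"
printf 'BRIDGING=Yes\n' > "$SAMPLE_DIR/shorewall.conf"
printf 'loc net ACCEPT\nloc loc ACCEPT\nnet all DROP info\nall all REJECT info\n' \
    > "$SAMPLE_DIR/policy"

# Run the checks when executed directly; each prints a verdict line.
check_bridge_ports "$SAMPLE_DIR/interfaces.good" br0 eth0
check_bridge_ports "$SAMPLE_DIR/interfaces.bad" br0 eth0 || true
check_bridging_enabled "$SAMPLE_DIR/shorewall.conf" && echo "OK: BRIDGING=Yes set"
check_loc_loc_policy "$SAMPLE_DIR/policy" && echo "OK: loc loc ACCEPT present"
```

To use it on a real router, copy the three files off the box and point the four functions at the copies with the real external interface name; the `awk` parser only looks inside the `iface br0` stanza, so a `bridge_ports` line belonging to another bridge is ignored.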
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
[EMAIL PROTECTED] wrote:

> Over the weekend I set up Bering as a bridge and used shorewall version 2.0 (from www.shorewall.net) for the firewall. As I didn't find out all the steps from the documentation online I thought I would send this message so others would have an easier time setting it up.

Shorewall 2.0 doesn't have any bridging capability that isn't available in earlier versions. So your instructions are equally valid for earlier versions of the software.

The experimental bridge/firewall code for Shorewall needs to be added on top of 2.0 for full bridge functionality. See http://shorewall.net/bridge.html.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
Quoting Tom Eastep <[EMAIL PROTECTED]>:

> [EMAIL PROTECTED] wrote:
>
> > Over the weekend I set up Bering as a bridge and used shorewall version 2.0 (from www.shorewall.net) for the firewall. As I didn't find out all the steps from the documentation online I thought I would send this message so others would have an easier time setting it up.
>
> Shorewall 2.0 doesn't have any bridging capability that isn't available in earlier versions. So your instructions are equally valid for earlier versions of the software.
>
> The experimental bridge/firewall code for Shorewall needs to be added on top of 2.0 for full bridge functionality. See http://shorewall.net/bridge.html.

I see I misread the shorewall requirement line on that page. What extra does full bridge functionality give?

I don't completely understand how bridging works, just how I made it work with shorewall and bering. The bering user guide said that bridging and shorewall don't work, which is why I assumed that shorewall 2.0 had been the difference.

Regards,
Mike
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote:

> I see I misread the shorewall requirement line on that page. What extra does full bridge functionality give?
>
> I don't completely understand how bridging works, just how I made it work with shorewall and bering. The bering user guide said that bridging and shorewall don't work, which is why I assumed that shorewall 2.0 had been the difference.

I make the statement that Shorewall doesn't work with bridging because prior to the availability of the experimental code, it was not possible to associate a Shorewall zone with a bridge port. Nevertheless, as you and others have discovered, it is possible to associate a zone with the bridge itself and, using ip-address or MAC filtering, it is even possible to control traffic through the bridge.

The new bridge code which will be released in Shorewall 2.0.1 will allow you to associate zones with bridge ports. That is made possible by the fact that the physdev match capability is available as a standard part of the 2.6 kernels (it is still an add-on under 2.4).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
I have a few questions regarding this...

Now, if I have this figured correctly, the bridge is transparent to your ISP, so you would need another host behind the bridge to have an address, correct? The use I have in mind would be statically assigned.

Also, I would expect the bridge still to work without having an IP assigned to the bridge (if the only reason to have the IP is for management) if you connect via serial cable for management, right?

Finally, the firewalling aspect of the bridge only works in the FORWARD chain, right? DNAT and SNAT and all that won't work correctly, would it? All I want to do is have the bridge do some rough filtering for me, a lot of the background noise such as SQL sweeps and backdoor checking. Perhaps an IDS such as Snort, but I don't know yet.

Thanks,

Tony

Tom Eastep wrote:

> On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote:
>
> > I see I misread the shorewall requirement line on that page. What extra does full bridge functionality give?
> >
> > I don't completely understand how bridging works, just how I made it work with shorewall and bering. The bering user guide said that bridging and shorewall don't work, which is why I assumed that shorewall 2.0 had been the difference.
>
> I make the statement that Shorewall doesn't work with bridging because prior to the availability of the experimental code, it was not possible to associate a Shorewall zone with a bridge port. Nevertheless, as you and others have discovered, it is possible to associate a zone with the bridge itself and, using ip-address or MAC filtering, it is even possible to control traffic through the bridge.
>
> The new bridge code which will be released in Shorewall 2.0.1 will allow you to associate zones with bridge ports. That is made possible by the fact that the physdev match capability is available as a standard part of the 2.6 kernels (it is still an add-on under 2.4).
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
On Mon, 15 Mar 2004, Tony wrote:

> Now, if I have this figured correctly, the bridge is transparent to your ISP, so you would need another host behind the bridge to have an address, correct? The use I have in mind would be statically assigned.

It could also be dynamically assigned. Although the usual application of a bridge/firewall would be BEHIND a local router. See http://www.shorewall.net/bridge.html.

> Also, I would expect the bridge still to work without having an IP assigned to the bridge (if the only reason to have the IP is for management) if you connect via serial cable for management, right?

Please follow the progress of testing of the bridging code on the Shorewall development list. It was recently reported that

> Finally, the firewalling aspect of the bridge only works in the FORWARD chain, right? DNAT and SNAT and all that won't work correctly, would it?

Well, DNAT and SNAT work but only within the confines of a bridge. Remember that a bridge has no (or a trivial) routing table. For example, I'm running Squid as a transparent proxy on my bridge. See http://shorewall.net/myfiles.htm.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
I had bridging working with shorewall 1.?? and Bering-uClibc (something) about a year ago, when I was too stingy to buy a switch. (P90 + 2 ISA NE2000 compatible cards for the LAN plus a dialup modem to the internet.)

I ended up just replacing ppp0 in all the shorewall config files with br0 and it worked like a charm. I needed a couple of other entries to allow my 2 PCs to transfer data to each other when the modem link was down.

> On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote:
>
> > I see I misread the shorewall requirement line on that page. What extra does full bridge functionality give?
> >
> > I don't completely understand how bridging works, just how I made it work with shorewall and bering. The bering user guide said that bridging and shorewall don't work, which is why I assumed that shorewall 2.0 had been the difference.
>
> I make the statement that Shorewall doesn't work with bridging because prior to the availability of the experimental code, it was not possible to associate a Shorewall zone with a bridge port. Nevertheless, as you and others have discovered, it is possible to associate a zone with the bridge itself and, using ip-address or MAC filtering, it is even possible to control traffic through the bridge.
>
> The new bridge code which will be released in Shorewall 2.0.1 will allow you to associate zones with bridge ports. That is made possible by the fact that the physdev match capability is available as a standard part of the 2.6 kernels (it is still an add-on under 2.4).
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
On Mon, 2004-03-15 at 18:16, Tony wrote:

> I have a few questions regarding this...
>
> Now, if I have this figured correctly, the bridge is transparent to your ISP, so you would need another host behind the bridge to have an address, correct? The use I have in mind would be statically assigned.

Typically there are hosts with addresses on both sides of the bridge.

> Also, I would expect the bridge still to work without having an IP assigned to the bridge (if the only reason to have the IP is for management) if you connect via serial cable for management, right?

A bridge doesn't have to have an IP, though perhaps you can't use Shorewall without one.

> Finally, the firewalling aspect of the bridge only works in the FORWARD chain, right? DNAT and SNAT and all that won't work correctly, would it? All I want to do is have the bridge do some rough filtering for me, a lot of the background noise such as SQL sweeps and backdoor checking. Perhaps an IDS such as Snort, but I don't know yet.

Take a look at ebtables.sourceforge.net, particularly http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

> Thanks,
>
> Tony
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
On Tuesday 16 March 2004 09:27 am, Richard Doyle wrote:

> A bridge doesn't have to have an IP, though perhaps you can't use Shorewall without one.

The experimental Shorewall bridge code has now been successfully tested with a bridge that doesn't have an IP address.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]