Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
On Mon, 2004-03-15 at 18:16, Tony wrote:

> I have a few questions regarding this... Now, if I have this figured correctly, the bridge is transparent to your ISP, so you would need another host behind the bridge to have an address, correct? The use I have in mind would be statically assigned.

Typically there are hosts with addresses on both sides of the bridge.

> Also, I would expect the bridge still to work without having an IP assigned to the bridge (if the only reason to have the IP is for management) if you connect via serial cable for management, right?

A bridge doesn't have to have an IP, though perhaps you can't use Shorewall without one.

> Finally, the firewalling aspect of the bridge only works in the FORWARD chain, right? DNAT and SNAT and all that won't work correctly, would it? All I want to do is have the bridge do some rough filtering for me, a lot of the background noise such as SQL sweeps and backdoor checking. Perhaps an IDS such as Snort, but I don't know yet.

Take a look at ebtables.sourceforge.net, particularly http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

> Thanks,
> Tony

---
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
[EMAIL PROTECTED] wrote:

> Over the weekend I set up Bering as a Bridge and used shorewall version 2.0 (from www.shorewall.net) for the firewall. As I didn't find out all the steps from the documentation online I thought I would send this message so others would have an easier time setting it up.

Shorewall 2.0 doesn't have any bridging capability that isn't available in earlier versions. So your instructions are equally valid for earlier versions of the software.

The experimental bridge/firewall code for Shorewall needs to be added on top of 2.0 for full bridge functionality. See http://shorewall.net/bridge.html.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
Quoting Tom Eastep [EMAIL PROTECTED]:

> [EMAIL PROTECTED] wrote:
>
>> Over the weekend I set up Bering as a Bridge and used shorewall version 2.0 (from www.shorewall.net) for the firewall. As I didn't find out all the steps from the documentation online I thought I would send this message so others would have an easier time setting it up.
>
> Shorewall 2.0 doesn't have any bridging capability that isn't available in earlier versions. So your instructions are equally valid for earlier versions of the software.
>
> The experimental bridge/firewall code for Shorewall needs to be added on top of 2.0 for full bridge functionality. See http://shorewall.net/bridge.html.

I see I misread the shorewall requirement line on that page. What extra does full bridge functionality give? I don't completely understand how bridging works, just how I made it work with shorewall and bering. The bering user guide said that bridging and shorewall don't work, which is why I assumed that shorewall 2.0 had been the difference.

Regards,
Mike
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote:

> I see I misread the shorewall requirement line on that page. What extra does full bridge functionality give? I don't completely understand how bridging works, just how I made it work with shorewall and bering. The bering user guide said that bridging and shorewall don't work, which is why I assumed that shorewall 2.0 had been the difference.

I make the statement that Shorewall doesn't work with bridging because prior to the availability of the experimental code, it was not possible to associate a Shorewall zone with a bridge port. Nevertheless, as you and others have discovered, it is possible to associate a zone with the bridge itself and using ip-address or MAC filtering, it is even possible to control traffic through the bridge.

The new bridge code which will be released in Shorewall 2.0.1 will allow you to associate zones with bridge ports. That is made possible by the fact that the physdev match capability is available as a standard part of the 2.6 kernels (it is still an add-on under 2.4).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
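
The per-port filtering that the physdev match makes possible, written directly as a netfilter ruleset in iptables-restore format. This is an added example, not part of the original thread and not the rules Shorewall generates. The bridge name br0, the ports eth0 (outside) and eth1 (inside), SSH as the management service, and the MS-SQL ports standing in for the "SQL sweeps" mentioned in the thread are all assumptions.

```iptables
# Added example. Assumed names: bridge br0 with ports eth0 (outside, towards
# the ISP) and eth1 (inside). Load with: iptables-restore < bridge.rules
# On current kernels bridged frames only reach iptables when the br_netfilter
# module is loaded and net.bridge.bridge-nf-call-iptables=1.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# The bridge's own IP is for management only (assumed: SSH on port 22) and is
# reachable only through the inside port.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i br0 -m physdev --physdev-in eth1 -p tcp --dport 22 -j ACCEPT

# Bridged traffic is filtered in FORWARD. -i/-o only ever see br0 there, so
# the physdev match is what tells the two sides of the bridge apart.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Rough filtering of inbound noise (assumed ports: MS-SQL 1433/tcp, 1434/udp).
-A FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 -p tcp --dport 1433 -j DROP
-A FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 -p udp --dport 1434 -j DROP

# Everything else crossing the bridge is allowed, matched by port pair.
-A FORWARD -m physdev --physdev-is-bridged --physdev-in eth1 --physdev-out eth0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT
COMMIT
```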
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
I have a few questions regarding this... Now, if I have this figured correctly, the bridge is transparent to your ISP, so you would need another host behind the bridge to have an address, correct? The use I have in mind would be statically assigned.

Also, I would expect the bridge still to work without having an IP assigned to the bridge (if the only reason to have the IP is for management) if you connect via serial cable for management, right?

Finally, the firewalling aspect of the bridge only works in the FORWARD chain, right? DNAT and SNAT and all that won't work correctly, would it? All I want to do is have the bridge do some rough filtering for me, a lot of the background noise such as SQL sweeps and backdoor checking. Perhaps an IDS such as Snort, but I don't know yet.

Thanks,
Tony

Tom Eastep wrote:

> On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote:
>
>> I see I misread the shorewall requirement line on that page. What extra does full bridge functionality give? I don't completely understand how bridging works, just how I made it work with shorewall and bering. The bering user guide said that bridging and shorewall don't work, which is why I assumed that shorewall 2.0 had been the difference.
>
> I make the statement that Shorewall doesn't work with bridging because prior to the availability of the experimental code, it was not possible to associate a Shorewall zone with a bridge port. Nevertheless, as you and others have discovered, it is possible to associate a zone with the bridge itself and using ip-address or MAC filtering, it is even possible to control traffic through the bridge.
>
> The new bridge code which will be released in Shorewall 2.0.1 will allow you to associate zones with bridge ports. That is made possible by the fact that the physdev match capability is available as a standard part of the 2.6 kernels (it is still an add-on under 2.4).
>
> -Tom
Re: [leaf-user] Here is how to use Bering as a bridge with shorewall.
I had bridging working with shorewall 1.?? and Bering-uClibc (something) about a year ago, when I was too stingy to buy a switch. (P90 + 2 ISA NE2000 compatible cards for the lan plus a dialup modem to the internet)

I ended up just replacing ppp0 in all the shorewall config files with br0 and it worked like a charm. I needed a couple of other entries to allow my 2 PCs to transfer data to each other when the modem link was down.

> On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote:
>
>> I see I misread the shorewall requirement line on that page. What extra does full bridge functionality give? I don't completely understand how bridging works, just how I made it work with shorewall and bering. The bering user guide said that bridging and shorewall don't work, which is why I assumed that shorewall 2.0 had been the difference.
>
> I make the statement that Shorewall doesn't work with bridging because prior to the availability of the experimental code, it was not possible to associate a Shorewall zone with a bridge port. Nevertheless, as you and others have discovered, it is possible to associate a zone with the bridge itself and using ip-address or MAC filtering, it is even possible to control traffic through the bridge.
>
> The new bridge code which will be released in Shorewall 2.0.1 will allow you to associate zones with bridge ports. That is made possible by the fact that the physdev match capability is available as a standard part of the 2.6 kernels (it is still an add-on under 2.4).
>
> -Tom