Thanks to all. This was the biggy. It is actually REALLY simple.

http://bridge.sourceforge.net/docs/bridge-firewall-ipchains.html

Basically says use rules on the 'bridge' interface, not the ethX interface. D'oh!
-----Original Message-----
From: Ulrich Keil [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 08, 2002 5:29 PM
To: Security-Basics (E-mail)
Subject: Re: ipchains and bridging

On Mon, Jul 08, 2002 at 10:11:44AM -0400, Chris Santerre wrote:
> I have a firewall I have been working on. 3 NICs. I have real IP addresses
> for the outside NIC, DMZ NIC, and servers in the DMZ. I used bridging to get
> packets from the internet to the servers in the DMZ. Here is the problem.
> Bridging seems to be at a lower level than packet filtering. I can't filter
> anything coming IN to the DMZ, only out. It works, and stops everything, but
> it is NOT the best setup at all!!! I am well aware of ways to attempt to
> compromise the servers in the DMZ. A DOS or ping of death could work easily.
> Any thoughts on how to go about fixing this, or have I doomed myself using
> bridging?

Linux BRIDGE-STP-HOWTO:
http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/rules-on-bridging.html

Section 4: "-A bridge knows nothing about higher protocols than ARP"

Means: It is normally not possible to filter packets on a bridge ... but ...
There is a patch available to make ipchains/iptables work on a bridge:
http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/advanced-bridge.html#IPCHAINS
http://bridge.sourceforge.net/download.html

> Should I have virtually hosted the WEB and EMAIL server on the outside NIC
> of the firewall, and ipportfwd them to DMZ machines on a 192.x.x.x network?

I prefer this option, because you normally don't have any advantages using a
bridge against using NAT.

Ulrich
--
http://www.der-keiler.de
PGP Fingerprint: 5FA4 4C01 8D92 A906 E831 CAF1 3F51 8F47 1233 9AAD
Public key available at http://www.der-keiler.de/uk/pgp-key.asc
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s-:- a-- C++ UL+++ P++ L+++ E--- W+++ N++ o- K- w-- O- M- V- PS PE Y+
PGP++ t+ 5 X R tv b+ DI- D++ G e h-- r++ y+
------END GEEK CODE BLOCK------
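The fix the thread arrives at, written out as an added example (this is not code from either poster or from the bridge project): ipchains rules for the DMZ are attached to the bridge interface, and a deliberately wrong variant attached to a member NIC is kept beside it for contrast. It assumes a kernel carrying the bridge-firewall patch the reply links to, a bridge named br0 joining the outside and DMZ NICs, and a DMZ web server at the constructed placeholder address 192.0.2.10. The IPCHAINS variable defaults to `echo ipchains` so the rule set can be reviewed (and checked by the self-test function) without root; set IPCHAINS=ipchains to apply it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the bridge-firewall patch,
# a bridge interface br0, and a placeholder DMZ web server address.
BRIDGE="br0"            # assumed bridge interface name
DMZ_WEB="192.0.2.10"    # constructed placeholder address for the DMZ web server

# Default to printing the commands instead of running them; override with
# IPCHAINS=ipchains on a real firewall.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# Emit (or apply) one rule.
rule() {
    $IPCHAINS "$@"
}

# Working rule set: every interface match is the bridge. On a bridged box
# the ethX member interfaces never see the frames at the ipchains layer,
# which is why the poster could not filter anything inbound.
dmz_inbound_rules() {
    rule -F input
    rule -P input DENY
    # HTTP to the DMZ web server is the only inbound service allowed.
    rule -A input -i "$BRIDGE" -p tcp -d "$DMZ_WEB" 80 -j ACCEPT
    # Replies from the web server: established TCP only (no SYN).
    rule -A input -i "$BRIDGE" -p tcp ! -y -s "$DMZ_WEB" 80 -j ACCEPT
    # Echo requests (ICMP type 8, given in the source-port position) to the
    # DMZ host are dropped rather than forwarded.
    rule -A input -i "$BRIDGE" -p icmp -s 0/0 8 -d "$DMZ_WEB" -j DENY
    # Everything else arriving on the bridge is denied and logged (-l).
    rule -A input -i "$BRIDGE" -l -j DENY
}

# Broken variant kept for contrast: keyed on the DMZ NIC, this rule never
# matches a bridged frame, so it neither allows nor blocks anything.
broken_nic_rules() {
    rule -A input -i eth1 -p tcp -d "$DMZ_WEB" 80 -j ACCEPT
}

# Self-check: returns 0 if every "-i" match in the working set names the
# bridge, 1 if any rule still references another interface.
check_rules_use_bridge() {
    if dmz_inbound_rules | grep -- '-i ' | grep -qv -- "-i $BRIDGE"; then
        return 1
    fi
    return 0
}

dmz_inbound_rules
```

With the default echo mode the script prints the exact ipchains invocations, which is also a convenient way to diff a proposed rule set before touching a live firewall.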
