Building a Bridging Firewall with Linux

    Date: 27 Mar 2001
    Category: Firewalls
    Posted By: Anthony Pell
    UPDATE: Dave V. sent in a few comments about the inaccuracies of this article: "Please warn your readers about the numerous flaws in the Bridging Firewall article. The overall architecture of the solution was unnecessary and incorrect, and the ipchains script had more errors in it than I care to list here. If an inexperienced user were to use this as a model for his firewall, it would result in an extremely FALSE sense of security. Please review the articles that you link to more carefully."

    Dave V.

    PS Other than that, great job! I love the site.

    Linux kernels 2.2 and later support Ethernet bridging. A bridge forwards every frame it receives on one interface out of the other according to the frame's Ethernet destination MAC address, without regard to the source or destination IP address. AC2I, a French company, distributes a kernel patch that allows the ipchains packet filter to operate on the bridged interfaces. With it you can build a firewall that is invisible to the Internet, because the bridge interfaces carry no IP address, yet still provides a high level of protection and access control for your private network. The remainder of this article explains the steps needed to get a bridging firewall up and running.
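    The same transparent-bridge design, shown here as an added example that is not code from the linked article or from AC2I's patch, on a current Linux kernel: the in-kernel bridge driver (configured with ip link) takes the place of the 2.2-era bridging code, and an nftables ruleset in the "bridge" family takes the place of the patched ipchains. The interface names eth0/eth1 and the bridge name br0 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the linked article or from AC2I's patch: a
# transparent filtering bridge on a current Linux kernel using the in-kernel
# bridge driver and the nftables "bridge" family instead of the 2.2-era
# ipchains patch.  Interface and bridge names are assumed placeholders.
WAN_IF="${WAN_IF:-eth0}"   # side facing the Internet / upstream router
LAN_IF="${LAN_IF:-eth1}"   # side facing the protected LAN
BR_IF="${BR_IF:-br0}"

# Build the bridge with no IP address on any member or on the bridge itself:
# with no layer-3 stack listening, the firewall cannot be addressed from
# either side, which is what makes it "invisible".
setup_bridge() {
    ip link add name "$BR_IF" type bridge
    ip link set "$WAN_IF" master "$BR_IF"
    ip link set "$LAN_IF" master "$BR_IF"
    ip link set "$WAN_IF" up
    ip link set "$LAN_IF" up
    ip link set "$BR_IF" up
}

# Emit the ruleset as text so it can be reviewed before it is loaded.  Frames
# crossing the bridge pass the "forward" hook of the bridge family; the chain
# policy is drop, so anything not listed below never reaches the LAN.
# Connection tracking in the bridge family needs the nf_conntrack_bridge
# module (kernel 5.3 or later).
bridge_ruleset() {
    cat <<EOF
table bridge filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # ARP must pass in both directions or nothing on either side resolves.
        ether type arp accept

        # LAN hosts may initiate any connection outbound ...
        iifname "$LAN_IF" oifname "$WAN_IF" accept

        # ... and only replies to those connections may come back in.
        iifname "$WAN_IF" oifname "$LAN_IF" ct state established,related accept

        # Count what the outside tried and we refused, for later review.
        iifname "$WAN_IF" counter drop
    }
}
EOF
}

# Load the generated ruleset as one transaction: all of it applies or none of it.
apply_ruleset() {
    bridge_ruleset | nft -f -
}

# Inspect the running state: bridge membership and the live rules with counters.
show_state() {
    bridge link show
    nft list table bridge filter
}

# Run with "apply" (as root) to build the bridge and load the rules; with no
# argument it only prints the ruleset it would load.
case "${1:-}" in
    apply) setup_bridge && apply_ruleset && show_state ;;
    *)     bridge_ruleset ;;
esac
```

    Because neither the bridge nor its member ports has an IP address, the box cannot be managed over either bridged segment; administer it from the console or from a separate, non-bridged management interface. The counter on the final drop rule is the place to look (nft list table bridge filter) when checking what the outside attempted.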

    A filtering bridge is useful in a number of situations. It is a quick and easy way to add a firewall to an existing LAN without having to change any IP addresses or use NAT. It can also be used to create protected or restricted subnets on a LAN. For example, if you have frequent visitors who need Internet access, you can put them behind a bridging firewall configured to allow them access to the Internet, but not to any hosts on your LAN. It can be used to protect a DSL or cable modem connection. Since the bridge interfaces do not run an IP protocol stack, they are immune from many of the common intrusion and denial-of-service attacks.
