Bridge+Firewall mini-HOWTO, v1.1 by Peter Breuer Dec. 23, 1996
ptb@it.uc3m.es ptb@dit.upm.es ptb@eng.cam.ac.uk ptb@comlab.ox.ac.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You should look at the original Bridging mini-HOWTO by Chris Cole for a
different perspective on this. He is "chris@polymer.uakron.edu". The
version of his HOWTO that I have based this document on (alternatively,
ripped off) is 1.03 dated Aug 23 1996.
CONTENTS:
1.0) What and Why (and How?)
BRIDGING
1.1) Software
1.2) Prior Reading
1.3) Boot configuration
1.4) Kernel configuration
1.5) Network addresses
1.6) Network routing
1.7) Card configuration
1.8) Additional routing
1.9) Bridge configuration
1.10) Try it out
1.11) Checks
FIREWALLING
2.1) Software and reading
2.2) Preliminary checks
2.3) Default rule
2.4) Holes per address
2.5) Holes per protocol
2.6) Checks
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
What:
A bridge is an intelligent connecting wire between two network cards. A
firewall is an intelligent insulator.
Why:
You might want a bridge if you have several computers:
a) to save the price of a new hub when you just happen to have an
extra ethernet card available.
b) to save the bother of learning how to do IP-forwarding and
other tricks when you _have_ two cards in your computer.
c) to avoid maintenance work in the future when things change
around!
"Several computers" might be as few as three if those are routing or
bridging or just moving around the room from time to time! You also
might want a bridge just for the fun of finding out what it does. b)
was what I wanted a bridge for.
If you are really interested in a), you have to be one of the very few.
Check the NET-2-HOWTO and the Serial-HOWTO for better tricks.
sunsite.unc.edu:/pub/Linux/docs/HOWTO/NET-2-HOWTO
sunsite.unc.edu:/pub/Linux/docs/HOWTO/Serial-HOWTO
You want a firewall if
a) you are trying to protect your network from external accesses, or
b) you are trying to deny access to the world outside from your
network.
Curiously, I needed b) here too. Policy at my university presently is
that we should not act as internet service providers to undergraduates.
How?
I started out bridging the two network cards in a firewalling machine
and ended up firewalling without having cut the bridge. It seems to
work and is more flexible than either configuration alone. I can take
down the firewall and keep bridging or take down the bridge when I want
to be more circumspect.
I would guess that the bridge code lives just above the physical device
layer and the firewalling code lives one layer higher up, so that the
bridging and firewalling configurations effectively act as though they
are running connected together "in sequence" and not "in parallel"
(ouch!). Diagram:
-> Bridge-in -> Firewall-in -> Kernel -> Firewall-out -> Bridge-out ->
There is no other way to explain how one machine can be a "conductor"
and an "insulator" at the same time. Anyway, it all seems to work
together nicely. Here is what you do ..
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
BRIDGING
1.1) Software
Get the bridge configuration utility from Alan Cox's home pages. This
is the same reference as in Chris' document. I just didn't realize that
it was an ftp and not an http URL ...
ftp://shadow.cabi.net/pub/Linux/BRCFG.tgz
1.2) Prior Reading.
Read the 'Multiple ethernet' HOWTO for some advice on getting more than
one network card recognized and configured.
sunsite.unc.edu:/pub/Linux/docs/HOWTO/mini/Multiple-Ethernet
Yet more details of the kind of boot magic that you may need are in the
boot parameter howto:
sunsite.unc.edu:/pub/Linux/docs/HOWTO/BootPrompt-HOWTO
You may be able to get away without the NET-2-HOWTO. It is a good long
read and you will have to pick from it the details you need.
sunsite.unc.edu:/pub/Linux/docs/HOWTO/NET-2-HOWTO
1.3) Boot configuration
The reading material above will tell you that you need to prepare the
kernel to recognize a second ethernet device at boot up by adding this
to your /etc/lilo.conf, and then re-run lilo:
append = "ether=0,0,eth1"
Note the "eth1". "eth0" is the first card. "eth1" is the second card.
You can always add the boot parameters in your response to the line that
lilo offers you. This is for three cards:
linux ether=0,0,eth1 ether=0,0,eth2
I use loadlin to boot my kernel from DOS:
loadlin.exe c:\vmlinuz root=/dev/hda3 ro ether=0,0,eth1 ether=0,0,eth2
Note that this trick makes the kernel probe at bootup. That will not
happen if you load the ethernet drivers as modules (for safety since the
probe order can't be determined) so if you use modules you will have to
add the appropriate IRQ and port parameters for the driver in your
/etc/conf.modules. I have at least
alias eth0 3c509
alias eth1 de620
options 3c509 irq=5 io=0x210
options de620 irq=7 bnc=1
You can tell if you use modules by using "ps -aux" to see if kerneld is
running and checking that there are .o files in a subdirectory of your
/lib/modules directory. You want the directory named with what uname -r
tells you. If you have kerneld and/or you have a foo.o then edit
/etc/conf.modules and read the man page for depmod carefully.
Note also that until recently (kernel 2.0.25) the 3c509 driver could not be
used for more than one card if used as a module. I have seen a patch
floating around that fixes the oversight. It may be in the kernel when
you read this.
1.4) Kernel configuration
Recompile the kernel with bridging enabled.
CONFIG_BRIDGE=y
I also compiled with firewalling and IP-forwarding and -masquerading and
the rest enabled. Only if you want firewalling too ...
CONFIG_FIREWALL=y
CONFIG_NET_ALIAS=y
CONFIG_INET=y
CONFIG_IP_FORWARD=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
CONFIG_IP_MASQUERADE=y
You don't need all of this. What you do need apart from this is the
standard net configuration:
CONFIG_NET=y
and I do not think you need worry about any of the other networking
options. Any option that I did not compile into the kernel I have
available as a kernel module that I can load in later.
Install the new kernel in place, rerun lilo and reboot with the new kernel.
Nothing should have changed at this point!
1.5) Network addresses
Chris says that a bridge should not have an IP address but that is not
the setup to be described here.
You are going to want to use the machine for connecting to the net so
you need an address and you need to make sure that you have the loopback
device configured in the normal way so that your software can talk to
the places it expects to be able to talk to. If loopback is down the name
resolver or other net services might fail. See the NET-2-HOWTO, but your
standard configuration should already have done this bit:
ifconfig lo 127.0.0.1
route add -net 127.0.0.0
You will have to give addresses to both your network cards. I altered
the /etc/rc.d/rc.inet1 file in my Slackware (3.x) to set up my two cards;
you should likewise find your own net configuration file and double the
number of instructions in it. Suppose that you already have an address at
192.168.2.100
(that is the private net reserved address space, but never mind - it
won't hurt anybody if you use this address by mistake) then you probably
already have a line like
ifconfig eth0 192.168.2.100 netmask 255.255.255.0 metric 1
in your configuration. The first thing you will probably want to do is
cut the address space reached by this card in half so that you can
eventually bridge the two halves. So add a line which reduces the mask
so that the card addresses a smaller number of machines:
ifconfig eth0 netmask 255.255.255.128
Try it too. That restricts the card to at most the address space
between .0 and .127.
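To see on paper what the halved netmask does before changing a live card, here is an added example in POSIX sh. It is not part of the HOWTO; it only uses the addresses and masks from this section (192.168.2.100, 192.168.2.228, 255.255.255.0 and 255.255.255.128) and computes the network, broadcast and host range each address/mask pair covers, plus whether two addresses still share a subnet under a given mask. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: work out what a given
# ifconfig address/netmask pair actually covers, so the effect of cutting
# 255.255.255.0 down to 255.255.255.128 can be checked before touching
# the cards.

# Convert a dotted quad to a 32-bit integer (192.168.2.100 -> 3232236132).
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted-quad form.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of ADDR MASK -> the network (lowest) address of that subnet.
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# broadcast_of ADDR MASK -> the broadcast (highest) address of that subnet.
# 4294967295 - mask is the host part of the mask inverted, without relying
# on the width of the shell's integers.
broadcast_of() {
    int_to_ip $(( $(ip_to_int "$1") | (4294967295 - $(ip_to_int "$2")) ))
}

# host_range ADDR MASK -> "first-last" usable host addresses of that subnet.
host_range() {
    net=$(ip_to_int "$(network_of "$1" "$2")")
    bc=$(ip_to_int "$(broadcast_of "$1" "$2")")
    echo "$(int_to_ip $((net + 1)))-$(int_to_ip $((bc - 1)))"
}

# same_subnet A B MASK -> exit 0 when both addresses share one network
# under MASK, i.e. a plain route would reach both without the bridge.
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# Demonstration on the addresses used in this section of the HOWTO:
# the full /24, then the two halves the bridge is meant to join.
for pair in "192.168.2.100 255.255.255.0" \
            "192.168.2.100 255.255.255.128" \
            "192.168.2.228 255.255.255.128"; do
    set -- $pair
    echo "$1/$2: net $(network_of "$1" "$2") bcast $(broadcast_of "$1" "$2") hosts $(host_range "$1" "$2")"
done
```

Run it as `sh` and it prints one line per pair; with the .128 mask, .100 lands in the .0 to .127 half and .228 in the .128 to .255 half, which is exactly why the two cards can later be bridged rather than routed.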
Now you can set your second card up in the other half of the local
address space. Make sure that nobody already has the address. For
symmetry I set it at 228=128+100