Wolfgang Kohnen wrote:
> Hello folks!
> I've got a more or less complicated problem here and my own knowledge
> about iptables doesn't help me anymore. Please give me some light!
> The problem I am facing is that I would like to default-route
> packages from one local network to a [0]transparent firewall (its bridge
> interface) so that this box routes packages either to a [1]cisco router
> which further connects to off-site networks and the internet, or my
> bridge routes these packages to other on-site routers. I would like to
> do it this way because there are many different dumb clients in that
> network and I would like to avoid configuring additional network routes
> into every single client. This way my bridge "router" can decide
> centrally where to go -- either to the uplink or to other on-site routers.
> This setup means that packages going from my network mentioned above to
> the internet will go to my bridge router's br0 interface, because their
> default gateway points to this interface. The transparent
> firewall/bridge itself has a different default gateway pointing to the
> cisco router and the package will find its way... so far so good. But
> packages going the other way round will arrive from the internet (or
> other off-site networks) at the cisco router and then they will be sent
> from the cisco router directly to the client, i.e. transparently through
> the bridge.
> Summarized: I have a more or less asymmetric routing, packages going to
> the bridge but coming from the cisco, though physically going both ways
> through my bridge.
I think this doesn't work, if I understand what you want to do.
Are you using a switch router or a pure router,
and where do you want to put your bridging firewall?
If you want to do something like this, it doesn't work:
|------------|
---------| Cisco |
|------------|
| | | | |
|- ---| Workstations
| FWB |
|-----|
Could you explain with ASCII art what you need?
> This asymmetry gives me two questions I can't answer by myself:
> 1.) Does it work like I've explained here, or am I talking rubbish? :-)
> 2.) How can I handle connections going through this transparent
> firewall? Am I able to [2]statefully inspect connections [0]easily here!?
> Thanks a lot in advance for any advice!
> Wollie
> Notes:
> [0] I would like to use a Debian box with Linux 2.6.xy, and fwbuilder
> 2.0.6 because I am very familiar with Debian and I have to coach local
> admins with firewalling and I would like to abide by fwbuilder (wow,
> experimental English... did you get me?)
> [1] It's on the same logical network, hence the bridging. It's not our
> router, I can't change any configs.
> [2] This is the main reason why I want to place a bridge/transparent fw
> in front of the cisco router: I want to firewall this connection with
> one of my own machines.
--
Weill Philippe - Administrateur Systeme et Reseaux
Devil-Linux distribution for firewall and security
http://www.devil-linux.org
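The stateful-inspection question in the thread (does connection tracking on the bridge still work when the outbound hop is the bridge but the return traffic is sent by the Cisco straight to the client?) comes down to one thing: whether the inspecting box sees both directions of the flow. The following is an added example, not code from the thread, from fwbuilder or from Devil-Linux. It is a toy TCP connection tracker modelled on the Linux nf_conntrack state machine (with the tcp_loose pickup of mid-stream packets disabled), plus the usual "NEW only from the LAN, ESTABLISHED both ways, drop the rest" policy. All addresses, ports and hop names ("bridge", "cisco") are constructed for the example.

```python
"""Toy TCP conntrack on a bridge firewall: why stateful inspection works when the
reply path physically traverses the bridge, and how it fails when the reply path
bypasses the inspecting box (true asymmetric routing). Added example; the LAN
prefix, addresses, ports and hop names are constructed, not from the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as a string: "S", "SA", "A", "PA"


class TcpConntrack:
    """Flows are keyed in the originator's orientation (inside -> outside), like
    nf_conntrack's ORIGINAL/REPLY tuples. Simplified state machine:
    NONE --SYN(orig)--> SYN_SENT --SYN/ACK(reply)--> SYN_RECV --ACK(orig)--> ESTABLISHED."""

    def __init__(self, inside_prefix: str):
        self.inside = inside_prefix          # e.g. "10.1.0." for the protected LAN
        self.flows = {}                      # flow key -> TCP state

    def _key(self, p: Packet):
        if p.src.startswith(self.inside):
            return (p.src, p.sport, p.dst, p.dport), "ORIGINAL"
        return (p.dst, p.dport, p.src, p.sport), "REPLY"

    def ctstate(self, p: Packet) -> str:
        key, direction = self._key(p)
        state = self.flows.get(key, "NONE")
        if state == "NONE":
            if direction == "ORIGINAL" and p.flags == "S":
                self.flows[key] = "SYN_SENT"
                return "NEW"
            return "INVALID"                 # no mid-stream pickup (tcp_loose=0)
        if state == "SYN_SENT":
            if direction == "REPLY" and p.flags == "SA":
                self.flows[key] = "SYN_RECV"
                return "ESTABLISHED"         # first reply seen: both directions known
            return "INVALID"                 # originator ACK before any SYN/ACK was seen
        if state == "SYN_RECV":
            if direction == "ORIGINAL" and "A" in p.flags:
                self.flows[key] = "ESTABLISHED"
            return "ESTABLISHED"
        return "ESTABLISHED"


class BridgeFirewall:
    """Policy: accept NEW from the LAN, accept ESTABLISHED both ways, drop the rest."""

    def __init__(self, inside_prefix: str):
        self.ct = TcpConntrack(inside_prefix)
        self.log = []

    def forward(self, p: Packet) -> bool:
        state = self.ct.ctstate(p)
        from_lan = p.src.startswith(self.ct.inside)
        verdict = "ACCEPT" if state == "ESTABLISHED" or (state == "NEW" and from_lan) else "DROP"
        self.log.append(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] ctstate={state} {verdict}")
        return verdict == "ACCEPT"


def deliver(fw: BridgeFirewall, p: Packet, hops) -> bool:
    """Walk the packet over its hops; only the 'bridge' hop filters. True if delivered."""
    for hop in hops:
        if hop == "bridge" and not fw.forward(p):
            return False
    return True


def simulate(out_hops, back_hops):
    """LAN client opens a TCP connection to a host beyond the Cisco: handshake plus
    one data segment. Returns (per-packet delivered flags, firewall log)."""
    fw = BridgeFirewall("10.1.0.")
    client, server = ("10.1.0.25", 40001), ("203.0.113.80", 80)   # constructed
    exchange = [
        (Packet(*client, *server, "S"), out_hops),
        (Packet(*server, *client, "SA"), back_hops),
        (Packet(*client, *server, "A"), out_hops),
        (Packet(*client, *server, "PA"), out_hops),
    ]
    results = [deliver(fw, p, hops) for p, hops in exchange]
    return results, fw.log


def unsolicited_from_outside() -> bool:
    """An inbound SYN with no state is dropped on the bridge."""
    fw = BridgeFirewall("10.1.0.")
    return deliver(fw, Packet("203.0.113.80", 80, "10.1.0.25", 40001, "S"), ["cisco", "bridge"])


if __name__ == "__main__":
    for title, back in (("reply physically through the bridge", ["cisco", "bridge"]),
                        ("reply bypasses the bridge", ["cisco"])):
        results, log = simulate(["bridge", "cisco"], back)
        print(f"== {title}: delivered={results}")
        print("\n".join(log))
```

In the first scenario, which is the one described in the thread (the Cisco hands the reply to the client, but the frame still crosses the bridge), the tracker sees the SYN/ACK and the flow reaches ESTABLISHED, so the policy works. In the second, the client's bare ACK arrives while the flow is still in SYN_SENT and is classified INVALID, which is exactly what a stateful box does when the return path really does bypass it. One practical caveat on a Linux bridge: iptables only gets to inspect bridged (non-routed) frames when br_netfilter is in play (sysctl net.bridge.bridge-nf-call-iptables=1); without it the reply frames are switched past the FORWARD chain and the tracker degrades to the second scenario.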