
Re: Asymmetrically routing through transparent fw (bridge)

Subject: Re: Asymmetrically routing through transparent fw bridge
From: Philippe WEILL
Date: Wed, 11 May 2005 18:28:36 +0200
Newsgroups: comp.os.linux.networking


Wolfgang Kohnen wrote:
Philippe WEILL wrote:


If you want to do something like this, it doesn't work:

        |------------|
---------|   Cisco    |
        |------------|
          | |   | | |
        |- ---| Workstations
        | FWB |
        |-----|
Could you explain with ASCII art what you need?



It's more like this:

-------
|cisco|-----> metropolitan area net
-------
 |                                              ----------------
 |                 (----------------------------| other switch |
 |                 |                            ----------------
---------        ------      ----------             |||||||| |
|  FWB  |------> | FW |------| switch |           third network
---------        ------      ----------                      |
 |                             ||||||                        |
 |                             ||||||                      ------
 |                            second network               | FW |
 |                                                         ------
----------
| switch |
----------
  ||||||
  ||||||
first network


OK, it's clearer now and this should work without problems.

The interesting part is on the left column: the Cisco router, the
bridging firewall (FWB) and the connected "first network". What I need
is that the first network has a default gateway different from the second
and third network (which go to a different off-site uplink). But I want
to route packets between these three networks. Cisco's IP is
10.121.64.1 and I would like to give the IP 10.121.64.15 (same logical
network, hence the bridging firewall) and default gateway 10.121.64.1 to
the FWB and then give a default gateway of 10.121.64.15 to the clients
in the first network.
Maybe it was misleading that I wrote:


But packets going the other way round will arrive from the internet (or
other off-site networks) at the Cisco router and then they will be sent
from the Cisco router directly to the client, i.e. transparently through
the bridge.


The FWB is between the first network and the Cisco router, of course.
If I didn't miss something important, the packets will all pass the FWB
from all directions: from Cisco to first network, from first network to
Cisco, and to/from second network to the first network.
But there is still an asymmetry on the FWB: Cisco thinks it sends to the
network directly and it passes the FWB, and the clients in that network
think the FWB is a router and the Cisco doesn't exist. My question is
theoretical, "How does this asymmetry appear at the FWB? (routing table /
INPUT / FORWARD / OUTPUT)", or my question is pragmatic:


2.) How can I handle connections going through this transparent
firewall? Am I able to statefully inspect connections easily here?

Remember that a bridging firewall is a switch (layer 2) with a layer 3+ filter;
it doesn't do routing (the IP address on the BR-FW is just used for administration and possibly for the REJECT target in iptables, but you could work without an IP address on it).
Your filters are all on the FORWARD chain and you can't do NAT with the BRFW
because there is no PREROUTING or POSTROUTING.
We use two bridging firewalls in our network.

A good distribution for that:
http://www.devil-linux.org
The iptables rules could be generated by FWBUILDER (from another host).

--
 Weill Philippe - Systems and Network Administrator
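A minimal Linux bridging firewall of the kind Philippe describes (bridge with an administrative address only, all filtering in the FORWARD chain, stateful via conntrack), added here as an example; it is not code from the thread, from Devil-Linux or from fwbuilder. Assumed: eth0 faces the Cisco, eth1 faces the first network, the bridge is br0 and the network is a /24; the addresses 10.121.64.15 and 10.121.64.1 are the ones from the thread. With DRY_RUN=1 it only prints the commands it would run.

```sh
#!/bin/sh
# Assumed port names: eth0 faces the Cisco, eth1 faces the first network.
OUTER=${OUTER:-eth0}
INNER=${INNER:-eth1}
BR=${BR:-br0}
ADMIN_IP=${ADMIN_IP:-10.121.64.15/24}      # address from the thread, /24 assumed
GATEWAY=${GATEWAY:-10.121.64.1}            # the Cisco, from the thread
INNER_NET=${INNER_NET:-10.121.64.0/24}     # assumed prefix of the first network

# Every privileged command goes through run(); with DRY_RUN=1 it is only
# printed, so the rule set can be reviewed without root or a real bridge.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_bridge() {
    run ip link add name "$BR" type bridge
    run ip link set "$OUTER" master "$BR"
    run ip link set "$INNER" master "$BR"
    run ip link set "$OUTER" up
    run ip link set "$INNER" up
    run ip link set "$BR" up
    # Administrative address only; the box bridges, it does not route.
    run ip addr add "$ADMIN_IP" dev "$BR"
    run ip route add default via "$GATEWAY" dev "$BR"
    # Current kernels need br_netfilter for iptables to see bridged frames.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

setup_filter() {
    # Traffic crossing the bridge is seen in FORWARD only; default deny.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Stateful part: replies and related packets pass in both directions,
    # whichever bridge port they arrive on.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections only from the first network's side of the bridge.
    run iptables -A FORWARD -m physdev --physdev-in "$INNER" -s "$INNER_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$OUTER" -j LOG --log-prefix "FWB drop: "
    # The management address itself: reachable from the inside port only.
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m physdev --physdev-in "$INNER" -s "$INNER_NET" \
        -p tcp --dport 22 -j ACCEPT
}

if [ "${FWB_APPLY:-0}" = 1 ]; then setup_bridge; setup_filter; fi
```

Run with `FWB_APPLY=1` as root to apply; note that no nat table rules appear at all, matching the point that a bridging firewall filters but does not NAT.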
