Re: Asymmetrically routing through transparent fw (bridge)

Subject: Re: Asymmetrically routing through transparent fw bridge
From: Wolfgang Kohnen
Date: Wed, 11 May 2005 20:05:05 +0200
Newsgroups: comp.os.linux.networking
Philippe WEILL wrote:

>> It's more like this:
>>
>> -------
>> |cisco|-----> metropolitan area net
>> -------
>>  |                                              ----------------
>>  |                 (----------------------------| other switch |
>>  |                 |                            ----------------
>> ---------        ------      ----------             |||||||| |
>> |  FWB  |------> | FW |------| switch |           third network
>> ---------        ------      ----------                      |
>>  |                             ||||||                        |
>>  |                             ||||||                      ------
>>  |                            second network               | FW |
>>  |                                                         ------
>> ----------
>> | switch |
>> ----------
>>   ||||||
>>   ||||||
>> first network
>
> OK it's more clear and this should work without problem

Fine... :-)

> Remember that Bridging Firewall is a Switch ( Layer 2 ) with Layer 3+
> Filter

Hmm, where is my OSI knowledge... hmm, maybe I never learned it.
Layer 2 is where MAC and ARP live and Layer 3 is IP, isn't it? Or
no... layer 2 is MAC, layer 3 is ARP and layer 4 is IP? However... :-)

> he doesn't do routing ( Ip address on BR-FW is just used for
> administration and eventually for reject target in iptables but you
> could work without an ip address on)
> your filters are all on FORWARD CHAIN and you can't do nat with BRFW
> because no PREROUTING or POSTROUTING

I don't need NAT here, that happens somewhere else. And does that mean I
can't have anti-spoofing rules here? Let me show in detail what I wanted
to do on that FWB -- maybe you could point me to the spot where I'll
trip up?

The FWB is called voyager (my customer's choice, not my fault, but maybe
you like Star Trek?) and has three interfaces: eth0 and eth1 are joined
into br0, and eth2 connects to the rest of our site:

voyager:
 eth0/eth1-> br0 (10.121.64.15)
 eth2 (172.16.0.10) (just a transit net between two routers)

cisco:
 10.121.64.1

and the other FW is called "enterprise"  (there is another one called
"defiant" to continue the row...):

enterprise:
 eth2 (172.16.0.15)
 eth1 (192.168.64.15)
 eth0 (195.x.y.16) (dmz)

So, on voyager I'll have to do:

route add -net 192.168.64.0 netmask 255.255.255.0 gw 172.16.0.15
route add -net 195.x.y.0 netmask 255.255.255.0 gw 172.16.0.15

The clients on the 10.121.64.0 net will get the default gw 10.121.64.15,
which is voyager's br0 IP, and will be forwarded from there to the Cisco,
because voyager itself has 10.121.64.1 as its default gw.  Am I tripping
already?  Is this where your "doesn't do routing" argument comes in?  Or
does everything that crosses this FWB appear perfectly in FORWARD, so I
can do with the packets whatever I would like to do (drop or permit
would suffice)?

> a good distrib for that
> http://www.devil-linux.org

Hadn't heard of that; I am using a vanilla woody with some packages
from backports.org.

> iptables rules could be generated by FWBUILDER ( from another host )

Thanks a lot!

Wollie
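The setup Wollie describes, written out as a command sequence. This is an added example, not something either poster wrote: the host names, addresses, interface names and the two routes via 172.16.0.15 are the thread's; which of eth0/eth1 faces the Cisco, the /24 mask on the transit net, the need for a bridge-netfilter-capable kernel, and the filter policy itself are assumptions. 195.x.y.0/24 is the thread's own placeholder and must be replaced before applying. Without APPLY=1 the script only prints what it would run. The anti-spoofing rules answer the question raised above: on a bridge, the physical ingress port of a bridged packet is still visible in FORWARD through the physdev match, so "only 10.121.64.0/24 may enter from the inside port, and nothing claiming that source may enter from the Cisco port" can be enforced without NAT chains.

```shell
#!/bin/sh
# Added example (not from the thread): "voyager" as bridging firewall with
# asymmetric routing. Interface roles eth0=Cisco side, eth1=first-network
# side are an assumption; the thread only says eth0/eth1 form br0.

OUTSIDE_IF=eth0            # assumed: port towards the Cisco / MAN
INSIDE_IF=eth1             # assumed: port towards the first-network switch
BR=br0
BR_IP=10.121.64.15/24
LAN=10.121.64.0/24         # first network
CISCO=10.121.64.1          # voyager's own default gateway
TRANSIT_IF=eth2
TRANSIT_IP=172.16.0.10/24  # /24 assumed; thread gives only the address
ENTERPRISE=172.16.0.15     # next hop for the site networks
INTERNAL_NET=192.168.64.0/24
DMZ_NET=195.x.y.0/24       # placeholder from the thread, replace before APPLY=1

# Print commands by default; execute them only when APPLY=1 (run as root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Bridge, addresses and the routing table described in the post.
bridge_setup() {
    run brctl addbr "$BR"
    run brctl addif "$BR" "$OUTSIDE_IF"
    run brctl addif "$BR" "$INSIDE_IF"
    run ip link set "$OUTSIDE_IF" up
    run ip link set "$INSIDE_IF" up
    run ip addr add "$BR_IP" dev "$BR"
    run ip link set "$BR" up
    run ip addr add "$TRANSIT_IP" dev "$TRANSIT_IF"
    run ip link set "$TRANSIT_IF" up
    run ip route add default via "$CISCO"
    run ip route add "$INTERNAL_NET" via "$ENTERPRISE"
    run ip route add "$DMZ_NET" via "$ENTERPRISE"
    run sysctl -w net.ipv4.ip_forward=1
    # Assumption: kernel with bridge-netfilter, so bridged frames hit iptables FORWARD.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# FORWARD policy: both the bridged path (eth1<->eth0) and the routed path
# (br0 -> eth2) pass through this one chain.
filter_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing on the bridge: inside port may only carry first-network sources ...
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE_IF" ! -s "$LAN" -j DROP
    # ... and nothing arriving from the Cisco port may claim a first-network source.
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE_IF" -s "$LAN" -j DROP
    # Routed path: first network to the site networks behind enterprise.
    run iptables -A FORWARD -i "$BR" -o "$TRANSIT_IF" -s "$LAN" -d "$INTERNAL_NET" -j ACCEPT
    run iptables -A FORWARD -i "$BR" -o "$TRANSIT_IF" -s "$LAN" -d "$DMZ_NET" -j ACCEPT
    # Bridged path: first network out to the MAN; replies return via the state rule.
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE_IF" --physdev-out "$OUTSIDE_IF" -s "$LAN" -j ACCEPT
    # Everything else is logged before the DROP policy takes it.
    run iptables -A FORWARD -j LOG --log-prefix "voyager-drop: "
}

bridge_setup
filter_rules
```

Returning traffic from the MAN and from the site networks is accepted only as ESTABLISHED,RELATED, so nothing new can be initiated towards the first network from either side; widen that deliberately per service rather than with a blanket accept on --physdev-in eth0.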
