Firewall Wizards mailing list archives
Linux Bridge/Firewall
From: Chris Ditri <chrisd () better-investing org>
Date: Wed, 26 Nov 2003 16:03:57 -0500
Hello Everyone,

I have successfully built my linux bridge. I wish to use it as the outside machine in a DMZ, so I want it not only to allow packets through without augmentation, but to only allow packets from certain external machines on certain ports to certain protected machines on certain ports -- and reject all other traffic. I have an example running now, where I put my lists server behind this machine, and it seems to work pretty well so far.. but I know there are more eloquent ways of doing what I have done.

I am using iptables. I set the INPUT chain to ACCEPT. I set the OUTPUT chain to ACCEPT. I set the FORWARD chain to DROP, then made my exceptions on the forward chain for the ports and machine in question. Everything is basically on the forward chain.

My questions:

Normally, I split up the packets into 3 chains, one for udp, one for tcp, etc. etc. This is supposed to decrease the overhead by not running everything through one chain. It minimizes processing. Should something like this be implemented on my bridge/firewall? (logically splitting traffic into chains).

Should I try to set my INPUT and OUTPUT to DROP, and make exceptions? Or is it safe to leave it alone?

Should I bag the whole thing and use ebtables (something I am completely unfamiliar with). I personally don't see why I would want to do this... I don't know if I have a need to block and allow based upon mac address...

I appreciate any suggestions. Thanks.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
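One way to lay out the rule set the post describes (FORWARD defaulting to DROP, narrow exceptions for one protected host, traffic split into per-protocol chains, and a restrictive INPUT policy), as an added example that is not from the original post or its replies. Interface names and addresses are assumed placeholders, and the script prints the iptables commands instead of applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables rule set for a
# bridging firewall. Commands are printed, not applied; review, then
# `build_rules | sh` on the bridge. Names and addresses are assumptions.
OUTSIDE_IF=eth0          # assumed: bridge port facing the Internet
INSIDE_IF=eth1           # assumed: bridge port facing the protected hosts
LISTS_SERVER=192.0.2.10  # constructed: the protected lists server
RELAY=198.51.100.25      # constructed: the one external host allowed in
ADMIN=192.0.2.2          # constructed: admin host allowed to SSH to the bridge

build_rules() {
    # Bridged frames only reach iptables when this sysctl is on (modern
    # kernels: load the br_netfilter module first; 2003-era kernels needed
    # the bridge-nf patch instead).
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    # Default deny on INPUT and FORWARD; the bridge itself accepts only admin SSH.
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -P FORWARD DROP"
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp -s $ADMIN --dport 22 -m state --state NEW -j ACCEPT"
    # Replies to admitted bridged connections also cross FORWARD, so accept
    # them once, before the per-protocol split.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Per-protocol chains: a packet walks only the rules that could match it.
    for chain in tcp_fwd udp_fwd icmp_fwd; do
        echo "iptables -N $chain"
    done
    echo "iptables -A FORWARD -p tcp -j tcp_fwd"
    echo "iptables -A FORWARD -p udp -j udp_fwd"
    echo "iptables -A FORWARD -p icmp -j icmp_fwd"
    # Inbound: only RELAY may open SMTP to the lists server. physdev pins the
    # rule to frames that arrived on the outside port, so a packet with a
    # forged source address coming from the inside cannot match it.
    echo "iptables -A tcp_fwd -m physdev --physdev-in $OUTSIDE_IF -p tcp -s $RELAY -d $LISTS_SERVER --dport 25 -m state --state NEW -j ACCEPT"
    # Outbound: the lists server may deliver mail and resolve names.
    echo "iptables -A tcp_fwd -m physdev --physdev-in $INSIDE_IF -p tcp -s $LISTS_SERVER --dport 25 -m state --state NEW -j ACCEPT"
    echo "iptables -A udp_fwd -m physdev --physdev-in $INSIDE_IF -p udp -s $LISTS_SERVER --dport 53 -j ACCEPT"
    # Keep path-MTU discovery working; anything unmatched in a user chain
    # returns to FORWARD and falls through to the DROP policy.
    echo "iptables -A icmp_fwd -p icmp --icmp-type fragmentation-needed -j ACCEPT"
    # Log (rate-limited) what the policy drops so later tuning is evidence-based.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'BRIDGE-DROP: '"
}
```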