Firewall Wizards mailing list archives

Linux Bridge/Firewall


From: Chris Ditri <chrisd () better-investing org>
Date: Wed, 26 Nov 2003 16:03:57 -0500

Hello Everyone,

I have successfully built my linux bridge.  

I wish to use it as the outside machine in a DMZ, so I want it not only to 
allow packets through without augmentation, but to only allow packets from 
certain external machines on certain ports to certain protected machines on 
certain ports -- and reject all other traffic.

I have an example running now, where I put my lists server behind this 
machine, and it seems to work pretty well so far, but I know there are more 
eloquent ways of doing what I have done.

I am using iptables.  I set the INPUT chain to ACCEPT.  I set the OUTPUT chain 
to ACCEPT.  I set the FORWARD chain to DROP, then made my exceptions on the 
forward chain for the ports and machine in question.

Everything is basically on the forward chain.

My questions:

Normally, I split up the packets into 3 chains, one for udp, one for tcp, etc. 
etc.  This is supposed to decrease the overhead by not running everything 
through one chain.  It minimizes processing.  Should something like this be 
implemented on my bridge/firewall?  (logically splitting traffic into 
chains).

Should I try to set my INPUT and OUTPUT to DROP, and make exceptions?  Or is 
it safe to leave it alone?

Should I bag the whole thing and use ebtables (something I am completely 
unfamiliar with)?  I personally don't see why I would want to do this...  I 
don't know if I have a need to block and allow based upon mac address...

I appreciate any suggestions.

Thanks.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
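One way to lay out the rule set the post describes (INPUT and OUTPUT left at ACCEPT, FORWARD defaulting to DROP, the forwarded traffic split into per-protocol user chains, and narrow exceptions for one external host reaching one protected host) as a shell script. This is an added example, not code from the original post; the bridge legs eth0/eth1, the addresses, the SMTP port and the requirement that the bridge-netfilter code (br_netfilter on current kernels) is loaded so iptables sees bridged frames are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout: a Linux bridge
# whose outside leg is eth0 and whose DMZ leg is eth1, with bridge-netfilter
# loaded so iptables sees bridged frames. Addresses are constructed TEST-NET values.
IPT="${IPT:-iptables}"                 # IPT=echo prints the rules instead of loading them
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"
DMZ_HOST="${DMZ_HOST:-192.0.2.10}"     # the protected (lists) server behind the bridge
ALLOWED_PEER="${ALLOWED_PEER:-198.51.100.5}"  # the one external host allowed to reach it

reset_policies() {
    "$IPT" -F; "$IPT" -X
    "$IPT" -P INPUT ACCEPT          # the bridge itself offers no services; nothing to reach
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P FORWARD DROP          # nothing crosses the bridge unless a rule allows it
}

# FORWARD only dispatches; each packet then traverses just the rules for its own
# protocol, which is the per-protocol split the post asks about.
build_forward_chains() {
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state INVALID -j DROP
    for proto in tcp udp icmp; do
        "$IPT" -N "fwd_$proto"
        "$IPT" -A FORWARD -p "$proto" -j "fwd_$proto"
    done
    # anything not claimed by a per-protocol chain is logged, then hits the DROP policy
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "bridge-fwd-drop: "
}

# The exceptions: only NEW connections, only arriving on the outside leg, only
# from the permitted peer, only to the protected host's SMTP port.
add_exceptions() {
    "$IPT" -A fwd_tcp -m physdev --physdev-in "$OUTSIDE_IF" \
        -s "$ALLOWED_PEER" -d "$DMZ_HOST" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
    # let the protected host answer pings, but nothing else over ICMP
    "$IPT" -A fwd_icmp -m physdev --physdev-in "$OUTSIDE_IF" \
        -d "$DMZ_HOST" -p icmp --icmp-type echo-request -j ACCEPT
    # unmatched packets fall off the end of the user chain back into FORWARD,
    # where they are logged and dropped by policy
}

apply_all() { reset_policies; build_forward_chains; add_exceptions; }

# Only load rules when invoked explicitly: `sh bridge-fw.sh apply` (as root),
# or `IPT=echo sh bridge-fw.sh apply` to review the generated rule set first.
case "${1:-}" in apply) apply_all ;; esac
```

Because the return path is covered by the ESTABLISHED,RELATED rule, no second exception is needed for replies leaving the DMZ host; everything else crossing the bridge ends up in the log and then in the DROP policy.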

