[Firehol-support] Open VPN and Ethernet Bridge

Costa Tsaousis costa at tsaousis.gr
Thu Jul 29 22:05:13 BST 2004


Joel,

Thanks for your good words.

I have never used bridged interfaces or tunnels myself. However, you can
find a few messages from other users using FireHOL with bridges at the
forums. Check these:

https://sourceforge.net/forum/forum.php?thread_id=869207&forum_id=196547
https://sourceforge.net/forum/forum.php?thread_id=994500&forum_id=196547

I suggest proceeding one step at a time. Set up a very simple firewall like
this:

interface any world
policy accept

router any2any
route all accept

Does it work now? Check the system log for dropped packets. The system log
is your friend - it tells you what is going wrong. If there is nothing in
the logs, and everything works, you are on a good path.

If it works, then try to figure out how to filter traffic. Change the
router to this:

router any2any
route ping accept log "APING"
route all accept

Then do a ping (not from/to the firewall) and check the logs for the text
"APING". Note down SRC= DST= IN= OUT= etc. You should use the logged
information to understand what to match in FireHOL.

Repeat the above procedure (logging traffic and modifying the firewall)
until you have a clear view of how iptables interacts with your bridges
and tunnels. Then you will know what to do to set up a secure firewall.

In all cases, FireHOL is pretty generic. If there is a match that is
currently missing, send me a note and I'll add it (I am pretty sure
all the "stable" iptables matches are already included - so missing a
feature is unlikely to happen).

Anyway, I hope that if you decide to do this, you will write a short howto
for the rest of us to know what to do in setups similar to yours :-)

Regards,

Costa
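
The "note down SRC= DST= IN= OUT=" step above is easier when the tagged
lines are pulled out of the system log mechanically. The following is an
added example, not part of Costa's message or of FireHOL itself: it parses
iptables LOG lines carrying the "APING" tag, counts packets per
(IN, OUT, PROTO) so the bridge/tunnel interface pairs stand out, and flags
lines with an empty OUT= (packets that ended on the firewall itself, which
the mail says to avoid when testing the router). The sample log lines are
constructed; the exact log prefix format differs between FireHOL versions,
so the only assumption is that the tag appears before the IN=/OUT= fields.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original message). They imitate the
# kernel-log output of the iptables LOG target that FireHOL's "log" option
# produces; the exact prefix format differs between FireHOL versions, so the
# only assumption is that the tag "APING" appears before the IN=/OUT= fields.
SAMPLE_LOG = """\
Jul 29 22:05:13 fw kernel: APING:IN=br0 OUT=tun0 SRC=192.0.2.10 DST=198.51.100.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=ICMP TYPE=8 CODE=0 ID=4567 SEQ=1
Jul 29 22:05:13 fw kernel: APING:IN=tun0 OUT=br0 PHYSOUT=eth1 SRC=198.51.100.20 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=54321 PROTO=ICMP TYPE=0 CODE=0 ID=4567 SEQ=1
Jul 29 22:05:14 fw kernel: APING:IN=br0 OUT=tun0 SRC=192.0.2.11 DST=198.51.100.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=ICMP TYPE=8 CODE=0 ID=4568 SEQ=1
Jul 29 22:05:15 fw kernel: APING:IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=ICMP TYPE=8 CODE=0 ID=4569 SEQ=1
Jul 29 22:05:16 fw sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 51234 ssh2
"""

# KEY=VALUE pairs; bare flags such as "DF" have no "=" and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line, tag):
    """Return the KEY=VALUE fields of one iptables LOG line carrying `tag`, or None."""
    pos = line.find(tag)
    if pos < 0:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line[pos + len(tag):]):
        # ID= occurs twice on ICMP lines (IP header ID, then ICMP echo ID);
        # keep the first occurrence so "ID" stays the IP header field.
        fields.setdefault(key, value)
    if "IN" not in fields or "OUT" not in fields:
        return None  # tag matched but no packet fields: not a LOG line
    return fields


def summarize_paths(lines, tag):
    """Count logged packets per (IN, OUT, PROTO) so interface pairs stand out."""
    paths = Counter()
    for line in lines:
        rec = parse_log_line(line, tag)
        if rec:
            paths[(rec["IN"], rec["OUT"], rec.get("PROTO", "?"))] += 1
    return paths


def local_packets(lines, tag):
    """Records whose OUT= is empty: the packet terminated on the firewall itself,
    which is the case to avoid when testing the router rules."""
    return [rec for rec in (parse_log_line(l, tag) for l in lines)
            if rec and rec["OUT"] == ""]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for path, n in summarize_paths(lines, "APING").items():
        print("IN=%-5s OUT=%-5s PROTO=%-4s packets=%d" % (*path, n))
    for rec in local_packets(lines, "APING"):
        print("to firewall itself:", rec["SRC"], "->", rec["DST"], "via", rec["IN"])
```

On a real system, feed it the lines of /var/log/messages (or wherever the
kernel log goes) instead of SAMPLE_LOG; the PHYSIN=/PHYSOUT= fields, when
present, tell you which physical port of a bridge the packet used.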