[Firehol-support] Open VPN and Ethernet Bridge
Costa Tsaousis
costa at tsaousis.gr
Thu Jul 29 22:05:13 BST 2004
Joel,
Thanks for your good words.
I have never used bridged interfaces or tunnels myself. However, you can
find a few messages from other users using FireHOL with bridges at the
forums. Check these:
https://sourceforge.net/forum/forum.php?thread_id=869207&forum_id=196547
https://sourceforge.net/forum/forum.php?thread_id=994500&forum_id=196547
I suggest proceeding one step at a time. Set up a very simple firewall like
this:
interface any world
policy accept
router any2any
route all accept
Does it work now? Check the system log for dropped packets. The system log
is your friend - it tells you what is going wrong. If there is nothing in
the logs, and everything works, you are on a good path.
If it works, then try to figure out how to filter traffic. Change the
router to this:
router any2any
route ping accept log "APING"
route all accept
Then do a ping (not from/to the firewall) and check the logs for the text
"APING". Note down SRC= DST= IN= OUT= etc. You should use the logged
information to understand what to match in FireHOL.
Repeat the above procedure (logging traffic and modifying the firewall)
until you have a clear view of how iptables interacts with your bridges
and tunnels. Then you will know what to do to set up a secure firewall.
In all cases, FireHOL is pretty generic. If there should be a match that
currently is not there, send me a note and I'll add it (I am pretty sure
all the "stable" iptables matches are already included - so a missing
feature is unlikely).
Anyway, I hope that if you decide to do this, you will write a short howto
for the rest of us to know what to do in setups similar to yours :-)
Regards,
Costa
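The procedure above boils down to reading the iptables LOG lines tagged "APING" and noting which IN/OUT interfaces, addresses and protocols each packet carried. As an added illustration (not part of Costa's reply or of FireHOL itself), here is a small Python script that does that bookkeeping over a constructed sample of syslog lines. The interface names (br0, tun0, eth1), addresses and timestamps are made up; the PHYSIN/PHYSOUT fields are the ones iptables adds for traffic crossing a bridge, which is exactly what you need to see when deciding what to match.

```python
import re
from collections import Counter

# Constructed sample: syslog lines as an iptables LOG target with the prefix
# "APING" (the FireHOL rule in the post) would produce. Interfaces, addresses
# and the unrelated sshd line are made up for illustration.
SAMPLE_LOG = """\
Jul 29 22:10:01 fw kernel: APING IN=br0 OUT=tun0 PHYSIN=eth1 SRC=192.168.1.10 DST=10.8.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=12345 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Jul 29 22:10:01 fw kernel: APING IN=tun0 OUT=br0 PHYSOUT=eth1 SRC=10.8.0.2 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=12346 PROTO=ICMP TYPE=0 CODE=0 ID=4321 SEQ=1
Jul 29 22:10:02 fw kernel: APING IN=br0 OUT=tun0 PHYSIN=eth1 SRC=192.168.1.10 DST=10.8.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=12347 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=2
Jul 29 22:10:05 fw sshd[1234]: Accepted publickey for admin from 192.168.1.10
"""

LOG_PREFIX = "APING"
# The KEY=value fields worth noting when working out what to match.
FIELDS = ("IN", "OUT", "PHYSIN", "PHYSOUT", "SRC", "DST", "PROTO")


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the interesting KEY=value fields of one LOG-target line, or
    None when the line does not carry the given log prefix."""
    m = re.search(r"\b" + re.escape(prefix) + r"\s+(IN=.*)$", line)
    if m is None:
        return None
    fields = {}
    # ICMP lines carry "ID=" twice (IP ID and ICMP ID); keep the first of
    # each key so the IP-layer value is the one recorded.
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", m.group(1)):
        if key in FIELDS and key not in fields:
            fields[key] = value
    return fields


def summarize(log_text, prefix=LOG_PREFIX):
    """Count distinct (IN, OUT, PROTO, SRC, DST) flows seen for the prefix."""
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if f is None:
            continue
        flows[(f.get("IN", ""), f.get("OUT", ""), f.get("PROTO", ""),
               f.get("SRC", ""), f.get("DST", ""))] += 1
    return flows


def interface_pairs(log_text, prefix=LOG_PREFIX):
    """Sorted list of the (IN, OUT) interface pairs logged packets traversed.
    This is what shows how bridges and tunnels appear to iptables, and hence
    which FireHOL interface/router definitions the traffic falls under."""
    return sorted({(i, o) for (i, o, *_rest) in summarize(log_text, prefix)})


def main():
    for (inp, out, proto, src, dst), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}x  IN={inp:<5} OUT={out:<5} PROTO={proto:<5} "
              f"SRC={src:<15} DST={dst}")
    print("interface pairs:", interface_pairs(SAMPLE_LOG))


if __name__ == "__main__":
    main()
```

Run it against your real log (for example by reading /var/log/messages into the summarize() call instead of SAMPLE_LOG) after each change to the firewall; the interface pairs tell you whether the packets cross as bridged traffic, as routed traffic, or both, which is the question the router and interface definitions in FireHOL have to answer.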