[Firehol-support] locking down a dual stack bridging firewall with firehol

Tsaousis, Costa costa at tsaousis.gr
Thu Nov 13 10:58:03 GMT 2014


Hi Phineas,

I have never implemented a firewall with a bridge, so I am not 100% sure.

I think that if you bridge the interfaces, traffic between the
interfaces of the bridge does not enter the IP stack of the host
implementing the bridge.
You need ebtables to control bridged traffic.

In any case, if firehol drops something, it should be logged. So check
the logs to find out what is dropped. It should give you an idea how
to match it.


Costa

On Wed, Nov 12, 2014 at 11:38 PM, Phineas Gage <phineas919 at gmail.com> wrote:
> I’m converting my firewall to a transparent bridge, and have a basic config working for IPv4 and IPv6. Our environment is simple:
>
> LAN <=> (eth0) Linux Firewall (eth1) [br0 bridges eth0 and eth1] <=> ADSL modem
>
> I would like to let all client traffic out but nothing in. But for some reason, I need this router line accepting all traffic from the Internet side interface, otherwise clients lose their DHCP v4 addresses a few seconds after they get them:
>
> router46 internet2lan physin eth1 physout eth0
>     route all accept # !!! Figure out why, without this accept, I lose my DHCP v4 address after a few seconds
>
> Now, I think it may be covered by my “int2br” rule, which rejects everything but some needed IPv6 traffic, but I would like to make the above line cleaner.
>
> Does anyone know how to make this better, or does anyone spot any other holes in this configuration I’ve missed?
>
> Hopefully what I’ve got so far helps someone...
>
> ----
> version 6
>
> # The lan network
> lan_net="redacted"
> lan6_net="redacted"
>
> interface46 eth0 lan
>     policy reject
>     tcpmss auto
>     server "ipv6error ipv6neigh ipv6router" accept
>     server "ssh icmp icmpv6" accept
>     client "ipv6neigh ipv6router" accept
>     client all accept
>     server all reject
>
> interface46 eth1 internet
>     protection strong 10/sec 10
>     tcpmss auto
>     server "ipv6error ipv6neigh" accept
>     server "icmp icmpv6" accept
>     client "ipv6neigh ipv6router" accept
>     client all accept
>     server all reject
>
> interface46 br0 bridge
>     server "ipv6error ipv6neigh ipv6router" accept
>     server "ssh icmp icmpv6" accept
>     server all reject
>     client all accept
>
> router46 lan2internet physin eth0 physout eth1
>     route all accept
>
> router46 internet2lan physin eth1 physout eth0
>     route all accept # !!! Figure out why, without this accept, I lose my DHCP v4 address after a few seconds
>
> router46 br2int inface br0 outface br0 physin eth0 physout eth1
>     route ipv6neigh accept
>     route ipv6router accept
>     route ipv6error accept
>     route all accept
>
> router46 int2br inface br0 outface br0 physin eth1 physout eth0
>     route ipv6neigh accept
>     route ipv6error accept
>     route all reject
> ----
>
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
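Costa's suggestion to read the logs is the practical first step. The script below is an added example, not code from the thread or from the FireHOL project: it parses kernel netfilter LOG lines (the key=value format firehol's logging produces through the iptables LOG target) and groups dropped packets by log prefix, physical in/out port, protocol and ports, with a hint for well-known services such as DHCPv4 so that a drop on the server-to-client DHCP path stands out. One caveat worth knowing before trusting the output: PHYSIN= and PHYSOUT= appear only when the bridge netfilter hooks hand bridged frames to iptables (net.bridge.bridge-nf-call-iptables=1, which is also what the physdev match behind firehol's physin/physout keywords needs); without that, bridged traffic never reaches iptables and nothing is logged for it. The sample log lines, the addresses and the "IN-internet2lan:" / "IN-internet:" prefixes are constructed for this example and are assumptions about how firehol would label these rules.

```python
"""
Added example: summarise netfilter LOG lines to see what a bridging firewall
is dropping.  Lines are the kernel LOG target's key=value format; bridged
packets carry PHYSIN=/PHYSOUT= only when net.bridge.bridge-nf-call-iptables=1.
The sample lines, addresses and the log prefixes are constructed for this
example (assumptions), not copied from a real firehol run.
"""
import re
from collections import Counter

# Constructed sample of what /var/log/kern.log might show on the bridge
# firewall from the thread (LAN on eth0, modem on eth1, both ports in br0).
SAMPLE_LOG = """\
Nov 12 23:30:01 fw kernel: IN-internet2lan:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Nov 12 23:30:04 fw kernel: IN-internet2lan:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=192.0.2.50 LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Nov 12 23:30:09 fw kernel: IN-internet2lan:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=192.0.2.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 12 23:30:12 fw kernel: IN-internet:IN=eth1 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=198.51.100.9 DST=192.0.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# The --log-prefix (if any) sits between "kernel:" and the first IN= field;
# dmesg-style lines without "kernel:" are handled by the optional group.
LOG_RE = re.compile(r"(?:kernel:\s*)?(?P<prefix>\S*?)\s*IN=")
# key=value pairs; bare flags such as DF or SYN carry no "=" and are skipped.
# LEN= appears twice (IP and L4); the second value wins, which is fine here.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one LOG line plus 'prefix', or None
    if the line is not a netfilter LOG entry at all."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line[m.end("prefix"):]))
    fields["prefix"] = m.group("prefix").rstrip(":")
    return fields


def flow_key(f):
    """Group by rule prefix, physical in/out port (falling back to IN/OUT
    for packets that were not bridged), protocol and ports."""
    return (
        f["prefix"],
        f.get("PHYSIN") or f.get("IN", ""),
        f.get("PHYSOUT") or f.get("OUT", ""),
        f.get("PROTO", ""),
        f.get("SPT", ""),
        f.get("DPT", ""),
    )


def service_hint(proto, spt, dpt):
    """Name the well-known service a dropped packet belongs to, if any.
    Only the handful of ports relevant to the thread are listed."""
    if proto == "UDP" and (spt, dpt) == ("67", "68"):
        return "DHCPv4 server->client (OFFER/ACK)"
    if proto == "UDP" and (spt, dpt) == ("68", "67"):
        return "DHCPv4 client->server (DISCOVER/REQUEST)"
    if proto == "UDP" and (spt, dpt) == ("547", "546"):
        return "DHCPv6 server->client"
    if proto == "TCP" and dpt == "22":
        return "ssh"
    if proto == "TCP" and dpt == "23":
        return "telnet"
    return ""


def summarise(log_text):
    """Count logged packets per flow key over a whole log text."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is not None:
            counts[flow_key(f)] += 1
    return counts


def report(log_text):
    """One formatted line per flow, most frequent first."""
    out = []
    for key, n in summarise(log_text).most_common():
        prefix, pin, pout, proto, spt, dpt = key
        hint = service_hint(proto, spt, dpt)
        out.append(f"{n:4d}  {prefix:<16} {pin or '-':>5} -> {pout or '-':<5} "
                   f"{proto:<4} {spt:>5} -> {dpt:<5} {hint}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To use it on a real box, feed it the contents of /var/log/kern.log or the output of journalctl -k instead of SAMPLE_LOG. The count column shows how often a flow repeats, the prefix column carries whatever --log-prefix firehol put on the rule that logged the packet, and the physical in/out columns tell you which direction through the bridge the drop happened in, which is what you need before writing a narrower rule than "route all accept".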


