[Firehol-support] locking down a dual stack bridging firewall with firehol

Phineas Gage phineas919 at gmail.com
Thu Nov 13 11:20:40 GMT 2014


Ok, at least I know it does go through iptables when you have a sysctl entry for bridge-nf-call-iptables=1 and bridge-nf-call-ip6tables=1. But some corner cases like this are challenging to figure out. Thanks for the tip on the logs. I forgot about it, and had the log rate turned down quite low before, so I’ll check it out...

I read that ebtables can be used to bypass the bridge and handle the traffic normally in the IP stack by handling them in BROUTING chain (http://ebtables.netfilter.org/misc/ebtables-faq.html). So I may be trying this to route some traffic to another network we’re connected to, and will see how it interacts with FireHOL.

The motivation for this is that if I can make my firewall transparent, then if it fails, it’s easy to tell someone, even if I’m not there, to just unplug two cables and plug in one cable, bypassing the firewall, and everything still works. I just lose traffic shaping, a little “extra” firewalling and some other ancillary services.

FireQOS seems to be working quite well through the bridge (continuing to use srcmac and dstmac like before), but I still need to experiment more with it. I can’t stress enough the difference that the FireQOS (and probably fq_codel) has made for us. We can have 10 or more active users on our 4 Mbps / 0.3 Mbps ADSL, and well, at least you can still browse the web, to some extent. :)

> On Nov 13, 2014, at 11:58 AM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> 
> Hi Phineas,
> 
> I have never implemented a firewall with a bridge, so I am not 100% sure.
> 
> I think that if you bridge the interfaces, traffic between the
> interfaces of the bridge does not enter the IP stack of the host
> implementing the bridge.
> You need ebtables to control bridged traffic.
> 
> In any case, if firehol drops something, it should be logged. So check
> the logs to find out what is dropped. It should give you an idea how
> to match it.
> 
> 
> Costa
> 
> On Wed, Nov 12, 2014 at 11:38 PM, Phineas Gage <phineas919 at gmail.com> wrote:
>> I’m converting my firewall to a transparent bridge, and have a basic config working for IPv4 and IPv6. Our environment is simple:
>> 
>> LAN <=> (eth0) Linux Firewall (eth1) [br0 bridges eth0 and eth1] <=> ADSL modem
>> 
>> I would like to let all client traffic out but nothing in. But for some reason, I need this router line accepting all traffic from the Internet-side interface; otherwise clients lose their DHCP v4 addresses a few seconds after they get them:
>> 
>> router46 internet2lan physin eth1 physout eth0
>>    route all accept # !!! Figure out why, without this accept, I lose my DHCP v4 address after a few seconds
>> 
>> Now, I think it may be covered by my “int2br” rule, which rejects everything but some needed IPv6 traffic, but I would like to make the above line cleaner.
>> 
>> Does anyone know how to make this better, or does anyone spot any other holes in this configuration I’ve missed?
>> 
>> Hopefully what I’ve got so far helps someone...
>> 
>> ----
>> version 6
>> 
>> # The lan network
>> lan_net="redacted"
>> lan6_net="redacted"
>> 
>> interface46 eth0 lan
>>    policy reject
>>    tcpmss auto
>>    server "ipv6error ipv6neigh ipv6router" accept
>>    server "ssh icmp icmpv6" accept
>>    client "ipv6neigh ipv6router" accept
>>    client all accept
>>    server all reject
>> 
>> interface46 eth1 internet
>>    protection strong 10/sec 10
>>    tcpmss auto
>>    server "ipv6error ipv6neigh" accept
>>    server "icmp icmpv6" accept
>>    client "ipv6neigh ipv6router" accept
>>    client all accept
>>    server all reject
>> 
>> interface46 br0 bridge
>>    server "ipv6error ipv6neigh ipv6router" accept
>>    server "ssh icmp icmpv6" accept
>>    server all reject
>>    client all accept
>> 
>> router46 lan2internet physin eth0 physout eth1
>>    route all accept
>> 
>> router46 internet2lan physin eth1 physout eth0
>>    route all accept # !!! Figure out why, without this accept, I lose my DHCP v4 address after a few seconds
>> 
>> router46 br2int inface br0 outface br0 physin eth0 physout eth1
>>    route ipv6neigh accept
>>    route ipv6router accept
>>    route ipv6error accept
>>    route all accept
>> 
>> router46 int2br inface br0 outface br0 physin eth1 physout eth0
>>    route ipv6neigh accept
>>    route ipv6error accept
>>    route all reject
>> ----
>> 
>> 
>> _______________________________________________
>> Firehol-support mailing list
>> Firehol-support at lists.firehol.org
>> http://lists.firehol.org/mailman/listinfo/firehol-support
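As an added example for this thread (my own code, not FireHOL's and not the poster's), the following Python script does the log triage Costa suggests, on a bridging firewall: it parses the KEY=value fields the netfilter LOG target writes for bridged packets (IN=, OUT=, PHYSIN=, PHYSOUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...), counts logged packets per physical-port/service flow, and singles out DHCPv4 replies crossing from eth1 to eth0. It also models why those replies are never matched as ESTABLISHED: a DHCP DISCOVER is sent from 0.0.0.0:68 to 255.255.255.255:67, so conntrack's expected reply tuple is 255.255.255.255:67 -> 0.0.0.0:68, which the server's OFFER (server address:67 -> 255.255.255.255:68) does not match, so the reply reaches the eth1->eth0 router as a new connection. The log prefix "int2lan-DROP:" and the sample log lines are constructed for the example (FireHOL uses its own prefixes); addresses are from documentation ranges.

```python
"""Triage netfilter LOG lines from a bridging firewall (added example, not
FireHOL code).  The "int2lan-DROP:" prefix is assumed and the sample lines
below are constructed; addresses are from documentation ranges."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# One KEY=value token as written by the LOG target.  Flag-only tokens such as
# "DF" or "SYN" carry no "=" and are deliberately not captured.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample: a LAN client asking for a DHCPv4 lease from a server on
# the eth1 (modem) side of the bridge.  The last line is kernel noise.
SAMPLE_LOG = """\
Nov 13 10:05:12 fw kernel: int2lan-DROP:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Nov 13 10:05:13 fw kernel: int2lan-DROP:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Nov 13 10:05:20 fw kernel: int2lan-DROP:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=203.0.113.9 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 13 10:05:21 fw kernel: usb 1-1: new high-speed USB device number 3
"""

Flow = Tuple[str, str, str, str]   # (physin, physout, proto, dport)
Tuple4 = Tuple[str, int, str, int]  # (src, sport, dst, dport)


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """KEY=value fields of one LOG line, or None if it is not a netfilter
    line (no IN= field).  A repeated key (LEN=) keeps its last value."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "IN" in fields else None


def flow_key(fields: Dict[str, str]) -> Flow:
    """Bridged flow identity: physical ports (falling back to the logical
    bridge interface when physdev info is absent), protocol, dest port."""
    return (fields.get("PHYSIN") or fields.get("IN", ""),
            fields.get("PHYSOUT") or fields.get("OUT", ""),
            fields.get("PROTO", ""), fields.get("DPT", ""))


def summarise(log_text: str) -> Counter:
    """Count logged packets per flow so the noisiest drop stands out."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is not None:
            counts[flow_key(fields)] += 1
    return counts


def is_dhcpv4_reply(fields: Dict[str, str]) -> bool:
    """DHCPv4 server-to-client traffic is UDP from port 67 to port 68."""
    return (fields.get("PROTO") == "UDP"
            and fields.get("SPT") == "67" and fields.get("DPT") == "68")


def blocked_dhcp_replies(log_text: str, physin: str, physout: str) -> List[Dict[str, str]]:
    """Logged DHCPv4 replies entering on `physin` and leaving on `physout`:
    the traffic a narrow 'accept DHCP replies' rule would have to cover."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if (fields and is_dhcpv4_reply(fields)
                and fields.get("PHYSIN") == physin
                and fields.get("PHYSOUT") == physout):
            hits.append(fields)
    return hits


def conntrack_reply_tuple(orig: Tuple4) -> Tuple4:
    """Simplified model of nf_conntrack: the reply it expects for a flow is
    the original tuple inverted.  For a DHCP DISCOVER that is
    255.255.255.255:67 -> 0.0.0.0:68, which no server ever sends."""
    src, sport, dst, dport = orig
    return (dst, dport, src, sport)


def reply_is_established(orig: Tuple4, reply: Tuple4) -> bool:
    """True only if `reply` would be matched as ESTABLISHED for `orig`."""
    return conntrack_reply_tuple(orig) == reply


if __name__ == "__main__":
    for flow, n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {flow[0]}->{flow[1]} {flow[2]}/{flow[3]}")
    replies = blocked_dhcp_replies(SAMPLE_LOG, "eth1", "eth0")
    print(f"{len(replies)} DHCPv4 replies logged in the eth1->eth0 direction")
    discover = ("0.0.0.0", 68, "255.255.255.255", 67)
    offer = ("192.0.2.1", 67, "255.255.255.255", 68)
    print("OFFER seen as ESTABLISHED:", reply_is_established(discover, offer))
```

Feed it `dmesg` or `journalctl -k` output instead of SAMPLE_LOG. The per-flow counts show which service the blanket accept in the eth1->eth0 router was really carrying, so that accept can be narrowed to just that service in that direction instead of "all".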
