Re: [nottingham] FYI : router

From: Graeme Fowler (graeme@graemef.net)
Date: Sun 27 May 2001 - 17:34:05 BST


Howdy folks

On Sun, 27 May 2001, Robert Davies wrote:
> OpenBSD actually has a very interesting possibility for firewalling, which
> even Linux 2.4 can't match yet, that is to do packet filtering whilst
> transparent bridging. A firewall which does not have an IP address you can
> connect to, and its existence is even hidden from you, makes attacking that
> box problematic to say the least. Obviously an extra ethernet interface, or
> a serial connection to the machine is used for management purposes.

No, quite right, 2.4.x can't do it yet. But 2.2 can - I've just spent a
sometimes frustrating but in the end very satisfying couple of weeks
developing a kickstart system for a transparent bridging firewall. OK, it
does run from an HD :) but it works a treat, using IPchains for the
firewall aspect of things. One thing though which it lacks, severely, is
that it's only an IP firewall so random things like IPX and AppleTalk
(commonly spat out by printer interface cards) still make it through, thus
rendering the internal network not entirely silent.

Still, as most exploits (and almost all the stuff you want to hide) these
days are IP based, it works very well indeed.

The bridge code developers are currently working on the 2.4 kernel tree
with a little but growing success. Someone made a patch work last week
against the 2.4 tree but it won't support NAT yet, although in itself
that's started quite a discussion about "why on earth would you want a
bridge to do NAT anyway?"...

http://bridge.sourceforge.net is the place to look, if it's up. A lot of
sourceforge's pages seem to have disappeared for some reason.

Graeme

PS the way to do remote management safely is to have a single IP address
allowed to connect to the box, using RFC1918 address space. Then
(obviously) keep that machine nailed down :)
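As an added illustration that is not from Graeme's post or the bridge project, the constructed Python model below shows why an IP-only filter on a transparent bridge lets IPX and AppleTalk frames through untouched, and applies the PS's rule of admitting management traffic from a single RFC1918 host only; the EtherType constants are standard, while the addresses, port and frame contents are assumptions.

```python
import struct
import ipaddress

# Well-known EtherType values (IEEE registered)
ETH_IPV4 = 0x0800
ETH_IPX = 0x8137
ETH_APPLETALK = 0x809B
# Assumed management policy (constructed addresses, not from the post)
MGMT_HOST = ipaddress.ip_address("192.168.1.10")   # the one allowed RFC1918 host
FIREWALL_IP = ipaddress.ip_address("192.168.1.1")  # dedicated management interface
MGMT_PORT = 22

def parse_frame(frame: bytes):
    """Split an Ethernet II frame into (ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0], frame[14:]

def ip_decision(payload: bytes) -> str:
    """IP filter: only the trusted RFC1918 host may reach the management port."""
    if len(payload) < 20:
        return "DROP"
    ihl = (payload[0] & 0x0F) * 4
    proto = payload[9]
    src = ipaddress.ip_address(payload[12:16])
    dst = ipaddress.ip_address(payload[16:20])
    if dst != FIREWALL_IP:
        return "FORWARD"  # ordinary bridged traffic; per-site rules omitted
    if proto == 6 and src == MGMT_HOST and src.is_private and len(payload) >= ihl + 4:
        dport = struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]
        if dport == MGMT_PORT:
            return "ACCEPT"
    return "DROP"

def bridge_decision(frame: bytes, ip_only: bool = True) -> str:
    """ip_only=True models an IPchains-style filter that never sees non-IP frames."""
    ethertype, payload = parse_frame(frame)
    if ethertype == ETH_IPV4:
        return ip_decision(payload)
    return "FORWARD" if ip_only else "DROP"  # IPX/AppleTalk leak through an IP-only filter

def make_frame(ethertype: int, payload: bytes) -> bytes:
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ethertype) + payload

def make_ipv4_tcp_frame(src: str, dst: str, dport: int) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HH", 40000, dport) + b"\x00" * 16  # minimal TCP header
    return make_frame(ETH_IPV4, ip + tcp)
```

Running `bridge_decision` with `ip_only=False` is the behaviour a filter would need in order to make the inside network silent for non-IP protocols as well.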




This archive was generated by hypermail 2.1.3 : Thu 22 Nov 2001 - 13:13:19 GMT