BBS水木清华站∶精华区
发信人: cc (猪仔), 信区: Linux
标 题: Bridge+Firewall mini-HOWTO
发信站: BBS 水木清华站 (Wed Apr 30 15:48:26 1997)
Bridge+Firewall mini-HOWTO, v1.0 by Peter Breuer Nov. 23, 1996
ptb@it.uc3m.es ptb@dit.upm.es ptb@eng.cam.ac.uk ptb@comlab.oc.ac.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You should look at the original Bridging mini-HOWTO by Chris Cole for a
different perspective on this. He is "chris@polymer.uakron.edu". The
version of his HOWTO that I have based this document on (alternatively,
ripped off) is 1.03 dated Aug 23 1996.
CONTENTS:
1.0) What and Why (and How?)
BRIDGING
1.1) Software
1.2) Prior Reading
1.3) Boot configuration
1.4) Kernel configuration.
1.5) Network addresses
1.6) Network routing
1.7) Card configuration
1.8) Additional routing
1.9) Bridge configuration
1.10) Try it out
1.11) Checks
FIREWALLING
2.1) Software and reading
2.2) Preliminary checks
2.3) Default rule
2.4) Holes per address
2.5) Holes per protocol
2.6) Checks
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
What:
A bridge is an intelligent connecting wire betwen two network cards. A
firewall is an intelligent insulator.
Why:
You might want a bridge if you have several computers:
a) to save the price of a new hub when you just happen to have an
extra ethernet card available.
b) to save the bother of learning how to do IP-forwarding and
other tricks when you _have_ two cards in your computer.
c) to avoid maintenance work in the future when things change
around!
"Several computers" might be as few as three if those are routing or
bridging or just moving around the room from time to time! b) was what
I wanted a bridge for.
You want a firewall if
a) you are trying to protect your network from external accesses, or
b) you are trying to deny access to the world outside from your
network.
Curiously, I needed b) here too. Policy at my university presently is
that we should not act as IPs to undergraduates.
How?
I started out bridging the two network cards in a firewalling machine
and ended up firewalling without having cut the bridge. It seems to
work.
I would guess that the bridge code lives just above the physical device
layer and the firewalling code lives one layer higher up, so that the
bridging and firewalling configurations effectively act as though they
are running connected together "in sequence" and not "in parallel"
(ouch!). Diagram:
-> Bridge-in -> Firewall-in -> Kernel -> Firewall-out -> Bridge-out ->
There is no other way to explain how one machine can be a "conductor"
and an "insulator" at the same time. Anyway, it all seems to work
together nicely. Here is what you do ..
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
BRIDGING
1.1) Software
Get the bridge configuration utility from Alan Cox's home pages. This
is the same reference as in Chris' document. I just didn't realize that
it was an ftp and not an http URL ...
ftp://shadow.cabi.net/pub/Linux/BRCFG.tgz
1.2) Prior Reading.
Read the 'Multiple ethernet' HOWTO for some advice on getting two
network cards recognized and configured.
sunsite.unc.edu:/pub/Linux/docs/HOWTO/mini/Multiple-Ethernet
Yet more details of the kind of boot magic that you may need are in the
boot parameter howto:
sunsite.unc.edu:/pub/Linux/docs/HOWTO/BootPrompt-HOWTO
1.3) Boot configuration
The reading material above will tell you that you need to prepare the
kernel to recognize multiple ethernet devices at boot up by adding this
to your /etc/lilo.conf, and then re-run lilo:
append = "ether=0,0,eth1"
You can always add the boot parameters in your response to the line that
lilo offers you:
linux ether=0,0,eth1 ether=0,0,eth2
I use loadlin to boot my kernel from DOS:
loadlin.exe c:\vmlinuz root=/dev/hda3 ro ether=0,0,eth1 ether=0,0,eth2
Note that this trick makes the kernel probe at bootup. That will not
happen if you load the ethernet drivers as modules (for safety since the
probe order can't be determined) so if you use modules you will have to
add the appropriate IRQ and port parameters for the driver in your
/etc/conf.modules. I have at least
alias eth0 3c509
alias eth1 de620
options 3c509 irq=5 io=0x210
options de620 irq=7 bnc=1
You can tell if you use modules by using ps to see if kerneld is
running and checking that there are .o files in a subdirectory of your
/lib/modules directory. You want the directory named with what uname -r
tells you. If you have kerneld and/or you have a foo.o then edit
/etc/conf.modules and read the man page for depmod carefully.
Note that until recently (kernel 2.0.25) the 3c509 driver could not be
used for more than one card if used as a module. I have seen a patch
floating around that fixes the oversight. It may be in the kernel when
you read this.
1.4) Kernel configuration
Recompile the kernel with bridging enabled.
CONFIG_BRIDGE=y
I also compiled with firewalling and IP-forwarding and -masquerading and
and the rest enabled. Only if you want firewalling too ...
CONFIG_FIREWALL=y
CONFIG_NET_ALIAS=y
CONFIG_INET=y
CONFIG_IP_FORWARD=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
CONFIG_IP_MASQUERADE=y
You don't need all this.
Install the new kernel in place, rerun lilo and reboot with the new kernel.
Nothing should have changed at this point!
1.5) Network addressing
Chris says that a bridge should not have an IP address but that is not
the setup to be described here.
You are going to want to use the machine for connecting to the net so
you need an address and you need to make sure that you have the loopback
device configured in the normal way so that your software can talk to
the places they expect to be able to talk to. If loopback is down the name
resolver or other net sevices might fail. See the NET-2-HOWTO, but your
standard configuration should already have done this bit:
ifconfig lo 127.0.0.1
route add -net 127.0.0.0
You will have to give addresses to both your network cards. I altered
the /etc/rc.d/rc.inet1 file in my slackware (3.x) to setup my two cards
and you should also essentially just look for your net configuration
file and double the number of instructions in it. Suppose that you
already have an address at
192.168.2.100
(that is the private net reserved address space, but never mind - it
won't hurt anybody if you use this address by mistake) then you probably
already have a line like
ifconfig eth0 192.168.2.100 netmask 255.255.255.0 metric 1
in your configuration. The first thing you are going to probably want
to do is cut the address space reached by this card in half so that you
can eventually bridge the two halves. So add a line which reduces the
mask to address a smaller number of machines:
ifconfig eth0 netmask 255.255.255.128
Try it too. That restricts the card to at most the address space
between .0 and .127.
Now you can set your second card up in the other half of the local
address space. Make sure that nobody already has the address. For
symmetry I set it at 228=128+100 here. Any address will do so long as
it is not in the other card's mask, and even then, well, maybe. Avoid
special addresses like .0, .1, .128 etc. unless you really know what
you are doing.
ifconfig eth0 192.168.2.228 netmask 255.255.255.128 metric 1
That restricts the second card to addresses between .128 and .255.
1.6) Network routing
The above might be enough address configuration for a working bridge,
but I will be doing firewalling too and I want to control the physical
destination of some packets. Even then one might have to take
precautions against address spoofing.
I have the small net of machines attached to a hub hanging off eth0,
so I configure a net there:
route add -net 192.168.2.128 netmask 255.255.255.128 dev eth0
The 128 would be 0 if I had a full class C network there. The "dev
eth0" is not necessary here because the cards address falls within this
net, but it may be necessary for you.
On the other card I have a line going straight through to a big router
that I trust.
client 129
__ | __
client 1 \ .0 .128 | / net 1
client 2 --- Hub - eth0 - Kernel - eth1 - Hub - Router --- net 2
client 3 __/ .100 .228 .2 | \__ net 3
|
client 254
I attach the address of the router to that card as a fixed ("static")
route because it would otherwise fall within the first cards netmask
and the kernel would be thinking wrongly about how to send packets to
the big router.
route add 192.168.2.2 dev eth1
I don't need it, since I don't have any more machines in that half of
the address space, but I declare a net also on the second card
route add -net 192.168.2.128 netmask 255.255.255.128 dev eth1
I also need to send all non-local packets out to the world so I tell
the kernel to send them to the big router
route add default gw 192.168.2.2
1.7) Card configuration
So much was standard networking setup, but we are bridging so we also
have to listen on both (?) cards for packets that are not aimed at us.
The following should go into the network configuration file.
ifconfig promisc eth0
ifconfig promisc eth1
The man page says allmulti=promisc, but it didn't work for me.
1.8) Additional routing
One thing that I noticed was that I had to put at least the second card
into a mode where it would respond to the big router's questions about
which machines I was hiding in my local net.
ifconfig arp eth1
For good measure I did this to the other card too.
ifconfig arp eth0.
1.9) Bridge Configuration
Put bridging enabling on and into your configuration file:
brcfg -enable
You should have been trying this out in real time all along, of course!
The bridge configure will bring up some numbers. You can experiment
with turning on and off the ports one at a time
brcfg -port 0 -disable/-enable
brcfg -port 1 -disable/-enable
You get status reports anytime by just running
brcfg
without any parameters. You will see that the bridge listens,learns,
and then does forwarding. (I don't understand why the code repeats the
same hardware addresses for both my cards, but never mind .. Chris'
howto say that is OK)
1.10) Try it out
If you are still up and running as things are, try out your
configuration script for real by taking down both cards and then
executing it:
ifconfig eth0 down
ifconfig eth1 down
/etc/rc.d/rc.inet1
With any luck the various subsystems (nfs, ypbind, etc.) won't notice.
Do not try this unless you are sitting at the keyboard!
If you want to be more careful than this, you should take down as many
daemons as possible beforehand, and unmount nfs directories. The worst
that can happen is that you have to reboot in singleuser mode (the
"single" parameter to lilo or loadlin). and take out your changes
before rebooting with things the way they were before you started.
1.11) Checks
Verify that there is different traffic on each interface:
tcpdump -i eth0 (in one window)
tcpdump -i eth1 (in another window)
You should get used to using tcpdump to look for things that should not
be happening or that are happening and should not.
For instance look for packets that have gone through the bridge to the
second card from the internal net
tcpdump -i eth1 -e host 192.168.2.22
and send a ping from the named host to the router. You should see
the packet reported by tcpdump.
At this stage you should have a fully working bridge that also has two
network addreses. Test that you can ping them from outside and inside
your local net, and that you can telnet and ftp around between inside
and outside too.
FIREWALLING
2.1) Software and reading
One should read the Firewall-HOWTO.
sunsite.unc.edu:/pub/Linux/docs/HOWTO/Firewall-HOWTO
That will tell you where to get ipfwadm if you don't already have it.
There are other tools you can get but I made no progress until I
tried ipfwadm. It is nice and low level! You can see exactly what it
is doing.
2.2) Preliminary checks
You have compiled IP-forwarding and masquerading into the kernel so you
will will want to check that the firewall is in its default (accepting)
state with
ipfwadm -I -l
ipfwadm -O -l
ipfwadm -F -l
You might have compiled in accounting too:
ipfwadm -A -l
You should see that there are no rules defined and that the default is
to accept every packet You can get back to this working state anytime
with
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f
You may need to use that.
2.3) Default rule
I want to cut the world off from my internal net and do nothing else, so
I will want to give as a last (default) rule that the firewall should
ignore any packets coming in from the internal net and directed to
outside. I put all these rules (in this order) into
/etc/rc.d/rc.firewall and execute it from rc.local at bootup.
ipfwadm -I -a reject -S 192.168.2.0/255.255.255.128 -D 0.0.0.0/0.0.0.0
2.4) Holes per address
Before that default rule, I have to place some rules that serve as
exceptions to this general denial of external services to internal
clients.
I want to treat the firewall machines address on the internal net
specially. I will stop people logging in to the firewall machine unless
they have special permission, but once they are there they should be
allowed to talk to the world.
ipfwadm -I -i accept -S 192.168.2.100/255.255.255.255 -D 0.0.0.0/0.0.0.0
I also want the internal clients to be able to talk to the firewalling
machine. Maybe they can persuade it to let them get out!
ipfwadm -I -i accept -S 192.168.2.0/255.255.255.128 \
-D 192.168.2.100/255.255.255.255
Check at this point that you can get in to the clients from outside the
firewall via telnet, but that you cannot get out. Try rlogin and ping
too, with tcpdump running on one card or the other. You should be able
to make sense of what you see.
2.5) Holes per protocol
I went on to relax the rules protocol by protocol. I want
to allow pings from the outside to the inside to get an echo back, for
instance, so I inserted the rule:
ipfwadm -I -i accept -P icmp -S 192.168.2.0/255.255.255.128 \
-D 0.0.0.0/0.0.0.0
Until I get hold of an ftp proxy I am also allowing ftp calls in and
out with some port-specific relaxations. Name service should also be
allowed in the end.
There is a particular problem with some daemons that look up the
hostname of the firewalling machine in order to decide what is their
networking address. Rpc.yppasswdd is the one I had trouble with. It
insists on broadcasting information that says it is outside the
firewall (on the second card). That means the clients inside can't
contact it.
There are several solutions: a) map the name to the inside card address
on the clients in /etc/hosts, b) change the name of the firewalling
machine to match its first cards network address, c) recode the daemon
source code to read info from a configuration file, d) learn about
aliasing. I will probably do one of the first three.
2.6) Checks
You want to test that you can still telnet, rlogin and ping from
the outside. From the inside you should be able to ping out. You should
also be able to telnet to the firewall machine. The latter should be
able to do anything.
That is it.
--
※ 来源:·BBS 水木清华站 bbs.net.tsinghua.edu.cn·[FROM: tec.cs.tsinghua]
BBS水木清华站∶精华区