A bridge is exactly what it is, and it gives me the ability to insert code to process the packets any way I want. Plus, it only took about 8 hours to write the firewall and maybe another 8 hours to add multithreaded queueing and prioritization, so it wasn't much of an investment in time (but a good learning experience). I tried Linux bridging with ipchains and neither would work together; they only worked on their own. Plus, your alternate solution is BSD, not Linux. heh. If the program you mention can prioritize certain packets over others, do bandwidth throttling on any traffic pattern, provide a web interface to view the stats in real time, and modify the rules table on the fly via a web interface, then I'd be interested.

Some additional features I plan to add:

1. Fake RST-ACK blocked ports to port scanners. For example, if you nmap a firewalled port, nmap tells you it's firewalled because it doesn't receive a RST-ACK when it's probed. If the firewall will send the RST-ACK to the port scanner on behalf of the firewalled box, then a port scanning program won't even be able to tell if you have your network firewalled.

2. NAT through a bridge. In *theory*, when I forward packets I could replace an "internet IP" with a 10-net IP and then back to an internet IP on the way out. Certain boxes could have a 10-net but still have a unique IP on the Internet; others could be proxied through 1 IP. This could potentially allow 10-net boxes full internet access with no configuration needed on clients. This would give NAT/proxied machines the benefits of all the other features of this program. And the best thing is that you don't need to rely on Cisco routers to handle these features even if they could.

Of course, some of these ideas are future ideas and may exist already in other packages, but my goal is to integrate all these features into a single transparent bridge (using my algorithms). Plus, it's a good learning experience in the process.

If anyone knows of any Linux transparent firewalls that they know to work, I'd be interested in hearing about it.

Jason

At 05:42 PM 11/18/00 -0600, you wrote:
>On Fri, Nov 17, 2000 at 06:10:15PM -0600, Jason DeStefano wrote:
>>
>You didn't have to write this yourself. It sounds to me like an ethernet
>bridge. Can be done easily in OpenBSD by setting up the bridge0 device and
>putting your filtering rules in /etc/ipf.rules. It's one of the coolest
>capabilities I've seen in OpenBSD. Hopefully, something similar will be
>implemented in the 2.4 Linux kernel. Anyone know if Linux is already
>capable of bridging like this?
>
>Gabe
>
>--
>--------------------------------------------------------------------------------
>Gabe Turner                                 | X-President,
>UNIX Systems Administrator,                 | Assoc. for Computing Machinery
>U of M Supercomputing Institute for         | University of Minnesohta
>Digital Simulation and Advanced Computation | dopp at acm.cs.umn.edu
>
>"Ooo-eeee-Ooooo, Killer Tofu!" - The Beats "Killer Tofu"
>--------------------------------------------------------------------------------
>_______________________________________________
>tclug-list mailing list
>tclug-list at lists.real-time.com
>https://mailman.real-time.com/mailman/listinfo/tclug-list
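The first planned feature above (the bridge answering a probe with the RST-ACK a closed port would send, on behalf of the host it filters) is the same thing a packet filter's reject-with-TCP-reset action does; as an added example that is not Jason's code, here is the packet-construction half of it in C. It assumes raw IPv4 frames, a reply without IP options and a fixed TTL of 64; the names build_rst_ack and make_sample_syn and the sample SYN are constructed for this illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Minimal IPv4 and TCP headers without options (20 bytes each); multi-byte fields stay in network order. */
struct ip4_hdr { uint8_t vhl, tos; uint16_t len, id, frag; uint8_t ttl, proto; uint16_t csum; uint32_t src, dst; };
struct tcp_hdr { uint16_t sport, dport; uint32_t seq, ack; uint8_t off, flags; uint16_t win, csum, urg; };
enum { TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10 };
/* Internet checksum: big-endian one's-complement sum of 16-bit words, then fold the carries and invert. */
static uint32_t ones_sum(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)((p[0] << 8) | p[1]);
    return n ? acc + (uint32_t)(p[0] << 8) : acc;
}
static uint16_t fold(uint32_t a) { while (a >> 16) a = (a & 0xffff) + (a >> 16); return (uint16_t)~a; }
/* TCP checksum covers the IPv4 pseudo-header (src, dst, 0, proto 6, TCP length) plus the segment. */
static uint16_t tcp_checksum(const struct ip4_hdr *ip, const uint8_t *seg, size_t n) {
    uint8_t ph[12] = {0};
    memcpy(ph, &ip->src, 4); memcpy(ph + 4, &ip->dst, 4);
    ph[9] = 6; ph[10] = (uint8_t)(n >> 8); ph[11] = (uint8_t)n;
    return fold(ones_sum(seg, n, ones_sum(ph, 12, 0)));
}

/* Write into `out` the 40-byte RST/ACK a closed port would send for the bare SYN in `in`. Returns -1
 * (send nothing) unless `in` is IPv4 TCP with only SYN set: a reset is never generated in reply to a RST. */
int build_rst_ack(const uint8_t *in, size_t inlen, uint8_t out[40]) {
    struct ip4_hdr ip, rip = {0}; struct tcp_hdr tcp, rtcp = {0};
    if (inlen < 20) return -1;
    memcpy(&ip, in, 20);
    size_t ihl = (size_t)(ip.vhl & 0x0f) * 4;
    if ((ip.vhl >> 4) != 4 || ip.proto != 6 || ihl < 20 || inlen < ihl + 20) return -1;
    memcpy(&tcp, in + ihl, 20);
    if ((tcp.flags & (TCP_SYN | TCP_ACK | TCP_RST)) != TCP_SYN) return -1;
    rip.vhl = 0x45; rip.len = htons(40); rip.ttl = 64; rip.proto = 6;
    rip.src = ip.dst; rip.dst = ip.src;                  /* reply carries the protected host's address */
    rtcp.sport = tcp.dport; rtcp.dport = tcp.sport;
    rtcp.ack = htonl(ntohl(tcp.seq) + 1);                /* RFC 793 reset of a SYN: SEQ=0, ACK=SEG.SEQ+1 */
    rtcp.off = 5 << 4; rtcp.flags = TCP_RST | TCP_ACK;
    rtcp.csum = htons(tcp_checksum(&rip, (const uint8_t *)&rtcp, 20));
    rip.csum = htons(fold(ones_sum((const uint8_t *)&rip, 20, 0)));
    memcpy(out, &rip, 20); memcpy(out + 20, &rtcp, 20);
    return 0;
}

/* Constructed sample input: SYN from 10.0.0.1:50000 to 192.168.1.5:22, ISN 0x12345678, window 65535. */
size_t make_sample_syn(uint8_t pkt[40]) {
    static const uint8_t syn[40] = { 0x45,0,0,40, 0,0,0,0, 64,6,0,0, 10,0,0,1, 192,168,1,5,
        0xc3,0x50, 0,22, 0x12,0x34,0x56,0x78, 0,0,0,0, 0x50,TCP_SYN, 0xff,0xff, 0,0, 0,0 };
    memcpy(pkt, syn, 40);
    return 40;
}
```

Because the bridge speaks for the host, it should only ever reset a bare SYN (the code refuses anything else) and should rate-limit the replies, so that a flood of probes cannot turn the bridge into a source of forged resets.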