Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: arne on September 21, 2005, 09:09:15 PM

Title: SME 7.0 beta 4 - Supports bridging mode firewall !
Post by: arne on September 21, 2005, 09:09:15 PM
For those who might be interested in this kind of stuff:

Have just tested SME 7.0 with a bridging mode firewall setup. Was just curious if the kernel supported this (like the CentOS kernel does).

I am communicating through the SME 7.0 bridging firewall just now.

Works ok, but don't know how this could be used on an SME 7.0 in a reasonable and good way. One example of possible use could be if you would like to divide one network subnet into two different security zones (cabled / wireless LAN).

If someone would like to try a bridge, it can be established with this script:

#!/bin/sh
# Take the IP addresses off both ports; a bridge port carries no address of its own.
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0

echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush: drop every existing rule, user chain and counter (lost until next reboot)
iptables -t nat -F
iptables -F
iptables -X
iptables -Z

# Default policies: everything is accepted, so no filtering at this point
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Create the bridge and attach both ports to it
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

# Give the bridge itself an address so the box stays reachable for management
ifconfig br0 10.0.0.35 netmask 255.255.255.0

ifconfig br0 up


This will flush out the existing firewall (until next reboot), and a new bridge firewall will eventually have to be established.

Don't know if this is required. I guess not:

echo 1 > /proc/sys/net/ipv4/ip_forward


If anybody thinks the bridge mode is an interesting alternative, or has some interesting potential for use, please leave a few words.

Best regards, Arne.
Title: Re: SME 7.0 beta 4 - Supports bridging mode firewall !
Post by: gordonr on September 21, 2005, 10:39:08 PM
Quote from: "arne"
For those who might be interested in this kind of stuff:

Have just tested SME 7.0 with a bridging mode firewall setup. Was just curious if the kernel supported this (like the CentOS kernel does).


Naturally, as SME 7.0beta is CentOS 4.1, with some package additions and removals. However, packages which come from CentOS, including the kernel, are used unmodified (with one bug fix to a postinstall scriptlet for ntpd).

Quote from: "arne"

This will flush out the existing firewall (until next reboot), and a new bridge firewall will eventually have to be established.


Yes, testers please be careful. This is an interesting early development, but you are running without strict firewall rules.

Quote from: "arne"

If anybody thinks the bridge mode is an interesting alternative, or has some interesting potential for use, please leave a few words.


I think a bridge mode firewall is a very interesting extension rather than an alternative. It could provide a nice solution to ISP redundancy. I suggest further discussion is best suited to the devinfo developers list where we can talk further about design and integration.
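Arne's script above builds the bridge but leaves all three iptables policies at ACCEPT, which is the point of gordonr's warning. The following is an added example, not code from the thread or from SME Server, of what the "new bridge firewall" for the cabled / wireless split Arne mentions could look like on that kernel generation: the bridged frames are matched on their physical ingress and egress port with the iptables physdev match. It assumes eth0 is the wired side, eth1 the wireless side, br0 gets 10.0.0.35/24 for management, and that bridged traffic is handed to iptables (bridge-nf), which the 2.6 kernel in CentOS 4 does by default. Everything is driven through a small run wrapper so the rules can be printed (DRY_RUN=1 or the "show" argument) without touching the box.

```shell
#!/bin/sh
# Added example: a bridge between a wired and a wireless segment with a
# default-deny ruleset between the two zones. Interface names, the
# management address and the allowed services are assumptions, not
# something the thread specifies. Run as root to apply; DRY_RUN=1 prints.

WIRED=eth0          # assumed: cabled LAN port
WIRELESS=eth1       # assumed: wireless LAN port
BRIDGE=br0
MGMT_IP=10.0.0.35
NETMASK=255.255.255.0
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Same bridge as in Arne's script, with both ports also brought up explicitly.
setup_bridge() {
    run ifconfig "$WIRED" 0.0.0.0 up
    run ifconfig "$WIRELESS" 0.0.0.0 up
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$WIRED"
    run brctl addif "$BRIDGE" "$WIRELESS"
    run ifconfig "$BRIDGE" "$MGMT_IP" netmask "$NETMASK" up
}

# Zone policy: wired may reach wireless freely; wireless may only open
# DHCP, DNS and web sessions towards the wired side, and only replies to
# those come back. Frames crossing the bridge traverse FORWARD; frames
# addressed to the bridge's own IP traverse INPUT.
filter_rules() {
    run iptables -F
    run iptables -X
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP      # default deny, unlike the ACCEPT policies above
    run iptables -P OUTPUT ACCEPT

    # Management address: loopback, replies, and SSH only from the wired port.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m physdev --physdev-in "$WIRED" -p tcp --dport 22 -j ACCEPT

    # Replies to sessions already allowed in either direction.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Wired -> wireless: anything.
    run iptables -A FORWARD -m physdev --physdev-in "$WIRED" --physdev-out "$WIRELESS" -j ACCEPT
    # Wireless -> wired: DHCP, DNS and HTTP/HTTPS only; log what gets dropped.
    run iptables -A FORWARD -m physdev --physdev-in "$WIRELESS" -p udp --dport 67:68 -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$WIRELESS" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$WIRELESS" -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$WIRELESS" -j LOG --log-prefix "wlan-drop: "
}

# Nothing happens unless asked: "apply" configures the box, "show" prints.
case "${1:-}" in
    apply) setup_bridge; filter_rules ;;
    show)  DRY_RUN=1; setup_bridge; filter_rules ;;
esac
```

Before applying, check that bridged frames actually reach iptables: sysctl net.bridge.bridge-nf-call-iptables should read 1, otherwise the FORWARD rules never see the traffic and the DROP policy is not what protects the wired side. The logging rule is the easiest way to confirm the physdev match is working: a wireless client trying something other than DHCP, DNS or web should show up as wlan-drop entries in the kernel log.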