# Building a bridging firewall.



## Gweedeaux (Jul 8, 2004)

I am currently attempting to build a bridging firewall. Linux/Unix is NOT my area of expertise. But this is my commission, nonetheless. I have Gibraltar 2.0 installed using a boot-from-CD. Using scripts scrounged up from the web, I've managed to get the basic bridge created and even set it to block/permit ports (I think). However, my script only allows me to configure one of my three network cards. Since there is no GUI for me to work with and I'm extremely unfamiliar with the command line interface for Linux, I need to know how to manually configure the other two network cards. I'd also like to have it log remotely to a different server, but would need to know the commands to set that as well. Is this the best way to go about this? I also have copies of RedHat 9 (kernel 2.4) and Knoppix; if one of those would be easier to build the bridge off of I'm willing to try it, but I've tried to build it off RedHat and had trouble there too due to my inexperience with Linux. Anyone know of any solutions for me, or even the location of specific step-by-step instructions for building one of these? I'm on a time crunch and starting to get desperate...
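
The three-card layout the question describes, as an added example that is not part of the original post: two cards bridged with no address, the third addressed for administration, a default-deny iptables ruleset, and remote logging. It assumes bridge-utils, iptables and sysklogd on a 2.4 kernel with bridge-netfilter support; the interface names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: bring up a three-card Linux 2.4 bridging
# firewall (bridge-utils + iptables, as on a Gibraltar-style boot CD) and forward
# its logs to a remote syslog server. Names and addresses below are constructed.
BRIDGED_IFS="eth0 eth1"         # the two ports that carry bridged traffic, no IP
MGMT_IF="eth2"                  # third card: addressed only for administration
MGMT_ADDR="192.0.2.2"
MGMT_MASK="255.255.255.0"
ADMIN_HOST="192.0.2.10"         # workstation allowed to SSH in
LOG_HOST="192.0.2.20"           # remote syslog server
ALLOWED_TCP="25 80 443"         # TCP services permitted to cross the bridge
# Each function prints the commands rather than running them, so the sequence
# can be reviewed with `./bridge.sh` and then applied with `./bridge.sh apply`.
bridge_commands() {
    echo "brctl addbr br0"
    for ifn in $BRIDGED_IFS; do
        echo "ifconfig $ifn 0.0.0.0 up"       # bridge ports carry no address
        echo "brctl addif br0 $ifn"
    done
    echo "ifconfig br0 up"                    # the bridge itself stays unaddressed
    echo "ifconfig $MGMT_IF $MGMT_ADDR netmask $MGMT_MASK up"
}

# Default deny on both the bridged path (FORWARD; needs bridge-netfilter in the
# kernel) and the box itself (INPUT); only SSH from the admin host reaches eth2.
firewall_commands() {
    echo "iptables -F; iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $MGMT_IF -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $ALLOWED_TCP; do
        echo "iptables -A FORWARD -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -j LOG --log-prefix 'BRIDGE-DROP: '"   # logged, then dropped by policy
}

# sysklogd syntax: '@host' forwards every message to the log server over UDP/514.
syslog_config() {
    echo "*.* @$LOG_HOST"
}

if [ "${1:-}" = "apply" ]; then
    { bridge_commands; firewall_commands; } | sh -e
    syslog_config >> /etc/syslog.conf && killall -HUP syslogd
else
    bridge_commands; firewall_commands
    echo "# append to /etc/syslog.conf:"; syslog_config
fi
```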


----------



## Volt-Schwibe (Jan 12, 2003)

if you are talking about a linux router / hardware firewall...

i would suggest you check out smoothwall. it has a nice interface, and once built, can be administered similarly to any router.

although, it will ask you to use a 500 meg hard disk. (i put a 1 gig disk in mine)

www.smoothwall.org


----------



## Gweedeaux (Jul 8, 2004)

I forgot to mention...the reason I'm building a bridging firewall is that I'm not allowed to use NAT. So this box isn't going to do any routing at all on the layer 3 level. This precludes me from using 98% of the firewall appliances/software out there, and is the reason I'm forced to go the Linux/Unix route.


----------



## jvigil (Aug 23, 2004)

I successfully built a transparent bridge with full firewall and bandwidth limiting capabilities. I used two FE cards at layer 2 (basically no IP) and a third card was installed and DMZ'd with an IP so that I could remotely manage the box.

Software used:

- FreeBSD 4.8
- IPFW
- Dummynet

Bandwidth capabilities:

- WF2Q+ (Weighted Fair Queueing)
- Multipath/Reordering
- Dynamic pipes
- Dynamic queues

You can also simulate different connection types with different amounts of jitter and bursting loss and use the box as a test bed. The best part is that you only need a PII-233 or higher with 2 NICs and 64-128MB memory. Just pop this baby in between two L2 or L3 devices and you will be set. Although this bridge is transparent, it is totally capable of handling L3 firewall rules.
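
The layout jvigil describes in working form, as an added example rather than his own script: two bridged cards without addresses, a third with an address for remote management, IPFW filtering and dummynet WF2Q+ queues on FreeBSD 4.x. Interface names, the management addresses and the bandwidth figure are assumptions.

```shell
#!/bin/sh
# Added example, not jvigil's own script: a FreeBSD 4.x transparent bridge with
# IPFW filtering and dummynet WF2Q+ shaping in the layout described above, fxp0/fxp1
# bridged without addresses and fxp2 addressed for management. Interface names,
# the 192.0.2.0/24 management net and the bandwidth figure are constructed values.
# Kernel needs options BRIDGE, IPFIREWALL, IPFIREWALL_VERBOSE and DUMMYNET.
OUTSIDE="fxp0"; INSIDE="fxp1"                  # bridged pair, no IP addresses
MGMT_IF="fxp2"; MGMT_ADDR="192.0.2.2/24"; ADMIN_NET="192.0.2.0/24"
LINK_KBIT=2048                                 # capacity of the uplink behind fxp0
# Functions print the commands so the result can be reviewed before running
# `./bridge.sh apply`; bridge_ipfw=1 is what makes bridged frames visit ipfw.
bridge_commands() {
    echo "ifconfig $OUTSIDE up"
    echo "ifconfig $INSIDE up"
    echo "ifconfig $MGMT_IF inet $MGMT_ADDR"
    echo "sysctl net.link.ether.bridge_cfg=$OUTSIDE,$INSIDE"
    echo "sysctl net.link.ether.bridge=1"
    echo "sysctl net.link.ether.bridge_ipfw=1"
}

# A bridged frame visits ipfw once, as 'in' on the interface that received it, so
# direction is written 'in recv <if>'; with the default one_pass=1 a packet that
# enters a pipe or queue is accepted, so the queue rules double as allow rules.
ipfw_rules() {
    echo "ipfw -f flush; ipfw -f pipe flush"
    echo "ipfw pipe 1 config bw ${LINK_KBIT}Kbit/s"    # inbound
    echo "ipfw pipe 2 config bw ${LINK_KBIT}Kbit/s"    # outbound
    echo "ipfw queue 1 config pipe 1 weight 70"        # WF2Q+: interactive share
    echo "ipfw queue 2 config pipe 1 weight 30"        # WF2Q+: bulk share
    # the box itself: only SSH from the admin net, on the management card
    echo "ipfw add 100 allow ip from any to any via lo0"
    echo "ipfw add 200 allow tcp from $ADMIN_NET to me 22 in recv $MGMT_IF"
    echo "ipfw add 210 allow tcp from me 22 to $ADMIN_NET out xmit $MGMT_IF"
    echo "ipfw add 220 deny log ip from any to me"
    # inbound bridged: SSH to inside hosts (interactive), replies to inside-initiated
    # TCP and DNS (bulk); every other inbound packet is logged and dropped
    echo "ipfw add 400 queue 1 tcp from any to any 22 in recv $OUTSIDE bridged"
    echo "ipfw add 410 queue 2 tcp from any to any in recv $OUTSIDE bridged established"
    echo "ipfw add 420 queue 2 udp from any 53 to any in recv $OUTSIDE bridged"
    # outbound bridged: anything from the inside may leave, shaped by pipe 2
    echo "ipfw add 500 pipe 2 ip from any to any in recv $INSIDE bridged"
    echo "ipfw add 65000 deny log ip from any to any"
}

if [ "${1:-}" = "apply" ]; then
    { bridge_commands; ipfw_rules; } | sh -e
else
    bridge_commands; ipfw_rules
fi
```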


----------



## Gweedeaux (Jul 8, 2004)

That sounds more like what I'm looking for. However, without good resources as to how to install, configure and support it, I'm out of luck. All my experience and certifications are Windows. I've conveniently shut the Linux/Unix world out for the last 6 years. Now that I've opened that door, it's coming down hard! Heh.


----------



## jvigil (Aug 23, 2004)

Let me see what I can find for you... stand by for a day or so. Thanks! :bgrin:


----------



## Volt-Schwibe (Jan 12, 2003)

many people build linux firewall/routers that have the NAT disabled.

they simply add an in card, and an out card, and disable the DHCP (DCHP?) part of it, effectively making a non routing linux hardware firewall.

at which point you can bring up nice logs, and traffic graphs, and such.

EDIT: i forgot to mention that with a setup like this you have 100% port control and can lock internet ip addresses out.


----------



## jvigil (Aug 23, 2004)

Seeing that Layer 2 does not support NAT for obvious reasons, my example is exactly that. Now as far as separate In and Out cards go, well, I'm not sure if a Simplex connection is what he is looking for, unless you mean 4 cards total, 2 for each side of the network.


----------



## Skie (Mar 15, 2003)

I don't know how much time you have to work on this, but if you have time to spare, I would suggest fiddling with a Linux box and trying to learn how to use it. Then work with one of the non-GUI-based firewall setups. You'll have better control of what's going on as well as a better ability to do exactly what you need.

If time isn't an option, your choices will be a bit more limited, especially if a solution like Smoothwall won't do what you need it to do.

I use OpenBSD for my firewall and NAT, and I know that I can set it up to bypass NAT. However, there's no GUI to configure anything. The nice thing is, they offer a "tutorial" on their website on how to get a basic install up and running. But configuring it to do what you need will take some thinking. I wouldn't go this route unless you had time to play around.


----------



## jvigil (Aug 23, 2004)

I agree. Sometimes you can find frontend software that applies a GUI for management purposes. However, I think that any UNIX/Linux based server is not the easiest to configure, but damn is it stable once it is up and running :chgrin: .


----------

