<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux Bridge+Firewall Mini-HOWTO version 1.2.0: What and Why (and How?)</TITLE>
<LINK HREF="Bridge+Firewall-3.html" REL=next>
<LINK HREF="Bridge+Firewall-1.html" REL=previous>
<LINK HREF="Bridge+Firewall.html#toc2" REL=contents>
</HEAD>
<BODY>
<A HREF="Bridge+Firewall-3.html">Next</A>
<A HREF="Bridge+Firewall-1.html">Previous</A>
<A HREF="Bridge+Firewall.html#toc2">Contents</A>
<HR>
<H2><A NAME="What and Why (and How?)"></A> <A NAME="s2">2. What and Why (and How?)</A></H2>
<P>
<P>
<H2><A NAME="What"></A> <A NAME="ss2.1">2.1 What</A>
</H2>
<P>A bridge is an intelligent connecting wire between two network cards.
A firewall is an intelligent insulator.
<P>
<H2><A NAME="Why"></A> <A NAME="ss2.2">2.2 Why</A>
</H2>
<P>You might want a bridge if you have several computers:
<P>
<OL>
<LI>
<A NAME="bridge1"></A> to save the price of a new hub when you just happen
to have an extra ethernet card available.
</LI>
<LI>
<A NAME="bridge2"></A> to save the bother of learning how to do
IP-forwarding and other tricks when you _have_ two cards in your
computer.
</LI>
<LI>
<A NAME="bridge3"></A> to avoid maintenance work in the future when
things change around!
</LI>
</OL>
<P>
<P>``Several computers'' might be as few as three if those are
routing or bridging or just moving around the room from time to time! You
also might want a bridge just for the fun of finding out what it does.
<A HREF="#bridge2">2</A> was what I wanted a bridge for.
<P>
<P>If you are really interested in
<A HREF="#bridge1">1</A>, you have to be one of the
very few. Check the
<A HREF="ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/NET-2-HOWTO">NET-2-HOWTO</A> and the
<A HREF="ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/Serial-HOWTO">Serial-HOWTO</A> for better tricks.
<P>
<P>You want a firewall if
<P>
<OL>
<LI> you are trying to protect your network from
external accesses, or
<A NAME="firewall1"></A>
</LI>
<LI> you are trying to deny access to the world
outside from your network.
<A NAME="firewall2"></A>
</LI>
</OL>
<P>
<P>Curiously, I needed
<A HREF="#firewall2">2</A> here too. Policy at my university
presently is that we should not act as internet service providers to
undergraduates.
<P>
<H2><A NAME="How?"></A> <A NAME="ss2.3">2.3 How?</A>
</H2>
<P>I started out bridging the network cards in a firewalling machine
and ended up firewalling without having cut the bridge. It seems to work
and is more flexible than either configuration alone. I can take down the
firewall and keep bridging or take down the bridge when I want to be more
circumspect.
<P>
<P>I would guess that the bridge code lives just above the physical device
layer and the firewalling code lives one layer higher up, so that the bridging
and firewalling configurations effectively act as though they are running
connected together ``in sequence'' and not ``in parallel''
(ouch!). Diagram:
<P>
<BLOCKQUOTE><CODE>
<PRE>
-> Bridge-in -> Firewall-in -> Kernel -> Firewall-out -> Bridge-out ->
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>There is no other way to explain how one machine can be a
``conductor'' and an ``insulator'' at the same time. There are a few
caveats but I'll come to those later. Basically you must route packets
that you want to firewall. Anyway, it all seems to work together nicely
for me. Here is what you do ...
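<P>The packet path in the diagram above, as an added model (example code, not the HOWTO's own): one host that bridges at layer 2 and firewalls at layer 3, with the stages wired ``in sequence''. Interface names, MAC and IP addresses, the route table and the (destination prefix, port) deny-rule shape are all constructed for the example; the model only shows the stage ordering, that either stage can be taken down independently, and the caveat just stated: frames bridged between other hosts never reach the firewall, so traffic you want to firewall has to be routed through the kernel.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    in_port: str   # the card the frame arrived on, e.g. "eth0"
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dport: int

class BridgingFirewall:
    """One host that bridges at layer 2 and firewalls routed traffic at layer 3."""
    def __init__(self, own_mac, own_ip, ports, bridging=True, firewalling=True):
        self.own_mac, self.own_ip, self.ports = own_mac, own_ip, ports
        self.bridging, self.firewalling = bridging, firewalling
        self.fdb = {}       # learned MAC -> port (the bridge's forwarding table)
        self.routes = {}    # destination IP prefix -> (out port, next-hop MAC)
        self.deny_in = []   # (dst IP prefix, dport) pairs rejected by Firewall-in
        self.deny_out = []  # (dst IP prefix, dport) pairs rejected by Firewall-out

    def _firewall(self, pkt, rules):
        if not self.firewalling:   # firewall taken down: everything passes
            return True
        return not any(pkt.dst_ip.startswith(p) and pkt.dport == d for p, d in rules)

    def _bridge_out(self, pkt, port=None):
        port = port or self.fdb.get(pkt.dst_mac)
        if port is None:           # destination not yet learned: flood the other cards
            return "flood:" + ",".join(p for p in self.ports if p != pkt.in_port)
        return "forward:" + port

    def handle(self, pkt):
        self.fdb[pkt.src_mac] = pkt.in_port             # Bridge-in: learn the source
        if pkt.dst_mac != self.own_mac:
            # Frame for another host: bridged straight through (or ignored) and never
            # seen by the firewall, hence "you must route packets that you want to firewall".
            return self._bridge_out(pkt) if self.bridging else "drop:not-bridging"
        if not self._firewall(pkt, self.deny_in):       # Firewall-in
            return "drop:firewall-in"
        if pkt.dst_ip == self.own_ip:                   # Kernel: addressed to this host
            return "deliver:local"
        hit = next((r for p, r in self.routes.items() if pkt.dst_ip.startswith(p)), None)
        if hit is None:
            return "drop:no-route"
        port, next_hop = hit                            # Kernel: route it onward
        pkt.src_mac, pkt.dst_mac = self.own_mac, next_hop
        if not self._firewall(pkt, self.deny_out):      # Firewall-out
            return "drop:firewall-out"
        return self._bridge_out(pkt, port)              # Bridge-out
```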
<P>
<HR>
<A HREF="Bridge+Firewall-3.html">Next</A>
<A HREF="Bridge+Firewall-1.html">Previous</A>
<A HREF="Bridge+Firewall.html#toc2">Contents</A>
</BODY>
</HTML>