<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux Bridge+Firewall Mini-HOWTO version 1.2.0: What and Why (and How?)</TITLE>
<LINK HREF="Bridge+Firewall-3.html" REL=next>
<LINK HREF="Bridge+Firewall-1.html" REL=previous>
<LINK HREF="Bridge+Firewall.html#toc2" REL=contents>
</HEAD>
<BODY>
<A HREF="Bridge+Firewall-3.html">Next</A>
<A HREF="Bridge+Firewall-1.html">Previous</A>
<A HREF="Bridge+Firewall.html#toc2">Contents</A>
<HR>
<H2><A NAME="What and Why (and How?)"></A> <A NAME="s2">2. What and Why (and How?)</A></H2>
<P>
<P>
<H2><A NAME="What"></A> <A NAME="ss2.1">2.1 What</A>
</H2>
<P>A bridge is an intelligent connecting wire between two network cards.
A firewall is an intelligent insulator.
<P>
<H2><A NAME="Why"></A> <A NAME="ss2.2">2.2 Why</A>
</H2>
<P>You might want a bridge if you have several computers:
<P>
<OL>
<LI>
<A NAME="bridge1"></A> to save the price of a new hub when you just happen
to have an extra ethernet card available.
</LI>
<LI>
<A NAME="bridge2"></A> to save the bother of learning how to do
IP-forwarding and other tricks when you _have_ two cards in your
computer.
</LI>
<LI>
<A NAME="bridge3"></A> to avoid maintenance work in the future when
things change around!
</LI>
</OL>
<P>
<P>``Several computers'' might be as few as three if those are
routing or bridging or just moving around the room from time to time! You
also might want a bridge just for the fun of finding out what it does.
<A HREF="#bridge2">2</A> was what I wanted a bridge for.
<P>
<P>If you are really interested in
<A HREF="#bridge1">1</A>, you have to be one of the
very few. Check the
<A HREF="ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/NET-2-HOWTO">NET-2-HOWTO</A> and the
<A HREF="ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/Serial-HOWTO">Serial-HOWTO</A> for better tricks.
<P>
<P>You want a firewall if
<P>
<OL>
<LI> you are trying to protect your network from
external accesses, or
<A NAME="firewall1"></A>
</LI>
<LI> you are trying to deny access to the world
outside from your network.
<A NAME="firewall2"></A>
</LI>
</OL>
<P>
<P>Curiously, I needed
<A HREF="#firewall2">2</A> here too. Policy at my university
presently is that we should not act as internet service providers to
undergraduates.
<P>
<H2><A NAME="How?"></A> <A NAME="ss2.3">2.3 How?</A>
</H2>
<P>I started out bridging the network cards in a firewalling machine
and ended up firewalling without having cut the bridge. It seems to work
and is more flexible than either configuration alone. I can take down the
firewall and keep bridging or take down the bridge when I want to be more
circumspect.
<P>
<P>I would guess that the bridge code lives just above the physical device
layer and the firewalling code lives one layer higher up, so that the bridging
and firewalling configurations effectively act as though they are running
connected together ``in sequence'' and not ``in parallel''
(ouch!). Diagram:
<P>
<BLOCKQUOTE><CODE>
<PRE>
-&gt; Bridge-in -&gt; Firewall-in -&gt; Kernel -&gt; Firewall-out -&gt; Bridge-out -&gt;
</PRE>
</CODE></BLOCKQUOTE>
<P>
<P>There is no other way to explain how one machine can be a
``conductor'' and an ``insulator'' at the same time. There are a few
caveats but I'll come to those later. The important one follows from the
diagram: a frame that the bridge forwards from one card to the other never
climbs to the IP layer, so the firewall never sees it; only packets that the
kernel itself routes (or delivers locally) pass through the firewall rules.
Basically you must route packets that you want to firewall. Anyway, it all
seems to work together nicely for me. Here is what you do ...
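<P>To make the ``in sequence'' diagram and the routing caveat concrete, here is
a small model of the packet path through such a box. It is an added
illustration, not kernel code and not part of this HOWTO or its configuration
steps: the card names, MAC and IP addresses and the rule syntax are invented
for the example. A learning bridge forwards frames between the cards at the
link layer; only a frame addressed to the box's own card is handed up to IP,
where it meets Firewall-in, the kernel, and Firewall-out. The scenarios at the
bottom show the author's second use case (deny the outside world to an
undergraduate network) and the bypass that happens when a host addresses the
upstream router's MAC directly instead of routing through the box.

```python
"""Toy model of: Bridge-in -> Firewall-in -> Kernel -> Firewall-out -> Bridge-out.

Added example, not the kernel's bridging or firewall code.  All names,
addresses and rules below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Frame:
    ingress: str            # card the frame arrived on
    src_mac: str
    dst_mac: str
    src_ip: IPv4Address
    dst_ip: IPv4Address


@dataclass(frozen=True)
class Rule:
    action: str             # "accept" or "deny"
    src: IPv4Network
    dst: IPv4Network


class Firewall:
    """First-match IP filter with a default policy (one 'chain')."""
    def __init__(self, policy: str = "accept") -> None:
        self.policy = policy
        self.rules: list[Rule] = []

    def add(self, action: str, src: str, dst: str) -> None:
        self.rules.append(Rule(action, IPv4Network(src), IPv4Network(dst)))

    def check(self, f: Frame) -> str:
        for r in self.rules:
            if f.src_ip in r.src and f.dst_ip in r.dst:
                return r.action
        return self.policy


class BridgingFirewall:
    """One box that is a bridge at the link layer and a firewall at the IP layer."""
    def __init__(self, cards, own_mac: str, own_ip: str, fw_in: Firewall, fw_out: Firewall) -> None:
        self.cards = list(cards)
        self.own_mac, self.own_ip = own_mac, IPv4Address(own_ip)
        self.fw_in, self.fw_out = fw_in, fw_out
        self.table: dict[str, str] = {}     # learned MAC -> card

    def handle(self, f: Frame) -> tuple[str, list[str]]:
        trace = ["Bridge-in"]
        self.table[f.src_mac] = f.ingress   # learning bridge: remember where the sender lives
        if f.dst_mac != self.own_mac:
            # Not addressed to this box: forwarded (or flooded) purely at the
            # link layer.  The IP layer, and so the firewall, is never consulted.
            out = self.table.get(f.dst_mac)
            targets = [out] if out else [c for c in self.cards if c != f.ingress]
            trace.append("Bridge-out")
            return "bridged to " + ",".join(targets), trace
        # Addressed to us: the frame climbs into IP and meets the firewall.
        trace.append("Firewall-in")
        if self.fw_in.check(f) == "deny":
            return "dropped by Firewall-in", trace
        trace.append("Kernel")
        if f.dst_ip == self.own_ip:
            return "delivered locally", trace
        trace.append("Firewall-out")
        if self.fw_out.check(f) == "deny":
            return "dropped by Firewall-out", trace
        trace.append("Bridge-out")
        return "routed", trace


# --- constructed scenario (every address below is made up) ---
UNDERGRAD = "10.1.0.0/24"     # the network we must not act as ISP for
CAMPUS = "10.0.0.0/8"
ANY = "0.0.0.0/0"
BOX_MAC, ROUTER_MAC, STUDENT_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


def build_box() -> BridgingFirewall:
    fw_out = Firewall(policy="accept")
    fw_out.add("accept", UNDERGRAD, CAMPUS)   # campus-internal traffic is fine
    fw_out.add("deny", UNDERGRAD, ANY)        # ...but nothing beyond campus
    return BridgingFirewall(["eth0", "eth1"], BOX_MAC, "10.1.0.1", Firewall(), fw_out)


def run_scenarios(box: BridgingFirewall) -> dict[str, tuple[str, list[str]]]:
    student, outside = IPv4Address("10.1.0.50"), IPv4Address("198.51.100.7")
    return {
        # Student uses the box as gateway: the packet is routed, so it is firewalled.
        "via_gateway": box.handle(Frame("eth0", STUDENT_MAC, BOX_MAC, student, outside)),
        # Student addresses the upstream router's MAC directly: only bridged, never filtered.
        "bypass": box.handle(Frame("eth0", STUDENT_MAC, ROUTER_MAC, student, outside)),
        # Student talks to the box itself.
        "local": box.handle(Frame("eth0", STUDENT_MAC, BOX_MAC, student, IPv4Address("10.1.0.1"))),
        # Student reaches another campus network through the box.
        "campus": box.handle(Frame("eth0", STUDENT_MAC, BOX_MAC, student, IPv4Address("10.2.0.9"))),
    }


if __name__ == "__main__":
    for name, (result, trace) in run_scenarios(build_box()).items():
        print(f"{name:12s} {' -> '.join(trace):60s} {result}")
```

The ``bypass'' case is the caveat in practice: the outgoing deny rule is
correct, yet a host on the undergraduate side that sends frames straight to the
upstream router's MAC is carried across the bridge untouched. Filtering that
traffic needs either a rule mechanism that sees bridged frames or a layout in
which the box is the only path, i.e. the packets must be routed, not merely
bridged.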
<P>
<HR>
<A HREF="Bridge+Firewall-3.html">Next</A>
<A HREF="Bridge+Firewall-1.html">Previous</A>
<A HREF="Bridge+Firewall.html#toc2">Contents</A>
</BODY>
</HTML>