Implementing a bridging-level firewall

The Drawbridge

Author(s):

Firewalls are typically implemented as routers,but it doesn’t have to be that way. Bridging packet filters have a number of advantages,and you can add them to your network at a later stage without changing the configuration of your network components.

Linux has earned a reputation as an excellent firewall platform. The kernel has a powerful Netfilter/ IPtables-based packet filter. In a traditional firewall scenario, Netfilter resides on a router, where it subdivides the network into two or more subnets. But adding a firewall to an established network can involve changing the network infrastructure. This effort can result in IP address changes and modifications to access controls for internal services. It is far simpler to add a bridge. Bridges reside in layer 2 of the OSI reference model and normally inspect MAC addresses rather than IP addresses (see the box titled “Building Bridges”). Linux can leverage this capability in a clever way to add transparent firewalling to a network. Of course, the bridge evaluates packets from the higher protocol layers (IP addresses, TCP ports) in its role as a firewall. But the hosts on the network will not notice a thing, unless they attempt to send illegal packets.

Read full article as PDF:

Bridgewall_Firewalling.pdf (338.96 kB)

Related content

  • Squid Bridge

    Caching proxies remember web pages and serve them up locally, saving both money and time. The most intelligent members of this family also remove dangerous content and provide transparent bridging.

  • Firewalls Intro

    Firewalls are becoming evermore sophisticated. Luckily, the tools for managing firewalls are becoming simpler and more accessible for ordinary users

  • Bluetooth Wireless Network

    You can even use Bluetooth as an alternative form of wireless networking. We’ll show you how.

  • Networking with VirtualBox

    Tour the VirtualBox virtualization tool, a free and easy environment for virtual versions of Linux, Unix, and Windows.

  • ARP Spoofing

    Any user on a LAN can sniff and manipulate local traffic. ARP spoofing and poisoning techniques give an attacker an easy way in.

comments powered by Disqus

Direct Download

Read full article as PDF:

Bridgewall_Firewalling.pdf (338.96 kB)

News