I put a bridging firewall together last winter (with some help) and have had it in production in front of a couple of Windows web and mail servers for going on 6 months now. I used Fedora C1 with the 2.4.22 kernel and 0.9.6 bridge-utils. The bridge has solved a lot of security headaches. I use a modified startup script written by David Whitmarsh that has worked really well:

http://www.sparkle-cc.co.uk/firewall/rc.firewall.sh.txt

Now that Fedora C2 has the 2.6 kernel (2.6.5-1.358) I figured I'd try it on a test machine. I loaded the 0.9.6 bridge-utils rpm that came with it, for simplicity, and double checked the networking files to make sure eth0 and eth1 were set up correctly without IPs. I then ran these commands in bash and the bridge came up perfectly.

-------------------------------------
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig br0 192.168.1.14 up
---------------------------------------

I could see across the bridge from both sides, and thought this is too easy. Then I dropped the startup script I've been using in /etc/rc.d and started running into problems. I found out modules are handled a little differently now (modutils to module-init-tools), so iptables has to be handled a little differently.
But what's got me is the errors popping up when trying to start the bridge from this script I'm testing with (syntax OK):

--------------------------------------
#!/bin/sh

# Bridge address and interface names
BR_IP="192.168.1.14"
BR_IFACE=br0
INET_IFACE="eth1"
LAN_IFACE="eth0"

# Create the bridge and enslave both physical interfaces
brctl addbr $BR_IFACE
brctl addif $BR_IFACE $INET_IFACE
brctl addif $BR_IFACE $LAN_IFACE

# Bridged ports carry no IP of their own; bring up the bridge device
ifconfig $INET_IFACE 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0
ifconfig $BR_IFACE up
--------------------------------------

which works fine with the 2.4 kernel but errors out with

--------------------------------------
[root@test root]# sh /etc/rc.d/rc.bridge
SIOCSIFADDR: No such device
: unknown interface: No such device
SIOCSIFADDR: No such device
: unknown interface: No such device
 doesn't exist!
 doesn't exist!
: Host name lookup failure
ifconfig: `--help' gives usage information.
--------------------------------------

on this test box. I believe this is a similar problem to the one noted a few days ago by Harald Küthe

http://lists.osdl.org/pipermail/bridge/2004-June/000382.html

(although I'm using the 0.9.6 bridge-utils) regarding where SIOCGIFCONF only lists interfaces that have IP addresses. I tried adding IPADDR=0.0.0.0 to ifcfg-eth0 and ifcfg-eth1 but it had no effect. Fedora uses glibc, so the patch for uClibc wasn't useful.

What I don't understand is how the same commands can be typed into a shell, but won't work in the script? Pardon my ignorance, as I'm just learning Linux and trying to muddle my way through, but any pointers would be appreciated. I'd also appreciate any suggestions on how to handle the iptables rules in a startup script.

Thank you,
Jim
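An added diagnostic check, not part of the original post and not an answer from the list: the empty interface names in the error output above (": unknown interface", " doesn't exist!", and "up" being treated as a host name) are the symptom a script shows when its lines end in carriage returns, so this assumes the file was saved with DOS (CRLF) line endings and checks for that before looking further at kernel or bridge-utils differences. The sample script text is constructed for the demo.

```sh
#!/bin/sh
# Assumption (not stated in the post): a stray "\r" at the end of each line
# becomes part of every variable value, so "eth1" turns into "eth1<CR>" and
# ifconfig/brctl print the name as an empty-looking string before the colon.

# check_crlf FILE: returns 0 if FILE contains no carriage returns, 1 otherwise.
# Portable: compare the file against a copy with every "\r" removed.
check_crlf() {
    tr -d '\r' < "$1" | cmp -s - "$1"
}

# strip_crlf SRC DST: write a copy of SRC without carriage returns to DST,
# leaving SRC untouched so the original can still be inspected.
strip_crlf() {
    tr -d '\r' < "$1" > "$2"
}

# report_crlf FILE: print the line numbers that carry a "\r", for the log.
report_crlf() {
    awk '/\r$/ { printf "%s:%d: CRLF line ending\n", FILENAME, NR }' "$1"
}

# demo: constructed copy of the post's rc.bridge fragment with CRLF endings.
# Returns 0 when the CR is detected and the cleaned copy passes the check.
demo() {
    dirty=$(mktemp) || return 1
    clean=$(mktemp) || return 1
    printf 'BR_IFACE=br0\r\nINET_IFACE="eth1"\r\nbrctl addif $BR_IFACE $INET_IFACE\r\n' > "$dirty"
    if check_crlf "$dirty"; then
        echo "unexpected: no carriage returns found" >&2
        return 1
    fi
    report_crlf "$dirty"
    strip_crlf "$dirty" "$clean"
    check_crlf "$clean" || return 1
    rm -f "$dirty" "$clean"
    return 0
}
```

Running `check_crlf /etc/rc.d/rc.bridge` on the test box tells you in one step whether the failing script and the commands typed at the prompt really are the same bytes.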