
Transparent Bridge Firewall.

Hi, I have a transparent bridge in front of my network.  Behind it are about 10 servers, all services from web to mail to FTP to MySQL.  I am trying to implement a firewall on the bridge.  The only problem is I can't get the firewall to pass the bridged packets unless I allow all bridged packets through.  Now if I do that then there is no point in having a firewall there, because all the packets are going to be bridged.  What am I doing wrong?  Here are the rules I have so far:

00500 allow udp from any 53 to any 1024-65535 bridged
00550 allow log udp from any to any 53 bridged
00557 allow log tcp from any 25,80,443 to any bridged
00578 allow log tcp from any to any 25,80,443 bridged
00579 allow log icmp from any to any bridged icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18
65534 deny log ip from any to any

These rules don't allow me to view a website or get mail from a server behind the bridge.

In the firewall log I get tons of these:

65534 Deny MAC in via dev0

All I would like to know how to do is pass the services through the bridge but block all other ports that I don't specifically open.

Any help is greatly appreciated.

2 Solutions

Have you removed IP addresses for your interfaces and setup bridge and specified your interfaces to be used for bridging?

seanostephens (Author) commented:
Yup, the bridge works fine.  And if I add this rule:

##### allow ip from any to any bridged

then the firewall lets me through.  However, I do believe that this is pointless, because all the packets that come through are going to be bridged.  So the firewall would be useless?  Right?

Okay. When you are bridging, does the specific device possess the knowledge of a firewall? If I am not wrong, only the Lucent Brick has the ability to do the firewalling job under bridge mode.
And if my guess is correct, you are using a FreeBSD/BSD box as your firewall.
If so, your statements may look like:
00500 allow udp from any 53 to any 1024-65535 in
00550 allow log udp from any to any 53 in

Correct me if it's a stupid guess. :)
seanostephens (Author) commented:
Yup, you're right on.  I don't know if the device possesses knowledge of the firewall???  How would I find out?  The bridge is the same machine as the firewall, so how would it not know?
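An added example from the editor, not part of the thread or its posters' rules. It assumes the box is a FreeBSD host running ipfw2 (5.x or later), where `bridged` is an alias for `layer2` and every frame the bridge forwards, ARP included, is run through the rules once as a layer-2 frame. On that reading the `Deny MAC in via dev0` lines are non-IP frames (ARP requests and replies) being caught by the final `deny log ip from any to any`, and without ARP no client can ever reach a server behind the bridge, however permissive the TCP rules are. The script keeps the services the question names, lets ARP through explicitly, and still ends in a logged deny. The `IPFW` variable, the service lists and the rule numbers are the editor's choices, and `net.link.ether.bridge_ipfw` must be set to 1 for the bridge to consult ipfw at all.

```shell
#!/bin/sh
# Added example (editor's own, not from the thread): ipfw2 rules for a
# transparent bridge that passes ARP plus the listed services and denies
# everything else. Assumptions: FreeBSD with ipfw2, where "bridged" is an
# alias for "layer2" and ARP frames also traverse the layer-2 rule pass;
# service lists and rule numbers are illustrative.
# Set IPFW=echo to print the rules instead of loading them.
set -eu

IPFW=${IPFW:-/sbin/ipfw}
TCP_SERVICES=${TCP_SERVICES:-25,80,443}     # services behind the bridge
ICMP_TYPES=${ICMP_TYPES:-0,3,4,8,11,12}     # echo, unreachable, quench, time exceeded, param problem

fw() { "$IPFW" "$@"; }

apply_bridge_rules() {
    fw -q flush

    # ARP is not IP. The bridge hands it to the firewall as a layer-2 frame,
    # so it must be allowed before any "ip from any to any" deny can see it.
    fw add 100 allow ip from any to any layer2 mac-type arp
    # Anything else that is not IP at layer 2 is dropped and logged.
    fw add 110 deny log ip from any to any layer2 not mac-type ip

    # DNS: replies from port 53 to ephemeral ports, queries to port 53.
    fw add 500 allow udp from any 53 to any 1024-65535 layer2
    fw add 550 allow udp from any to any 53 layer2

    # TCP services: only a SYN toward a service port may open a connection.
    # After that, segments carrying ACK/RST pass, but only for flows that
    # involve a service port, so a bare "established" cannot be used to
    # reach arbitrary ports with ACK-flagged packets.
    fw add 600 allow tcp from any to any "$TCP_SERVICES" setup layer2
    fw add 610 allow tcp from any "$TCP_SERVICES" to any established layer2
    fw add 620 allow tcp from any to any "$TCP_SERVICES" established layer2

    # A limited ICMP set.
    fw add 700 allow icmp from any to any icmptypes "$ICMP_TYPES" layer2

    # Final catch-all, still logged so anything new shows up in the log.
    fw add 65000 deny log ip from any to any
}

# With no argument the script only defines functions.
case "${1:-}" in
    print) IPFW=echo; apply_bridge_rules ;;
    apply) apply_bridge_rules ;;
esac
```

Run `sh bridge-fw.sh print` first to review the rules, then `apply`. After loading, `ipfw -a list` shows per-rule packet counters: rule 100 should climb as soon as a client ARPs for a server, and `MAC` entries should stop appearing against the final deny. The `setup`/`established` pair is stateless; it blocks the ACK-scan that a bare `established` rule would let through, but it does not track connections the way `keep-state` does.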
