Solved

Transparent Bridge Firewall.

Posted on 2005-03-22
Last Modified: 2013-11-16
Hi, I have a transparent bridge in front of my network.  Behind it are about 10 servers, all services from web to mail to ftp to MySQL.  I am trying to implement a firewall on the bridge.  The only problem is I can't get the firewall to pass the bridged packets unless I allow all bridged packets through.  Now if I do that then there is no point in having a firewall there because all the packets are going to be bridged.  What am I doing wrong?  Here are the rules I have so far:

00500 allow udp from any 53 to any 1024-65535 bridged
00550 allow log udp from any to any 53 bridged
00557 allow log tcp from any 25,80,443 to any bridged
00578 allow log tcp from any to any 25,80,443 bridged
00579 allow log icmp from any to any bridged icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18
65534 deny log ip from any to any

These rules don't allow me to view a website or get mail from a server behind the bridge.

In the firewall log I get tons of these:

65534 Deny MAC in via dev0

All I would like to know how to do is pass the services through the bridge but block all other ports that I don't specifically open.

Any help is greatly appreciated.

Cheers
Question by:seanostephens
LVL 5

Assisted Solution

by:tmehmet
tmehmet earned 960 total points
ID: 13607297

Have you removed IP addresses for your interfaces, set up the bridge, and specified your interfaces to be used for bridging?


Author Comment

by:seanostephens
ID: 13612445
Yup, the bridge works fine.  And if I add this rule:

##### allow ip from any to any bridged.

then the firewall lets me through.  However I do believe that this is pointless, because all the packets that come through are going to be bridged.  So the firewall would be useless?  Right?

LVL 12

Accepted Solution

by:
srikrishnak earned 1040 total points
ID: 13612683
Okie... When you are bridging, does the specific device possess the knowledge of a firewall? If I am not wrong, only Lucent Brick has got the ability to do the firewalling job under bridge mode...
And if my guess is correct, you are using a FreeBSD/BSD box as your firewall.
If so, your statements may look like:
00500 allow udp from any 53 to any 1024-65535 in
00550 allow log udp from any to any 53 in

Correct me if it's a stupid guess. :)

Author Comment

by:seanostephens
ID: 13614300
Yup, you're right on.  I don't know if the device possesses knowledge of the firewall???  How would I find out?  The bridge is the same machine as the firewall, so how would it not know?
0
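
Added example (not code from anyone in this thread): a simplified first-match model of the rule list posted in the question, run over constructed frames to show which ones fall through to rule 65534. It is not ipfw itself; the model assumes `bridged` matches frames seen at layer 2, that `ip` matches any frame, and that non-IP frames such as ARP are what the log reports as `MAC`.

```python
"""Simplified first-match model of the rule list posted in the question (not ipfw itself)."""
import re

# Rules copied from the question.
RULESET = """\
00500 allow udp from any 53 to any 1024-65535 bridged
00550 allow log udp from any to any 53 bridged
00557 allow log tcp from any 25,80,443 to any bridged
00578 allow log tcp from any to any 25,80,443 bridged
00579 allow log icmp from any to any bridged icmptypes 0,3,4,5,8,9,10,11,12,13,14,15,16,17,18
65534 deny log ip from any to any"""

RULE = re.compile(r"(\d+) (allow|deny)(?: log)? (\w+) from any ?([\d,-]*) to any ?([\d,-]*)"
                  r"( bridged)?(?: icmptypes ([\d,]+))?")

def port_ok(spec, port):
    """Empty spec matches anything; otherwise port must fall in one listed value or range."""
    if not spec:
        return True
    ranges = (part.partition("-") for part in spec.split(","))
    return port is not None and any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def matches(rule, frame):
    _, _, proto, sports, dports, bridged, icmptypes = rule
    if bridged and not frame["layer2"]:            # assumption: "bridged" = seen at layer 2
        return False
    if proto != "ip" and proto != frame["proto"]:  # assumption: "ip" matches any frame
        return False
    if icmptypes and str(frame.get("icmptype")) not in icmptypes.split(","):
        return False
    return port_ok(sports, frame.get("sport")) and port_ok(dports, frame.get("dport"))

def verdict(frame, ruleset=RULESET):
    """Return (rule number, action) of the first matching rule, or None."""
    for line in ruleset.splitlines():
        rule = RULE.fullmatch(line.strip()).groups()
        if matches(rule, frame):
            return int(rule[0]), rule[1]
    return None

# Constructed sample frames crossing the bridge (proto None = non-IP, e.g. ARP).
FRAMES = {
    "ARP request":  {"layer2": True, "proto": None},
    "HTTP request": {"layer2": True, "proto": "tcp", "sport": 40000, "dport": 80},
    "HTTP reply":   {"layer2": True, "proto": "tcp", "sport": 80, "dport": 40000},
    "DNS query":    {"layer2": True, "proto": "udp", "sport": 40000, "dport": 53},
    "SSH attempt":  {"layer2": True, "proto": "tcp", "sport": 40000, "dport": 22},
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:13} -> rule {verdict(frame)}")
```

In this model only the non-IP frame and the SSH attempt reach rule 65534, and prepending the `allow ip from any to any bridged` rule from the author's comment lets every frame through at the first rule.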

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question