version 3.03 help with bridge config

gkfwb
2009-01-04
2013-03-05

    I have read the cookbook section online about setting up a bridging firewall, but it was written for FWBuilder 2.06, not 3.0.4, and there are some things that I am not understanding.

    My PC is running centos 5, I have 2 interfaces right now, but once I get this working I want to move to 5.

    I set up the bridge like so on the system:

    /sbin/ifconfig eth0 0.0.0.0                 # clear the IP so the port can be enslaved
    /sbin/ifconfig eth1 0.0.0.0
    /usr/sbin/brctl addbr homebridge            # create the bridge device
    /usr/sbin/brctl addif homebridge eth0       # add both NICs as bridge ports
    /usr/sbin/brctl addif homebridge eth1
    /sbin/ifconfig homebridge 192.168.1.5 netmask 255.255.255.0 up   # management address on the bridge
    echo "1" > /proc/sys/net/ipv4/ip_forward
    route add default gw 192.168.1.1 homebridge

    In FWBuilder I have the following configured:
    [] Firewalls
       - homebridge *
        - eth0 ( unnum )
        - eth1 ( unnum )
        - bridge ( ext )    - mgmt int,int is external, regular int
       HomeBridge firewall settings are
        accept tcp sessions opened prior to firewall restart
        accept ESTABLISHED and RELATED
        Drop packets that are with no known connection
        Bridging firewall
        Detect Shadowing

    With that said, here is where I am having a problem. I want to configure a home version similar to a netscreen in transparent mode. Each interface is a zone and I can setup rules for each zone.

    Eth0 - My Desktop
    Eth1 - Untrust
    Eth2 - Wifes PC
    Eth3 - Kids PC in livingroom

    The only way I can get this working is when I have a rule like this:

    src   dest   service                           interf   direction     action   time
    any   any    established/icmp/dns/http/https   all      bidirection   allow    any

    If I try using the actual eth0/eth1 as the source and destination, traffic no longer passes to the internet (or at least I don't see it). I have also tried various permutations of using the bridge interface as the source or destination and no luck either.

    How do I go about using Firewall Builder to control the traffic between the interfaces such that:

    src    dest   service                           interf   direction     action   time
    eth1   eth0   any                               all      incoming      deny     log
    eth0   eth1   established/icmp/dns/http/https   all      bidirection   allow    any

    thanks
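For reference, here is the iptables equivalent of the two-zone policy asked about in the post above, as an added example; it is not the poster's configuration and not what Firewall Builder generates. It assumes the bridge ports eth0 (desktop) and eth1 (untrust) from the post, that the kernel's physdev match is available, and that bridged frames are handed to iptables (the bridge-nf-call-iptables sysctl).

```shell
#!/bin/sh
# Added example: per-port (zone) filtering on a Linux bridge with iptables.
# Assumes the "homebridge" setup from the post: eth0 = desktop, eth1 = untrust.
set -eu

# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"

# Emit the FORWARD-chain rules for one trusted/untrusted port pair.
# On a bridge, the physical port a frame entered or leaves on is only
# visible via the physdev match, not via -i/-o on the bridge device.
bridge_zone_rules() {
    trusted="$1"    # bridge port facing the desktop
    untrusted="$2"  # bridge port facing the internet

    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies to sessions opened from the trusted side.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Untrust -> desktop: log, then deny everything with no known connection.
    $IPT -A FORWARD -m physdev --physdev-in "$untrusted" --physdev-out "$trusted" \
        -j LOG --log-prefix "untrust-deny: "
    $IPT -A FORWARD -m physdev --physdev-in "$untrusted" --physdev-out "$trusted" -j DROP

    # Desktop -> untrust: only icmp, dns, http and https are allowed out.
    for svc in "-p icmp" "-p udp --dport 53" "-p tcp --dport 53" \
               "-p tcp --dport 80" "-p tcp --dport 443"; do
        # $svc is intentionally unquoted so it splits into separate arguments.
        $IPT -A FORWARD -m physdev --physdev-in "$trusted" --physdev-out "$untrusted" \
            $svc -j ACCEPT
    done
}

# Make the kernel pass bridged traffic through iptables (needs bridge netfilter).
enable_bridge_nf() {
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
}

# Uncomment to apply on the firewall itself:
# enable_bridge_nf
# bridge_zone_rules eth0 eth1
```

Run with `IPT=echo sh script.sh` after uncommenting the last line to review the generated rules before applying them.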