gkfwb - 2009-01-04

I have read the cookbook section online about setting up a bridging firewall, but it was written for FWBuilder 2.06, not 3.0.4, and there are some things that I am not understanding.

My PC is running CentOS 5. I have 2 interfaces right now, but once I get this working I want to move to 5.

I set up the bridge like so on the system

#!/bin/sh
# Strip the IP addresses from the physical ports (and leave them up);
# the bridge device will carry the management address instead.
/sbin/ifconfig eth0 0.0.0.0 up
/sbin/ifconfig eth1 0.0.0.0 up
# Create the bridge and enslave both ports to it.
/usr/sbin/brctl addbr homebridge
/usr/sbin/brctl addif homebridge eth0
/usr/sbin/brctl addif homebridge eth1
# Management address lives on the bridge device, not on eth0/eth1.
/sbin/ifconfig homebridge 192.168.1.5 netmask 255.255.255.0 up
echo "1" > /proc/sys/net/ipv4/ip_forward
# Default route out through the bridge device.
route add default gw 192.168.1.1 dev homebridge

In FWBuilder I have the following configured
[] Firewalls
   - homebridge *
    - eth0 ( unnum )
    - eth1 ( unnum )
    - bridge ( ext )    - mgmt int, int is external, regular int
   HomeBridge firewall settings are:
    accept tcp sessions opened prior to firewall restart
    accept ESTABLISHED and RELATED
    Drop packets that are with no known connection
    Bridging firewall
    Detect Shadowing

With that said, here is where I am having a problem. I want to configure a home version similar to a netscreen in transparent mode. Each interface is a zone and I can setup rules for each zone.

Eth0 - My Desktop
Eth1 - Untrust
Eth2 - Wife's PC
Eth3 - Kids' PC in living room

The only way I can get this working is when I have a rule like this:
src       dest      service                                     interf      direction            action   time
any    any     established/icmp/dns/http/https    all    bidirection    allow    any

If I try using the actual eth0/eth1 as the source and destination, traffic no longer passes to the internet (or at least I don't see it). I have also tried various permutations of using the bridge interface as the source or destination, and no luck either.

How do I go about using Firewall Builder to control the traffic between the interfaces such that

src       dest      service                                     interf      direction            action   time
eth1    eth0      any                all    incoming    deny    log
eth0     eth1      established/icmp/dns/http/https    all    bidirection    allow    any

Thanks
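As an added example (not from the original post, and not FWBuilder's generated output): the zone policy the poster is asking for, written directly as iptables rules on the Linux bridge. On a bridge, frames between the ports never have a routed "-i/-o" interface; they pass through the FORWARD chain (as long as net.bridge.bridge-nf-call-iptables is 1, the default once the bridge module is loaded), and the physdev match is what identifies the bridge port a frame came in on and will go out on. That is the netfilter equivalent of a per-interface "zone" rule. The port names (eth0 trusted, eth1 untrusted), the bridge name and the service set (established, icmp, dns, http, https) are taken from the post; the function names and the DRY_RUN switch are my own assumptions so the script can be reviewed without root or a real bridge.

```shell
#!/bin/sh
# Added example, not FWBuilder output: per-bridge-port ("zone") policy
# using the iptables physdev match. Assumed names: run, zone_policy, DRY_RUN.
# Port roles come from the post: eth0 = desktop (trusted), eth1 = untrust.

BRIDGE=homebridge
TRUST=eth0
UNTRUST=eth1
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands instead of running them

# Run a command, or just print it when DRY_RUN=1, so the resulting rule
# list can be read (and checked) on a box that has no bridge.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the full FORWARD policy for one trusted port against the untrusted
# port. Order matters: iptables stops at the first matching rule.
zone_policy() {
    trust=$1; untrust=$2
    # Make sure bridged frames are handed to iptables at all.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    # Default deny for everything crossing the bridge.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Replies to connections already allowed: accept in both directions.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rule 1 from the post: new traffic entering on the untrusted port and
    # leaving on the trusted port is logged, then dropped.
    run iptables -A FORWARD -m physdev --physdev-in "$untrust" --physdev-out "$trust" \
        -m state --state NEW -j LOG --log-prefix "$untrust-to-$trust: "
    run iptables -A FORWARD -m physdev --physdev-in "$untrust" --physdev-out "$trust" -j DROP
    # Rule 2 from the post: trusted -> untrusted may open icmp, dns, http, https.
    run iptables -A FORWARD -m physdev --physdev-in "$trust" --physdev-out "$untrust" -p icmp -j ACCEPT
    for svc in "udp 53" "tcp 53" "tcp 80" "tcp 443"; do
        set -- $svc   # $1 = protocol, $2 = destination port
        run iptables -A FORWARD -m physdev --physdev-in "$trust" --physdev-out "$untrust" \
            -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
    done
}

zone_policy "$TRUST" "$UNTRUST"
```

Run it as-is to see the rule list; run it as root with DRY_RUN=0 to load it. The point to compare against the FWBuilder-generated script is the match type: a rule that compiles to `-i eth0` or `-o eth1` can never match a bridged frame, because the bridge ports have no IP-layer role, whereas `--physdev-in`/`--physdev-out` does. Note also that the single ESTABLISHED,RELATED rule is what makes the "bidirectional" behaviour work; the per-service rules only need to match the NEW packet of each flow.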