From: Steve H. <he...@th...> - 2003-08-13 00:53:58
Note that I have moved this question to the development list. Now that ebtables is the bridging software of choice for the newer kernels, I have been wondering if Shorewall could be extended to support bridges. It looks like you have some experience with bridges and might have some ideas.

What I am interested in is the ability to use the great Shorewall configuration files to create filter rule sets for bridges. I haven't spent too much time thinking about it, but as a small first step I would propose a /etc/Shorewall/bridges file with these columns:

# INTERFACE 1   INTERFACE 2   BRIDGE NAME   BRIDGE OPTIONS
  eth0          eth1          br0

During Shorewall startup, the script could build the bridges. Are there any bridge options that need to be specified in this new configuration file? Once a bridge interface was known to Shorewall, how would the policy and rules tables get extended to support bridges?

Thanks,

-- 
Steve Herber   he...@th...   work: 206-221-7262
Security Engineer, UW Medicine, IT Services   home: 425-454-2399

On Tue, 12 Aug 2003, Steven Jan Springl wrote:

> On Tuesday 12 August 2003 21:52, Tom Eastep wrote:
> > On Tue, 2003-08-12 at 13:49, Steven Jan Springl wrote:
> > > You can bridge eth1 and eth2 provided you do not want any packet
> > > filtering between them (which you wouldn't if it's acting like a hub). You
> > > could call the bridge eth3, give it an IP address which would be the
> > > default gateway for his two workstations. Shorewall could then be set up
> > > to do packet filtering between eth0 and eth3.
> >
> > Thanks, Steven -- I wondered if that was possible.
> >
> > -Tom
>
> You're welcome Tom.
>
> I should also have said that eth1 and eth2 should be given an IP address of
> 0.0.0.0.
>
> I have been running my system at home with 3 bridged interfaces on a pristine
> 2.4.21 kernel for several weeks without any problems.
>
> There are some very significant performance advantages when using a bridge.
> My bridge/firewall is a 200 MHz Pentium MMX.
>
> If I connect 2 workstations back to back, I can get transfer rates between the
> 2 workstations of 10.1 MBytes per second.
>
> If I connect the workstations to the firewall (without bridging) and set up
> Shorewall to ACCEPT everything between the 2 workstations, I get transfer
> rates of about 5 MBytes per second, with the firewall CPU running at 100%.
>
> If I bridge the two workstations on the firewall, I get transfer rates of
> 10 MBytes per second, with the CPU running at 32%.
>
> Steven
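As an added example (not Shorewall's own code, and not from anyone in this thread), the following POSIX shell script shows what the proposed "build the bridges at startup" step could look like: it reads a bridges file in the column layout proposed above and prints the brctl/ifconfig commands that would create each bridge, without running them, so the result can be reviewed before it touches a box that sits in the forwarding path. The original proposal only names the columns; the comma-separated OPTIONS syntax, the `-` placeholder for "no options", and `stp` as the single recognised option are assumptions made here. Member ports are brought up with address 0.0.0.0, as the quoted reply recommends, so that the bridge interface is the only one carrying an IP and therefore the only one Shorewall needs to filter on.

```shell
#!/bin/sh
# Added example (not Shorewall code): turn a bridges file in the format proposed
# above into the commands that build the bridges on a 2.4-era system.
#
# Assumed format, one bridge per line, '#' starts a comment:
#   INTERFACE1  INTERFACE2  BRIDGE  [OPTIONS]
# OPTIONS is assumed to be a comma-separated list, with '-' meaning none. The only
# option understood here is "stp" (enable spanning tree); anything else is an error,
# so a typo cannot be silently ignored on a device that forwards traffic.

# Read a bridges file on stdin and print, but do not run, the commands for it.
# Returns 1 (and stops) at the first malformed entry.
bridge_cmds() {
    while read -r if1 if2 br opts extra || [ -n "$if1" ]; do
        case $if1 in ''|\#*) continue ;; esac      # blank line or comment line
        case $opts in \#*) opts= extra= ;; esac    # comment after the third column
        case $extra in \#*) extra= ;; esac         # comment after the fourth column
        if [ -z "$if2" ] || [ -z "$br" ] || [ -n "$extra" ]; then
            echo "bridge_cmds: malformed entry: $if1 $if2 $br $opts $extra" >&2
            return 1
        fi
        if [ "$if1" = "$if2" ]; then
            echo "bridge_cmds: $br: the same interface is listed twice" >&2
            return 1
        fi
        stp=off
        old_ifs=$IFS; IFS=,
        for opt in ${opts:--}; do
            case $opt in
                -)   ;;                           # explicit "no options"
                stp) stp=on ;;
                *)   IFS=$old_ifs
                     echo "bridge_cmds: $br: unknown option '$opt'" >&2
                     return 1 ;;
            esac
        done
        IFS=$old_ifs
        echo "brctl addbr $br"
        # Member ports get no address of their own (0.0.0.0, as the thread says);
        # the bridge interface carries the IP and is what Shorewall filters on.
        echo "ifconfig $if1 0.0.0.0 up"
        echo "ifconfig $if2 0.0.0.0 up"
        echo "brctl addif $br $if1"
        echo "brctl addif $br $if2"
        echo "brctl stp $br $stp"
        echo "ifconfig $br up"
    done
}

# Constructed sample input in the proposed format; not from the original post.
sample_cmds() {
    bridge_cmds <<'EOF'
# INTERFACE1  INTERFACE2  BRIDGE  OPTIONS
eth0          eth1        br0            # plain hub-like bridge
eth2          eth3        br1     stp    # with spanning tree enabled
EOF
}

sample_cmds
```

Run it as `sh bridges.sh` to see the commands, and `sh bridges.sh | sh` (as root) once they look right. On current kernels the same result is obtained with `ip link add br0 type bridge` and `ip link set eth0 master br0` instead of brctl, but the model from the thread is unchanged: there is no filtering between the member ports of a bridge, so only interfaces that should behave like one hub segment belong in the same line of this file.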