Firewall Builder Bridging

Setting up a bridging firewall using Linux Ethernet Bridging and Firewall Builder

Stewart Outram <stewart at soutram.fsnet.co.uk> contributed this tutorial on setting up a bridging firewall with Firewall Builder.

Thanks Stewart!

Setting up a Bridged Firewall using Firewall Builder

Background

My system is based on a Debian distro (SimplyMepis) and a Zoom ADSL modem with a built-in router. The Zoom under normal usage is capable of having a number of devices on the same private subnet connected via a hub to the LAN side and is, in my case, allocated a public IP address by my ISP at boot time.

Due to the fairly limited firewall capabilities of the Zoom, I elected to use it as an ADSL modem only, with SNAT enabled and its firewall effectively switched off.

I decided to use Firewall Builder on one of my servers to act as the Firewall. In an ideal world this should of course be a dedicated Firewall server, but for reasons of economics this server is also used to run a number of applications. I don't, however, run any services such as Web, Mail, ssh etc. either on or behind my Firewall. I do have a VPN tunnel which passes through the Firewall to my laptop for work purposes.

You could approach this in a number of ways:

  1. Use two private subnets for eth0 and eth1, set up the Firewall in the conventional (routed) way and enable SNAT on the Firewall. Although this clearly works it doesn't feel like an elegant solution.
  2. Use two private subnets for eth0 and eth1 and use a form of “Proxy ARP” by adding virtual interfaces on the Zoom side of the Firewall.
  3. Use the following method of making the Firewall server act as an Ethernet bridge, and enabling Firewall Builder to act in Bridge mode.

I strongly recommend that the following work is done with access to the Internet disconnected: until the firewall policy is loaded, the bridge forwards every frame between eth0 and eth1 unfiltered.

There are two phases to setting things up:

  1. Getting the Bridge software working
  2. Setting up Firewall Builder in Bridge mode

a. Getting the Bridge working

The home page for the Bridge software is http://bridge.sf.net

If, however, like me you have a Debian based O/S then you can apt-get “bridge-utils”, which gives you all the additional software that you require.

These are the steps required to set up the Bridge:

  • First you need to assign eth0 and eth1 zero addresses; the ports of a bridge must not carry IP addresses of their own. You can do this via ifconfig eth0 0.0.0.0 and ifconfig eth1 0.0.0.0. However, it is likely that there is a GUI tool that will enable you to do this. (You want eth0 and eth1 to be assigned zero addresses at boot time, so check whether your GUI tools will enable you to do this.)
  • Create the Bridge Interface (say br0) by using “brctl addbr br0”.

  • Add the interfaces to the Bridge by using “brctl addif br0 eth0” and “brctl addif br0 eth1”.

  • Check your progress by using “brctl show”, which should list both ports under br0:
    bridge name     bridge id           STP enabled     interfaces
    br0             xxxxxxxx            no              eth0
                                                        eth1
  • Assign the Bridge Interface br0 an IP address and start it up by using “ifconfig br0 192.168.0.1 netmask 255.255.255.0 up”.
  • Check with “ifconfig”. You should now see at least br0, eth0, eth1 and lo and br0 should have the above IP address and mask.
  • Add a default route to the gateway (which should be the IP address of the Router/ADSL modem) using “route add default gw 192.168.0.66”. Check using “route” that you do now in fact have a route to the Router/Modem:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   Interface
    192.168.0.0     *               255.255.255.0   U       br0
    default         192.168.0.66    0.0.0.0         UG      br0
  • Now test that your network is fully working
  • You will have to set the gateway IP address on each of your LAN-based servers to that of the Router/Modem (192.168.0.66 in my case), not to the Firewall: in bridge mode the Firewall is transparent, and br0's address is only there so that the Firewall host itself can be reached.
  • In order to automate this process at boot time you will have to edit one of the startup scripts. For my Debian based system I had to edit “/etc/network/interfaces”. I added the following text to this file (later bridge-utils packages install ifupdown hooks, so the same stanza can be written with a single “bridge_ports eth0 eth1” line in place of the pre-up commands):
                auto br0
                iface br0 inet static
                address 192.168.0.1
                netmask 255.255.255.0
                network 192.168.0.0
                broadcast 192.168.0.255
                gateway 192.168.0.66
                pre-up /sbin/ip link set eth0 up
                pre-up /sbin/ip link set eth1 up
                pre-up /usr/sbin/brctl addbr br0
                pre-up /usr/sbin/brctl addif br0 eth0
                pre-up /usr/sbin/brctl addif br0 eth1
            
  • Reboot and retest that the network is working.
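
The whole bring-up, as an added example script that is not part of the original tutorial: it runs the same steps as the list above (using ip in place of ifconfig and route) and then parses the output of brctl show to confirm that both ports are attached, which is the check worth putting in any boot-time script so that a half-built bridge is noticed rather than leaving the LAN cut off. The interface names and addresses are the tutorial's; DRY_RUN, the function names and the sample brctl output are this example's own.

```sh
#!/bin/sh
# Added example (not from the tutorial): bring up a two-port transparent bridge and check it.
# Needs bridge-utils and iproute2; run as root.  DRY_RUN=1 prints the commands instead.
set -eu

run() {
    # Execute a command, or just echo it with a "+ " marker when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# setup_bridge BRIDGE PORT1 PORT2 ADDR/PREFIX GATEWAY
# Same steps as the manual procedure above, using ip(8) for the address and the route.
setup_bridge() {
    br=$1 p1=$2 p2=$3 addr=$4 gw=$5
    # The ports carry no IP address of their own: flush anything a GUI tool may have set.
    run ip addr flush dev "$p1"
    run ip addr flush dev "$p2"
    run ip link set "$p1" up
    run ip link set "$p2" up
    # Only create the bridge device if it is not already there, so the script can be re-run.
    if [ "${DRY_RUN:-0}" = 1 ] || [ ! -d "/sys/class/net/$br" ]; then
        run brctl addbr "$br"
    fi
    run brctl addif "$br" "$p1"
    run brctl addif "$br" "$p2"
    # Only the bridge gets an address; the default route points at the ADSL router through it.
    run ip addr add "$addr" dev "$br"
    run ip link set "$br" up
    run ip route add default via "$gw" dev "$br"
}

# check_bridge_ports BRIDGE PORT...   (stdin: the output of "brctl show")
# Succeeds only if every named port is listed under BRIDGE.  brctl prints the first port on
# the bridge's own line and every further port on a continuation line by itself.
check_bridge_ports() {
    br=$1; shift
    found=$(awk -v br="$br" '
        NR == 1 { next }                                   # column header
        NF >= 3 { cur = $1; if (cur == br && NF >= 4) print $4; next }
        NF == 1 && cur == br { print $1 }                  # continuation line: one more port
    ')
    for want in "$@"; do
        echo "$found" | grep -qx "$want" || return 1
    done
}

# Constructed sample of "brctl show" output (not a real capture), used by --selfcheck.
SAMPLE_BRCTL_SHOW=$(printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\nbr0\t\t8000.000c29a1b2c3\tno\t\teth0\n\t\t\t\t\t\t\teth1\n')

case "${1:-}" in
    --apply)
        setup_bridge br0 eth0 eth1 192.168.0.1/24 192.168.0.66
        if [ "${DRY_RUN:-0}" != 1 ]; then
            brctl show | check_bridge_ports br0 eth0 eth1 || { echo "bridge incomplete" >&2; exit 1; }
        fi ;;
    --selfcheck)
        echo "$SAMPLE_BRCTL_SHOW" | check_bridge_ports br0 eth0 eth1 && echo "parser ok" ;;
esac
```

Run it as DRY_RUN=1 sh bridge.sh --apply first to see exactly what will be executed; only then run it for real, from the console rather than over the network, since the ports lose their addresses part-way through.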

b. Setting up Firewall Builder in Bridged mode.

Create a Firewall with “Unnumbered interfaces” for eth0 and eth1, and a “Regular interface” for br0.

Assign br0 the IP address for the Server (192.168.0.1 for mine).

Select “Bridging Firewall” under Advanced Settings. I chose to select Firewall is NOT part of ANY. However, this can be overridden on individual Rules where appropriate.

   

Add Rules according to your requirements. Note that references to the Firewall object will only include the IP address of the interface br0, since eth0 and eth1 are unnumbered. However, eth0 and eth1 can still be used to indicate direction where appropriate.

E.g. Anti Spoofing on eth0 (External Interface).

N.B. Use of the External and Internal Interfaces is not currently working in Bridging mode. iptables sees a bridged packet as arriving on the bridge device (br0), not on the physical port, so the “-i eth0” match that the compiler emits never fires on bridged traffic and the anti-spoofing rules below are not actually applied. For this to work correctly with a bridge the iptables match module “-m physdev --physdev-in eth0” needs to be used in place of “-i eth0”. This is planned to be implemented in Firewall Builder at version 2.1. A workaround is to write the Anti Spoofing Rules with physdev and put them into the Prologue section of the script via the Firewall settings. Check also that iptables is seeing bridged traffic at all: that requires bridge-netfilter, i.e. the sysctl net.bridge.bridge-nf-call-iptables set to 1 (on current kernels the br_netfilter module has to be loaded for the sysctl to exist); without it none of the FORWARD rules in this tutorial see a single bridged packet.

N.B. The above Rule 1 prevents packets entering the Firewall at eth0 (External Interface) with a source IP address in the private address ranges. However, the Zoom Router/Modem's own address, 192.168.0.66, lies inside 192.168.0.0/16, so Rule 1 would also drop the Zoom's traffic to the Firewall and LAN; hence the need for Rule 0 ahead of it. (ARP, which the Zoom uses to learn physical addresses, is not IP and is not filtered by iptables at all; it passes the bridge regardless of these rules.) Rule 0 as written accepts any new connection from the Zoom's address to anything; if you can identify what the modem actually needs to initiate, narrow it to that. Note also that the labels assigned to the interfaces, External=eth0 and Internal=eth1, appear in the tabs in the header above the Rules.

The iptables commands the compiler creates for Rules 0, 1 and 2 are:

    #
    # Rule 0 (eth0)
    #
    echo "Rule 0 (eth0)"
    #
    # Allow Zoom
    # to ALL
    #
    $IPTABLES -N eth0_In_RULE_0
    $IPTABLES -A INPUT -i eth0 -s 192.168.0.66 -m state --state NEW -j eth0_In_RULE_0 
    $IPTABLES -A FORWARD -i eth0 -s 192.168.0.66 -m state --state NEW -j eth0_In_RULE_0 
    $IPTABLES -A eth0_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
    $IPTABLES -A eth0_In_RULE_0 -j ACCEPT 
    #
    # Rule 1 (eth0)
    #
    echo "Rule 1 (eth0)"
    #
    # Anti-Spoof
    #
    $IPTABLES -N eth0_In_RULE_1
    $IPTABLES -A INPUT -i eth0 -s 10.0.0.0/8 -j eth0_In_RULE_1 
    $IPTABLES -A INPUT -i eth0 -s 192.168.0.0/16 -j eth0_In_RULE_1 
    $IPTABLES -A INPUT -i eth0 -s 172.16.0.0/12 -j eth0_In_RULE_1 
    $IPTABLES -A FORWARD -i eth0 -s 10.0.0.0/8 -j eth0_In_RULE_1
    $IPTABLES -A FORWARD -i eth0 -s 192.168.0.0/16 -j eth0_In_RULE_1 
    $IPTABLES -A FORWARD -i eth0 -s 172.16.0.0/12 -j eth0_In_RULE_1 
    $IPTABLES -A eth0_In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
    $IPTABLES -A eth0_In_RULE_1 -j DROP 
    #
    # Rule 2 (eth0)
    echo "Rule 2 (eth0)"
    #
    # Xmas Scan
    #
    $IPTABLES -N eth0_In_RULE_2
    $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ALL URG,PSH,FIN -j eth0_In_RULE_2 
    $IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --tcp-flags ALL URG,PSH,FIN -j eth0_In_RULE_2 
    $IPTABLES -A eth0_In_RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
    $IPTABLES -A eth0_In_RULE_2 -j DROP 
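
What the Prologue workaround can look like, as an added example (not from the tutorial and not Firewall Builder output): a shell function that builds the equivalent of Rules 0 and 1 with the physdev match keyed on the external bridge port, exempting the Zoom's address first, plus a small filter that rewrites the “-i ethN” matches in compiled rules into “-m physdev --physdev-in ethN”. The chain name, the DRY_RUN switch and the loopback range in the --apply invocation are this example's assumptions; the addresses are the tutorial's.

```sh
#!/bin/sh
# Added example (not from the tutorial or from Firewall Builder): anti-spoofing on a bridge
# port.  iptables sees bridged packets with IN=br0, so "-i eth0" never matches them; the
# physical port a frame arrived on is matched with "-m physdev --physdev-in eth0".
set -eu
IPTABLES=${IPTABLES:-iptables}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# bridge_antispoof EXT_PORT ROUTER_IP NET...
# Drop packets with a source in any NET that enter on EXT_PORT, after exempting ROUTER_IP:
# the ADSL router's own address is private and would otherwise be dropped too (the page's Rule 0).
bridge_antispoof() {
    ext=$1 router=$2; shift 2
    chain="${ext}_antispoof"                      # assumed chain name
    run "$IPTABLES" -N "$chain"
    run "$IPTABLES" -A "$chain" -s "$router" -j RETURN
    for net in "$@"; do
        run "$IPTABLES" -A "$chain" -s "$net" -j LOG --log-level info --log-prefix "SPOOF $ext "
        run "$IPTABLES" -A "$chain" -s "$net" -j DROP
    done
    # Insert at position 1 of INPUT and FORWARD so the check runs before any ACCEPT from the LAN.
    run "$IPTABLES" -I INPUT 1 -m physdev --physdev-in "$ext" -j "$chain"
    run "$IPTABLES" -I FORWARD 1 -m physdev --physdev-in "$ext" -j "$chain"
}

# physdevify: rewrite "-i ethN" in compiled rules (stdin) to a physdev match (stdout).
# Only ingress is rewritten: "-o ethN" would need --physdev-out plus --physdev-is-bridged,
# so it is left untouched here.  "-i br0" is a real interface match and stays as it is.
physdevify() {
    sed -E 's/ -i (eth[0-9]+) / -m physdev --physdev-in \1 /g'
}

case "${1:-}" in
    --apply)   # the page's three private ranges, plus loopback (an addition to the page)
        bridge_antispoof eth0 192.168.0.66 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 127.0.0.0/8 ;;
    --rewrite) # e.g.  sh physdev.sh --rewrite < compiled_rules.sh
        physdevify ;;
esac
```

DRY_RUN=1 sh physdev.sh --apply prints the rules so they can be pasted into the Prologue after review; note that the DRY_RUN output loses the quoting around the log prefix. The --rewrite mode is a stop-gap for the compiled output above, not a substitute for the version 2.1 support the note mentions.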
    

E.g. A Rule added to the main Policy to allow all traffic from the Local LAN to the Firewall:

N.B. Rule 0 allows all traffic from the Local LAN to the Firewall. Rule 1 allows NetBIOS broadcasts from the Local LAN to the Firewall (required for Samba). Note that I have used an Address Object to represent the LAN broadcast address.

The Rules created by the compiler for Rules 0,1 are:

    #
    # Rule 0 (global)
    # 
    echo "Rule 0 (global)"
    #
    # Lan>FW
    #
    $IPTABLES -A FORWARD -s 192.168.0.0/24 -d 192.168.0.1 -m state --state NEW -j ACCEPT 
    $IPTABLES -A INPUT -s 192.168.0.0/24 -d 192.168.0.1 -m state --state NEW -j ACCEPT
    #
    #
    # Rule 1 (global)
    #
    echo "Rule 1 (global)"
    #
    # Lan>FW
    # Bcast
    #
    $IPTABLES -N Cid41FCC4E9.0
    $IPTABLES -A FORWARD -s 192.168.0.0/24 -d 192.168.0.255 -m state --state NEW -j Cid41FCC4E9.0 
    $IPTABLES -A Cid41FCC4E9.0 -p tcp -m tcp --dport 139 -j ACCEPT 
    $IPTABLES -A Cid41FCC4E9.0 -p udp -m udp -m multiport --dports 138,137 -j ACCEPT 
    $IPTABLES -N Cid41FCC4E9.1
    $IPTABLES -A FORWARD -s 192.168.0.0/24 -d 192.168.0.255 -m state --state NEW -j Cid41FCC4E9.1 
    $IPTABLES -A Cid41FCC4E9.1 -p tcp -m tcp --dport 139 -j ACCEPT 
    $IPTABLES -A Cid41FCC4E9.1 -p udp -m udp -m multiport --dports 138,137 -j ACCEPT 
    $IPTABLES -N Cid41FCC4E9.2
    $IPTABLES -A INPUT -s 192.168.0.0/24 -d 192.168.0.255 -m state --state NEW -j Cid41FCC4E9.2 
    $IPTABLES -A Cid41FCC4E9.2 -p tcp -m tcp --dport 139 -j ACCEPT 
    $IPTABLES -A Cid41FCC4E9.2 -p udp -m udp -m multiport --dports 138,137 -j ACCEPT 
    

Note that this creates Rules in both the INPUT chain and the FORWARD chain. This is because the Firewall in Bridged mode is seen as just another IP address on the LAN. Note too that Rule 0 matches on the source address alone, whichever port the packet came in on, so a packet arriving from the external side with a forged 192.168.0.x source would be accepted by it. That is why it is imperative that you add the “Anti Spoofing” Rules on the External Interface, as I have above, and that they actually match the physical port (see the physdev note above).

E.g. Rule to allow traffic from the Local LAN to the Internet:

Here Rule 5 allows controlled traffic from the Local LAN to the Internet. Note the use of the “LAN to Net” Services Group, which controls what traffic is permitted. Because I selected that the Firewall is NOT part of ANY, the Rules created by the Compiler are just in the FORWARD chain.

The Rules created by the Compiler for Rule 5 are:

    #
    # Rule 5 (global)
    #
    echo "Rule 5 (global)"
    #
    # LAN>Internet
    #
    $IPTABLES -N Cid4121319E.0
    $IPTABLES -A FORWARD -s 192.168.0.0/24 -m state --state NEW -j Cid4121319E.0 
    $IPTABLES -A Cid4121319E.0 -p tcp -m tcp --dport 6346:6349 -j ACCEPT 
    $IPTABLES -A Cid4121319E.0 -p tcp -m tcp -m multiport --dports 53,21,80,1863,888,8880,443,22,6667,2401 -j ACCEPT 
    $IPTABLES -A Cid4121319E.0 -p udp -m udp --dport 6346:6349 -j ACCEPT 
    $IPTABLES -A Cid4121319E.0 -p udp -m udp -m multiport --dports 53,500,4500,10001 -j ACCEPT 
    $IPTABLES -A Cid4121319E.0 -p 50 -j ACCEPT 
    $IPTABLES -A Cid4121319E.0 -p 51 -j ACCEPT
    

E.g. Catch All Rule:

A “Catch All” Rule is always useful for enabling logging of all DROPPED traffic. Any traffic not covered by a Rule in either the Internal, External or Policy Rules is DROPPED by default, due to the overriding policy set by the Compiler; adding Rule 7 ensures that all those DROPPED packets are in fact logged. Note that in this case I have added an option to the Rule to enable logging, and selected that for this Rule the Firewall is considered part of ANY, so that I catch all traffic on the INPUT, OUTPUT and FORWARD chains. One caveat: an unthrottled LOG rule at the end of every chain will flood syslog during a port scan or a packet flood, so rate-limit it (the Rule options include a limit setting that compiles to an iptables “-m limit” match) and keep an eye on the disk space the log consumes.

The Rules created by the Compiler for Rule 7 are:

    
    #
    # Rule 7 (global)
    #
    echo "Rule 7 (global)"
    #
    # Catch All
    # & Log
    #
    $IPTABLES -N RULE_7
    $IPTABLES -A OUTPUT -j RULE_7 
    $IPTABLES -A INPUT -j RULE_7 
    $IPTABLES -A FORWARD -j RULE_7 
    $IPTABLES -A RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY "
    $IPTABLES -A RULE_7 -j DROP 
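
What to do with the lines Rule 7 produces, as an added example that is not part of the tutorial: a shell/awk function that reads kernel log lines carrying the “RULE 7 -- DENY ” prefix and counts them by physical ingress port, source address, protocol and destination port. On a bridging firewall the LOG target prints PHYSIN=/PHYSOUT= next to IN=br0, which is what tells you which side a dropped packet came from. The log lines in the script are constructed for the example, not captured from a real system.

```sh
#!/bin/sh
# Added example (not part of the tutorial): summarise what the catch-all rule dropped.
set -eu

# Constructed sample syslog lines (not a real capture) in the format of the iptables LOG
# target on a bridging firewall: IN= is the bridge, PHYSIN=/PHYSOUT= the physical ports.
# The fourth line is an accept logged by Rule 0 and must not be counted as a drop.
SAMPLE_LOG='Mar  3 10:01:02 fw kernel: RULE 7 -- DENY IN=br0 OUT= PHYSIN=eth0 MAC=00:0c:29:aa:bb:cc:00:11:22:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: RULE 7 -- DENY IN=br0 OUT= PHYSIN=eth0 MAC=00:0c:29:aa:bb:cc:00:11:22:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:09 fw kernel: RULE 7 -- DENY IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:11:22:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=51 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:01:10 fw kernel: RULE 0 -- ACCEPT IN=br0 OUT= PHYSIN=eth0 MAC=00:0c:29:aa:bb:cc:00:11:22:dd:ee:ff:08:00 SRC=192.168.0.66 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=5000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# summarise_drops [PREFIX]   (stdin: syslog lines)
# Prints "count physin src proto dpt", busiest first, for the lines carrying PREFIX
# (default: the prefix the catch-all rule logs with).
summarise_drops() {
    prefix=${1:-"RULE 7 -- DENY"}
    awk -v prefix="$prefix" '
        index($0, prefix) == 0 { next }            # not logged by the rule we are looking at
        {
            physin = src = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {            # LOG output is a run of KEY=VALUE tokens
                if (split($i, kv, "=") < 2) continue   # bare flags such as DF or SYN
                if (kv[1] == "PHYSIN") physin = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            count[physin " " src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_LOG" | summarise_drops ;;
    --log)    summarise_drops < "${2:?usage: --log FILE}" ;;   # e.g. --log /var/log/kern.log
esac
```

Keyed this way, a port scan from one host shows up as one source with many destination ports, while a spoofed private-range source hitting the anti-spoof rules would appear under PHYSIN=eth0 with a 192.168.0.x address; pass a different prefix as the first argument to look at what another rule logged.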
    

Software versions used
  • Firewall Builder 2.0.6 >=Build 560
  • Kernel 2.6.10
  • iptables 1.2.11

Stewart Outram

 

Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.