| 1 |
Hello, |
| 2 |
|
| 3 |
So I'm building up a transparent bridge to filter out various |
| 4 |
types of nefarious packets, common to ddos and other attack vectors. I |
| 5 |
found a straightforward, Debian centric document [1]. The bridge will sit |
| 6 |
closer to the Internet, with a third ethernet port for management and |
| 7 |
updates. Key areas of the hardened kernel to configure, are most welcome. |
| 8 |
Also, any suggestions, or the ebtables/iptables or other configurations and |
| 9 |
scripts are welcome too. Most servers will be of the amd64 hardened profile. |
| 10 |
My intial thoughts on the ethernet management interface is to only connect |
| 11 |
it to the LAN segment directly during updates, and such, but other ideas on |
| 12 |
bridge management are welcome. I have five static IPs. |
| 13 |
|
| 14 |
|
| 15 |
Naturally, a traditional firewall router with (5) ethernet interfaces |
| 16 |
will follow the bridge. The idea is to have the bridge filter out |
| 17 |
the heavy traffic and let the firewall router have an easier time |
| 18 |
and afford some 'fine grained' rulesets without overwhelming the |
| 19 |
cpu/ram resources. Beside the incoming (1) net interface[ it will have |
| 20 |
separate ethernet interfaces for (2) dns, (3) mail and (4) web servers as |
| 21 |
well as the (5) lan. With separate zones, I can put a sniffer on any of the |
| 22 |
zones and look for issues related to that interface zone and the limited |
| 23 |
services running therein. Any current example iptables configurations for |
| 24 |
such a firewall are most welcome. I hope we can end up with a reference |
| 25 |
configuration in the gentoo wiki, after some community inputs and |
| 26 |
refinements, including basic diagrams. |
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
All input is welcome, |
| 31 |
James |
| 32 |
|
| 33 |
|
| 34 |
[1] |
| 35 |
http://www.blog.turmair.de/2012/02/a-transparent-firewall-for-intrusion-prevention-and-ddos-mitigation/ |
Archives