Gentoo Archives: gentoo-user

From: James <wireless@×××××××××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] bridge:: ebtables & bridge-utils
Date: Wed, 28 Oct 2015 12:49:14
1 Hello,
3 So I'm building up a transparent bridge to filter out various
4 types of nefarious packets, common to ddos and other attack vectors. I
5 found a straightforward, Debian centric document [1]. The bridge will sit
6 closer to the Internet, with a third ethernet port for management and
7 updates. Key areas of the hardened kernel to configure, are most welcome.
8 Also, any suggestions, or the ebtables/iptables or other configurations and
9 scripts are welcome too. Most servers will be of the amd64 hardened profile.
10 My intial thoughts on the ethernet management interface is to only connect
11 it to the LAN segment directly during updates, and such, but other ideas on
12 bridge management are welcome. I have five static IPs.
15 Naturally, a traditional firewall router with (5) ethernet interfaces
16 will follow the bridge. The idea is to have the bridge filter out
17 the heavy traffic and let the firewall router have an easier time
18 and afford some 'fine grained' rulesets without overwhelming the
19 cpu/ram resources. Beside the incoming (1) net interface[ it will have
20 separate ethernet interfaces for (2) dns, (3) mail and (4) web servers as
21 well as the (5) lan. With separate zones, I can put a sniffer on any of the
22 zones and look for issues related to that interface zone and the limited
23 services running therein. Any current example iptables configurations for
24 such a firewall are most welcome. I hope we can end up with a reference
25 configuration in the gentoo wiki, after some community inputs and
26 refinements, including basic diagrams.
30 All input is welcome,
31 James
34 [1]