Hello,

So I'm building up a transparent bridge to filter out various types of nefarious packets, common to ddos and other attack vectors. I found a straightforward, Debian-centric document [1]. The bridge will sit closer to the Internet, with a third ethernet port for management and updates. Key areas of the hardened kernel to configure are most welcome. Also, any suggestions, or the ebtables/iptables or other configurations and scripts, are welcome too. Most servers will be of the amd64 hardened profile. My initial thoughts on the ethernet management interface are to only connect it to the LAN segment directly during updates, and such, but other ideas on bridge management are welcome. I have five static IPs.

Naturally, a traditional firewall router with (5) ethernet interfaces will follow the bridge. The idea is to have the bridge filter out the heavy traffic and let the firewall router have an easier time and afford some 'fine grained' rulesets without overwhelming the cpu/ram resources. Beside the incoming (1) net interface, it will have separate ethernet interfaces for (2) dns, (3) mail and (4) web servers as well as the (5) lan. With separate zones, I can put a sniffer on any of the zones and look for issues related to that interface zone and the limited services running therein. Any current example iptables configurations for such a firewall are most welcome. I hope we can end up with a reference configuration in the gentoo wiki, after some community inputs and refinements, including basic diagrams.

All input is welcome,
James

[1]
http://www.blog.turmair.de/2012/02/a-transparent-firewall-for-intrusion-prevention-and-ddos-mitigation/
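As an added example of the bridge-side rule set the post is asking about (not code from James's post or from the linked article), here is a script that emits an iptables-restore rule set for the transparent bridge: scrubbing of malformed and flood traffic on the Internet-facing port, a locked-down INPUT chain that only admits the management port, and a pass-through for everything the inner firewall router will police in finer detail. The interface names eth0/eth1/eth2/br0, the accepted service ports and the rate-limit numbers are assumptions.

```shell
#!/bin/sh
# Added example: iptables rule set for a transparent filtering bridge.
# Assumed names: eth0 faces the Internet, eth1 faces the inner firewall router, eth2 is management, br0 is the bridge.
WAN_IF=${WAN_IF:-eth0}; LAN_IF=${LAN_IF:-eth1}; MGMT_IF=${MGMT_IF:-eth2}
BRIDGE=${BRIDGE:-br0}
# Print the rule set in iptables-restore format. With br_netfilter loaded and
# net.bridge.bridge-nf-call-iptables=1, every frame crossing the bridge is
# evaluated by the FORWARD chain, so the bridge needs no IP address of its own.
bridge_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SCRUB - [0:0]
# The bridge box itself: only loopback and the management port may talk to it
-A INPUT -i lo -j ACCEPT
-A INPUT -i $MGMT_IF -j ACCEPT
# SCRUB: cheap drops for packets that no legitimate connection produces
-A SCRUB -m conntrack --ctstate INVALID -j DROP
-A SCRUB -p tcp --tcp-flags ALL NONE -j DROP
-A SCRUB -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A SCRUB -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN flood: cap new connections per source address (the numbers are assumptions)
-A SCRUB -p tcp --syn -m hashlimit --hashlimit-name syn --hashlimit-mode srcip --hashlimit-above 50/sec --hashlimit-burst 100 -j DROP
# ping flood: let a trickle through, drop the rest
-A SCRUB -p icmp --icmp-type echo-request -m limit --limit 10/sec --limit-burst 20 -j RETURN
-A SCRUB -p icmp --icmp-type echo-request -j DROP
# Internet-side frames are scrubbed, then only the published services pass;
# the inner firewall router still applies its own finer per-zone rules
-A FORWARD -m physdev --physdev-in $WAN_IF -j SCRUB
-A FORWARD -m physdev --physdev-in $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m physdev --physdev-in $WAN_IF -p tcp -m multiport --dports 25,53,80,443 -j ACCEPT
-A FORWARD -m physdev --physdev-in $WAN_IF -p udp --dport 53 -j ACCEPT
# Replies and outbound traffic from the inside pass unfiltered at this hop
-A FORWARD -m physdev --physdev-in $LAN_IF -j ACCEPT
COMMIT
EOF
}
# Build the bridge and load the rules (needs root); without --apply just print them.
apply_bridge() {
    modprobe br_netfilter
    sysctl -w net.bridge.bridge-nf-call-iptables=1
    ip link add name "$BRIDGE" type bridge
    ip link set "$WAN_IF" master "$BRIDGE"; ip link set "$LAN_IF" master "$BRIDGE"
    ip link set "$WAN_IF" up; ip link set "$LAN_IF" up; ip link set "$BRIDGE" up
    bridge_rules | iptables-restore
}
if [ "${1:-}" = "--apply" ]; then apply_bridge; else bridge_rules; fi
```

Run it without arguments to review the generated rules, or with `--apply` as root to create the bridge and load them; `iptables -L FORWARD -v` afterwards shows which SCRUB rules are actually catching traffic.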