# HOWTO: Bridging, Transparent Firewalls and IPS

## nikolei

version 0.1, first version 2004/05/03 

Bridging, Transparent Firewalls and Intrusion Prevention

Contents:

1 What is Bridging?

2 Installing a Bridge

3 Configuring a Bridge

4 What is a Bridging Firewall?

5 Installing a Bridging Ebtables Firewall

6 Configuring a Bridging Ebtables Firewall

7 Installing a Bridging Iptables Firewall

8 Configuring a Bridging Iptables Firewall

9 What is an Intrusion Prevention System?

10 Installing an Intrusion Prevention System

11 Configuring an Intrusion Prevention System

### 1 What is Bridging?

A bridge is a network device that connects two network segments of any network type (ethernet, token ring etc.) transparently to form one subnet. Transparency means that you do not have to tell any component (computer, application etc.) that there is a new device between them. So, no configuration on them is needed. And your bridge is really stealthy, because it does not need any IP address.

You can easily build a bridge using a computer with at least two network interfaces. Here, in this section, I want to describe how to set up a bridge using Linux (here with kernel 2.4.24), because based on the transparency characteristics of a bridge, you can build security enhancing network devices like bridging (transparent) firewalls and intrusion prevention systems.

### 2 Installing a Bridge

There are two things to do. First, you have to install the bridge-utils. Under Gentoo you just type:

```
emerge bridge-utils
```

If your distribution is not shipped with bridge-utils, then you can download them from sourceforge. You can configure, compile and install bridge-utils the standard way.

The second thing to do is to prepare the kernel. Fortunately, you have to activate all drivers you need to run your box properly. In addition, you have to activate (this depends on the development status of the kernel features):

Code maturity level options --> Prompt development and/or incomplete code/drivers

Networking options --> 802.1d Ethernet Bridging

Then simply recompile and install your new kernel. Reboot. If you are using modules, then load them! 

### 3 Configuring a Bridge

Configuring a bridge is really straightforward. See table 1.

Table 1: Configuring the Bridge

```
$ ifconfig eth0 0.0.0.0 up
$ ifconfig eth1 0.0.0.0 up
$ brctl addbr br0
$ brctl addif br0 eth0
$ brctl addif br0 eth1
$ ifconfig br0 0.0.0.0 up
```

Now you have a network device that forwards traffic between two network segments transparently. But what do the commands in table 1 do exactly? With the first two lines, you bring the two ethernet interfaces eth0 and eth1 up without assigning an IP address to them. The 0.0.0.0 guarantees that even if an IP address was assigned at startup, it will be overwritten. In the third line a new device, here a bridge called br0, is created. Lines 4 and 5 add the two interfaces eth0 and eth1 to our bridge br0. In the last line, we bring our bridge br0 up. Again, we assign no IP address to it.

### 4 What is a Bridging Firewall?

A bridging firewall is also often called a transparent firewall and some benefits come with its design:

Zero configuration. From a networking standpoint, there are virtually no changes. How can this be? Easy, the bridging firewall is plugged in-line with the network it is protecting. This means you can put it between two routers, or a router and a switch. You could even put it in front of a single machine. While it might be placed exactly where it should be if it were acting as a gateway or router, it's not. Remember, it merely moves frames after inspecting them between interfaces. This means that there's no need to make any changes to your existing network. It is completely transparent. No subnetting headaches or configuration updates are required with this device.

Performance. Because they are simpler devices, there's less processing overhead. This cost cutting either boosts the capabilities of the machines or allows for deeper examination of the data.

Stealth. A key aspect of this device is the fact that it operates at layer 2 of the OSI model. This means the network interfaces have no IP addresses. Such a feature carries more weight than merely ease of configuration. Without an IP address, this device is unreachable and invisible to the outside world. If it cannot be reached, how can anyone attack it? No network probes, denial of service floods or firewalking on this machine. Your attackers won't even know it's in place, silently inspecting everything they send.

There are two possibilities to realize a bridging firewall: with ebtables or with iptables. In ebtables the focus is more on OSI layers 2-3, whereas in iptables it is more on OSI layers 3-4. Ebtables might be more suitable in scenarios where the bridge connects two network segments within one subnet, whereas iptables might be more suitable where the bridge is placed before a router that connects the subnet to another net.

### 5 Installing a Bridging Ebtables Firewall

First of all you need a bridge. Above I have described how to install and configure it. Secondly you have to install the ebtables package. Under Gentoo just do a

```
emerge ebtables
```

But keep in mind that this package is masked. If this package is not shipped with your distribution, then download it from sourceforge. You can configure, compile and install ebtables the standard way. ebtables can be seen as a replacement for iptables. But it uses other tables within the kernel.

The next step is to enhance the kernel with the ebtables-brnf patch (not necessary for kernel 2.6, because it is already in there). You can download it from sourceforge. Decompress it and then patch your kernel with the corresponding version of ebtables-brnf:

```
patch -p1 <patch_file 
```

Within the kernel you have to activate: 

Networking options --> Network packet filtering (replaces ipchains)

Networking options --> 802.1d Ethernet Bridging

Networking options --> 802.1d Ethernet Bridging --> Bridge: ebtables (NEW)

Then a list of options for ebtables pops up. You can select, for simplicity, all of them. Then simply recompile and install your new kernel. Reboot. If you are using modules, then load them!

### 6 Configuring a Bridging Ebtables Firewall

The bridge is now running and the kernel already prepared for configuring a firewall via ebtables. The best is always to have a real life example to show how it works. My example will be based on the following environment: 

There is a NAT router with the IP address 192.168.1.1 playing the role of a gateway for all clients within the subnet 192.168.1.0/24 and connecting them to the internet.

On the NAT router runs a DNS forwarder, so that it is the DNS server for all clients in the subnet.

The subnet 192.168.1.0/24 is divided into two parts. The clients within the first part of the subnet are directly connected to the NAT router via a switch. The clients of the second part of the subnet are connected with the first part of the subnet via our new bridge.

There is a client in the second part of the subnet with the IP address 192.168.1.52. This client wants to surf the WWW. So it has to pass the bridge and the NAT router.

Table 2: Configuring the Bridging Ebtables Firewall

```
$ ebtables -P FORWARD DROP
$ ebtables -A FORWARD -p 0x806 -j ACCEPT
$ ebtables -A FORWARD -p 0x800 --ip-dst 192.168.1.52 --ip-proto tcp --ip-sport 80 -j ACCEPT
$ ebtables -A FORWARD -p 0x800 --ip-src 192.168.1.52 --ip-proto tcp --ip-dport 80 -j ACCEPT
$ ebtables -A FORWARD -p 0x800 --ip-src 192.168.1.52 --ip-dst 192.168.1.1 --ip-proto udp --ip-dport 53 -j ACCEPT
$ ebtables -A FORWARD -p 0x800 --ip-src 192.168.1.1 --ip-dst 192.168.1.52 --ip-proto udp --ip-sport 53 -j ACCEPT
```

The syntax of ebtables is quite similar to that of iptables. Because we are using bridging, which in our case has a lot of similarities to routing, we have to configure only our FORWARD chain. In the first line we set our default policy to DROP, meaning that all packets not matching any other rule are dropped by default. The second line says that our bridging firewall will let ARP packets pass. The parameter -p is used to specify a protocol in hex. 0x806 is ARP (Address Resolution Protocol). This is needed because the clients within a subnet communicate based on layer 2 of the OSI model, and so they have to find the MAC addresses based on the IP addresses they know.

In the third and fourth line we allow the client 192.168.1.52 to surf the WWW. -p 0x800 is the well known Internet Protocol (IP). --ip-dst and --ip-src give the destination and source IP respectively. --ip-proto specifies the IP protocol, here TCP. With --ip-dport and --ip-sport we specify the destination and source port, here port 80 (the standard port for HTTP traffic).

The last two lines enable the client 192.168.1.52 to do DNS requests. The NAT router 192.168.1.1 serves as a DNS forwarder. In this case the source and destination addresses are well known. The IP protocol used is UDP and the port on the NAT router serving DNS is 53.

Configured this way, our bridging firewall will only let one client through and will enable him to surf in the WWW. 

### 7 Installing a Bridging Iptables Firewall

First of all you need a bridge. Above I have described how to install and configure it. Secondly you have to install the iptables package. Under Gentoo just do a

```
emerge iptables
```

The software is shipped with really every distribution. So you do not need to download it.

Within the kernel you have to activate at least the following options: 

Networking options --> Network packet filtering (replaces ipchains)

Networking options --> IP: Netfilter Configuration --> Connection Tracking (required for masq/NAT)

Networking options --> IP: Netfilter Configuration --> IP tables support (required for filtering/masq/NAT)

Networking options --> IP: Netfilter Configuration --> Connection state match support

Networking options --> IP: Netfilter Configuration --> Connection tracking match support

Then simply recompile, and install your new kernel. Reboot. If you are using modules, then load them! 

### 8 Configuring a Bridging Iptables Firewall

Because iptables is well documented (and there is also a howto on linuxsecure) I will not go into detail here. I will only show a very small example here that uses connection tracking. The bridged iptables firewall will only let connections from client 192.168.1.52 out (will forward them) but no connections in. See table 3 for details.

Table 3: Configuring the Bridging Iptables Firewall

```
$ iptables -P FORWARD DROP
$ iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$ iptables -A FORWARD -s 192.168.1.52 -m state --state NEW -j ACCEPT
```

The first line in table 3 configures the default policy. Any traffic that is not matched by a rule is dropped. The next two lines tell iptables to let only packets in that belong to an existing connection or are related to it. As configured in line 3, new connections can only be established from client 192.168.1.52.

### 9 What is an Intrusion Prevention System?

I have already written a few lines about Intrusion Detection Systems (IDS) here. One big point about flexible responses I have made there is that despite the practicability of flexible responses, it is not fast/reliable enough. So if you want it, then you have to implement IDS with flexible response (or something similar) onto a router. A bridge is very similar to a router. It is a single entry or exit point to a network segment. So all traffic going in or out has to go through it. If you install an Intrusion Detection System on a bridge (or router) and if you configure it in a way that it will not forward packets identified as containing an attack signature, then you have an Intrusion Prevention System (IPS).

### 10 Installing an Intrusion Prevention System

Here, I will show how to install an IPS on a bridge. Installing one on a router is quite the same. First, we have to set up the bridge, as shown above. Then we have to download snort_inline from sourceforge. Then just do 

```
./configure --enable-inline
make
make install
```

Because snort_inline receives the network packets via iptables, we have to activate userspace queueing in the kernel:

Networking options --> Network packet filtering (replaces ipchains)

Networking options --> IP: Netfilter Configuration --> Userspace queueing via Netlink (EXPERIMENTAL) (NEW)

Then simply recompile, and install your new kernel. Reboot. If you are using modules, then load them! 

### 11 Configuring an Intrusion Prevention System

The configuration of snort_inline is nearly the same as for snort, except for the rule types. There are three new rule types, namely drop, reject, and sdrop:

The drop rule will tell iptables to drop the packet and log it via usual snort means.

The reject rule type will tell iptables to drop the packet, log it via usual snort means, and send a TCP reset if the protocol is TCP or an ICMP port unreachable if the protocol is UDP.

The sdrop rule type will tell iptables to drop the packet. Nothing is logged.

Now we have to tell iptables to send all packets going through the bridge to the table QUEUE, so that snort_inline can get them from there. This can be achieved with the commands in table 4.

Table 4: Preparing Iptables for Snort_Inline

```
$ iptables -P FORWARD DROP
$ iptables -A FORWARD -j QUEUE
```

The first line is not really necessary. The second line configures netfilter to push all packets in the FORWARD chain into the table QUEUE.

What we have to do now is to change some of the rules in a way that network packets matching attack signatures are not only detected, but also dropped, so that they will never arrive at the target host. For example, we can prohibit packets matching the ICMP PING NMAP signature by simply changing the rule

```
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)
```

to 

```
drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)
```

Within snort_inline the rule application order has changed, in order to get intrusion prevention functionality. The new rule application order is now: 

->activation->dynamic->drop->sdrop->reject->alert->pass->log

To start snort in inline mode, we have to use the new switch Q, meaning that snort will not receive packets by sniffing on the wire, but via iptables:

```
snort_inline -QDc /etc/snort_inline/snort.conf -l /var/log/snort_inline
```

where /var/log/snort_inline is the directory where snort logs the alerts/drops.

Last edited by nikolei on Mon May 10, 2004 5:32 am; edited 2 times in total
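As an added illustration (not part of nikolei's howto, and not a call into ebtables or iptables), the following Python script models the FORWARD chain of table 2 (ebtables, stateless) and of table 3 (iptables with connection tracking) and runs both over a handful of constructed sample frames. The `Frame` class, the verdict functions and the addresses 198.51.100.10 and 192.168.1.77 are this example's own constructions. It shows the difference a defender should keep in mind between sections 6 and 8: the ebtables rules match fixed ports in both directions, so any packet that merely carries source port 80 towards the client is accepted, whereas the conntrack ruleset only accepts replies to connections the client itself opened and, conversely, lets the client open connections to any port, which the ebtables set does not.

```python
from dataclasses import dataclass

ETH_IP, ETH_ARP = 0x800, 0x806                 # ethertypes used by -p in table 2
CLIENT, GATEWAY = "192.168.1.52", "192.168.1.1"
OUTSIDE, OTHER_LAN_HOST = "198.51.100.10", "192.168.1.77"   # constructed addresses


@dataclass(frozen=True)
class Frame:
    """Only the header fields the two rulesets look at (this example's own model)."""
    ethproto: int
    src: str = ""
    dst: str = ""
    proto: str = ""        # "tcp" or "udp"
    sport: int = 0
    dport: int = 0


def ebtables_forward(f: Frame) -> str:
    """Table 2 as a stateless match list: policy DROP, first matching rule wins."""
    rules = [
        lambda f: f.ethproto == ETH_ARP,                              # -p 0x806 -j ACCEPT
        lambda f: (f.ethproto == ETH_IP and f.dst == CLIENT
                   and f.proto == "tcp" and f.sport == 80),           # --ip-dst client --ip-sport 80
        lambda f: (f.ethproto == ETH_IP and f.src == CLIENT
                   and f.proto == "tcp" and f.dport == 80),           # --ip-src client --ip-dport 80
        lambda f: (f.ethproto == ETH_IP and f.src == CLIENT and f.dst == GATEWAY
                   and f.proto == "udp" and f.dport == 53),           # DNS query to the forwarder
        lambda f: (f.ethproto == ETH_IP and f.src == GATEWAY and f.dst == CLIENT
                   and f.proto == "udp" and f.sport == 53),           # DNS answer from the forwarder
    ]
    return "ACCEPT" if any(rule(f) for rule in rules) else "DROP"


class ConntrackForward:
    """Table 3 with a minimal connection table standing in for the state match."""

    def __init__(self) -> None:
        self.connections = set()

    @staticmethod
    def _key(f: Frame) -> tuple:
        return (f.proto, f.src, f.sport, f.dst, f.dport)

    @staticmethod
    def _reply_key(f: Frame) -> tuple:
        return (f.proto, f.dst, f.dport, f.src, f.sport)

    def forward(self, f: Frame) -> str:
        if f.ethproto != ETH_IP:
            return "ACCEPT"          # iptables only sees IP; ARP crosses the bridge unfiltered
        if self._key(f) in self.connections or self._reply_key(f) in self.connections:
            return "ACCEPT"          # --state ESTABLISHED (RELATED is not modelled here)
        if f.src == CLIENT:          # --state NEW is accepted only from the client
            self.connections.add(self._key(f))
            return "ACCEPT"
        return "DROP"                # default policy


SAMPLE_FRAMES = [   # constructed traffic, in the order the bridge would see it
    ("ARP request", Frame(ETH_ARP)),
    ("client opens HTTP to outside", Frame(ETH_IP, CLIENT, OUTSIDE, "tcp", 40000, 80)),
    ("HTTP reply to client", Frame(ETH_IP, OUTSIDE, CLIENT, "tcp", 80, 40000)),
    ("client DNS query to gateway", Frame(ETH_IP, CLIENT, GATEWAY, "udp", 40001, 53)),
    ("DNS answer from gateway", Frame(ETH_IP, GATEWAY, CLIENT, "udp", 53, 40001)),
    ("client opens SSH to outside", Frame(ETH_IP, CLIENT, OUTSIDE, "tcp", 40002, 22)),
    ("unsolicited sport-80 packet to client", Frame(ETH_IP, OUTSIDE, CLIENT, "tcp", 80, 22)),
    ("other LAN host opens HTTP", Frame(ETH_IP, OTHER_LAN_HOST, OUTSIDE, "tcp", 40003, 80)),
]


def run_samples(frames=SAMPLE_FRAMES) -> dict:
    """Return {label: (ebtables verdict, iptables verdict)} for the frames in order."""
    ct = ConntrackForward()
    return {label: (ebtables_forward(f), ct.forward(f)) for label, f in frames}


if __name__ == "__main__":
    for label, (eb, ipt) in run_samples().items():
        print(f"{label:40} ebtables={eb:6} iptables={ipt}")
```

Running it prints one verdict pair per sample frame. In practice the two tools are complementary on an in-line bridge: ebtables for the layer-2 decisions (which ethertypes pass, which MAC addresses may appear on which port) and iptables with connection tracking for the stateful layer 3/4 policy.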
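As a second added example, written for this page and not part of the howto or of snort_inline, the following Python script automates the rule change described in section 11: it rewrites the action of selected alert rules (chosen by sid) to drop, sdrop or reject, and lists the rules in the application order the text gives for snort_inline (activation, dynamic, drop, sdrop, reject, alert, pass, log). The sample rule file is constructed for this example: the first rule is the ICMP PING NMAP rule quoted above (sid 469); the other two (sids 1000001 and 1000002, in the local-rule range) are made up to show that untouched rules keep their action and that, under that order, a pass rule is evaluated after a drop rule rather than before it.

```python
import re

# Application order of rule types in snort_inline, as stated in the howto.
INLINE_ORDER = ["activation", "dynamic", "drop", "sdrop", "reject", "alert", "pass", "log"]
INLINE_ACTIONS = {"drop", "sdrop", "reject"}     # the three new (blocking) rule types

# action, then the header and options block; the options must carry "sid:<n>;"
RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<rest>.+\(.*?\bsid:\s*(?P<sid>\d+)\s*;.*\))\s*$")

# Constructed sample rule file: sid 469 is the rule quoted in the howto,
# the two sids in the 1000000+ local range are made up for this example.
SAMPLE_RULES = """\
# constructed sample rule file
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE telnet connect"; flags:S; sid:1000001; rev:1;)
pass icmp 192.168.1.1 any -> $HOME_NET any (msg:"EXAMPLE gateway ping allowed"; itype: 8; sid:1000002; rev:1;)
"""


def parse_rule(line):
    """Return (action, sid, rest) for a rule line, or None for comments and blank lines."""
    m = RULE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("action"), int(m.group("sid")), m.group("rest")


def convert_actions(rules_text, new_action_by_sid):
    """Rewrite 'alert' rules whose sid is in new_action_by_sid to the given inline action."""
    for action in new_action_by_sid.values():
        if action not in INLINE_ACTIONS:
            raise ValueError(f"not a snort_inline blocking action: {action}")
    out = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            out.append(line)                  # comments and blank lines are kept verbatim
            continue
        action, sid, rest = parsed
        if action == "alert" and sid in new_action_by_sid:
            out.append(f"{new_action_by_sid[sid]} {rest}")
        else:
            out.append(line)                  # rules not selected keep their action
    return "\n".join(out) + "\n"


def application_order(rules_text):
    """Return the rule lines sorted as snort_inline applies them (stable within a type)."""
    rules = [p for p in map(parse_rule, rules_text.splitlines()) if p is not None]
    rank = {name: i for i, name in enumerate(INLINE_ORDER)}
    return [f"{action} {rest}" for action, _sid, rest in
            sorted(rules, key=lambda p: rank.get(p[0], len(INLINE_ORDER)))]


if __name__ == "__main__":
    converted = convert_actions(SAMPLE_RULES, {469: "drop"})
    print(converted)
    print("evaluation order:")
    for rule in application_order(converted):
        print("  " + rule.split("(")[0].strip())
```

The converted text is what would be written back to the rule file referenced from /etc/snort_inline/snort.conf before starting the daemon with the -Q switch shown above; the order listing is a quick way to confirm that a newly added drop rule is evaluated before any alert or pass rule for the same traffic.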

----------

## Insanity5902

Thanks for the article ... I am going to be building my router/firewall/bridge within the next month.  This article explained a lot to me.  Very useful, I liked how you explained what the commands you are typing in are, always makes it better to know what you are doing instead of just doing it.

Anyways, I noticed one thing was 

```
$ brctl addif br0 eth0
$ brctl addif br1 eth0
```

supposed to be

```
$ brctl addif br0 eth0
$ brctl addif br0 eth1
```

----------

## nikolei

yes, you are right. i have changed this. so thanx.

maybe the next useful thing to add would be bandwidth shaping and quality of service.

----------

## pathose

Still not quite right:

```
$ brctl addif br0 eth0
$ brctl addif br0 eth0
```

Should be:

```
$ brctl addif br0 eth0
$ brctl addif br0 eth1
```

----------

## bbandeira

How do I set up the bridging firewall with NAT? I need my workstations to access the internet ... :Laughing: I don't know why this does not work... Take a look.... :Crying or Very sad: The bridge works!!!!

```
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
brctl addif br0 eth2
ifconfig eth0 0.0.0.0 promisc
ifconfig eth1 0.0.0.0 promisc
ifconfig eth2 0.0.0.0 promisc
ifconfig br0 200.x.x.x netmask 255.255.255.x
ip addr add 192.168.0.1 dev br0        # second ip for firewall
route add default gw 200.x.x.y         # IP address of the router
echo "1" > /proc/sys/net/ipv4/ip_forward
# eth0: internet interface; 200.x.x.x: the firewall's real ip
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 200.x.x.x
```

----------

## Kriptek

little bump...

I am wondering the same thing as bbandeira, anyone have some good info on setting up a bridging firewall w/ nat?

Thanks,

kriptek

----------

## GenKiller

*Kriptek wrote:*

> I am wondering the same thing as bbandeira, anyone have some good info on setting up a bridging firewall w/ nat?

NAT is usually done with routing, not bridging. Think of a bridge as a hardware hub/switch that you can buy in a store. You would use a bridge firewall if you had a range of internet IP addresses for servers that you wanted behind a firewall (i.e. each computer has a public IP address). Routing is used when you want each of those computers to have private (i.e. internal) IP addresses.

To allow all the computers behind your firewall to get to the internet, if I'm understanding you right, you will want to build a router, not a bridge.

Please correct me if I am mistaken.

----------

## Double Click

Is there any special consideration I have to take when I want to install some monitoring tool like MRTG and have it display the results via APACHE on the same server ?

----------

## Double Click

If I would be to install SQUID on a bridge how to i deal with the redirection? Do i first tell the bridge to redirect anything on port 80 (with ebtables) on the local machine and then with iptables to redirect to 3128 ? 

```
# ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT 
```

```
# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128 
```

? ? ? ?

I just wanna get as much info as possible before I try this . .. . ...

----------

## Double Click

Me again  :Embarassed: 

So a bridge does not have an IP. Can I run emerge from the bridge to install additional packages once the bridge is up and running? If I want to set up MRTG to monitor the bridge (e.g. will apache bind on 0.0.0.0 for instance) how on earth do I start with it and what is the relationship with SNMP on a bridge itself by the way?

Bridging does seem to be an answer to a lot of prayers but there are also so many questions for a n00b like me - I hate diving in the deep end and ending up getting frustrated, hating myself, spending endless hours in front of a problem etc etc :Sad:

Is there anybody out there that can help me on the right track please ... 

PS: Can I do all the kernel config options in this guide right in the beginning ( for instance when installing a new Gentoo computer ) and then do all the command line stuff ?

PPS: Is the Author of the guide open for contributions ....  :Wink: 

----------

## Xamindar

Just a suggestion and heads up.

This howto is probably in need of an update.

On my new gentoo bridge I noticed there is a "/etc/init.d/bridge" startup script.  Possibly installed with bridge-utils?

All I had to do to get bridging working is to: 

1) add it to my default runlevel

2) edit /etc/conf.d/net and have my interfaces set to an ip of 0.0.0.0

3) edit /etc/conf.d/bridge and tell it the name of the bridge device and the network devices included in it.  (It has an example)

*4) and possibly create a /etc/init.d/net.br0 (br0 being what I called my bridge in /etc/conf.d/bridge) by linking to net.eth0 and adding it to my default runlevel.  I say possibly because I have not tested this part yet.  Without this the bridge is not brought up so I had to manually bring it up by "ifconfig br0 0.0.0.0 up".  Also add a section for br0 (or your bridge name) in /etc/conf.d/net.  I haven't rebooted my bridge yet to test this last point.  I will tonite though and then post back.

Doing those steps got me a bridge up and running that just forwards everything between the interfaces.  Next I need to set up a firewall  :Wink: 

----------

## Xamindar

My bridge is working on reboots and /etc/init.d/net.br0 is not in my runlevels, so step 4 of mine is probably not needed.

----------

## seringen

How or can this work for a family in three locations all with DSL connections that all want to be on the same subnet for shared directories and stuff like that? Or do I need something completely different?

----------

## Double Click

Hi Xamindar .....

Thanks for the advice - I will also start with mine as soon as I am finished installing my Gentoo computer that I will be using for the bridge. I am stuck at emerge --sync and/or emerge webrsync ... really bad internet connection - can one run the emerge- webrsync so it can use another proxy ?

Anyway .... did you manage to install anything on the bridge besides SQUID ? I was wondering if one could install MRTG/APACHE2 and maybe also MYSQL ?

I am really itching to try this out as bridging firewall seems to be the most elegant solution. Why do NAT when a router is already doing it ? But I am concerned that a bridge firewall will be to "specialized " and one cannot monitor it properly or install anything on it ....

Let me know please how it goes - is the author of the original document still around - or anybody with experience with bridging firewalls?

----------

## Double Click

Okay .... mine does not work. Here is the scenario:

Everything worked fine when i assigned the eth0 and eth1 to the new bridge br0. I started to notice something was wrong when typing 

```
brctl showmacs br0
```

only showed me the two built-in MAC addresses. Figuring that I did not use the correct cable, I verified that the cable from the test workstation to the bridge (eth0) is a crossover and the cable from the bridge (eth1) to the LAN switches is a normal cable. Waited for a while then (about 15 minutes) and tried pinging my default gateway and any other nodes on the LAN and also pinging from the LAN to the workstation that is behind the bridge. Both of them don't work.

When I type in 

```
ifconfig br0 0.0.0.0 up
```

I see a bunch of MAC addresses appearing. But still I cannot ping anything and nothing can ping the workstation behind the bridge.

Tried to also compile the bridge option in the kernel as a module or directly into the kernel. Both options do not work.

With all options, when i bring up the br0 interface via 

```
ifconfig br0 0.0.0.0 up
```

, it start showing MAC addresses with increasing ageing timer.

I also tried both options from the Author of this post and the way Xamindar suggested and both give me the same results.

 :Confused:   :Confused:  What on earth am I missing  :Confused:   :Confused: 

Did you do anything different from the guide Xamindar to get yours working? Any idea what could be wrong that it is not passing anything along? There are no DMESG error codes as well and when I type in the brctl commands manually they don't return any errors.

How does one start troubleshooting this bridging story ??

My Kernel is the gentoo-dev-hardened-2.6.10-r3 sources. Network card is a Davicom and 3com.

PS: Network cards were working fine with normal IP addresses.

PPS: I noticed as well that if I do ifconfig, it shows eth0, eth1 and br0. br0 indicates that it receives something (RX) but does not transmit anything (TX). Disabling both eth0 and eth1 leaves br0 with no MAC address (brctl showmacs br0)

----------

## Xamindar

Since this bridge is transparent you should not be able to ping anything from it because it does not have an IP address. Have you tried pinging across the bridge?

For example:

<PC 192.168.1.1>----<Bridge>----<PC 192.168.1.2>

Ping between those PCs and see if it works. If you can then your bridge is working perfectly. Also, a useful tool would be tcpdump on the bridge. Run tcpdump and then try pinging between the PCs and you will see tcpdump scroll the traffic on the console. If you also want your bridge to be able to actually communicate with other PCs then you need another ethernet port for that. So in my case I only had two ethernet ports so I had to install all the software I wanted on it before I brought up the bridge.

By the way, I am not doing transparent bridging any more because the pc I got it working on is out of pci slots and only has two nics.  It is also a 400 mhz pc which I also want to use to stream video and music into my room.  I may do this transparent thing in the future if I ever pick up an old pentium or 486 pc.  It is still my firewall though.

----------

## Double Click

Sorry for not being so clear about it but I tried in vain to ping across the bridge the whole time. Let me emerge tcpdump and see what the output is. Thanks!

Will post the tcpdump results asap.

----------

## Xamindar

can you post your /etc/conf.d/bridge and /etc/conf.d/net?

Also the output of ifconfig?

I will try to help. :Confused: 

----------

## Double Click

```
#/etc/conf.d/bridge
#
#Examples
#
bridge="br0"
#
bridge_br0_devices="eth0 eth1"
#bridge_br1000_devices="eth5 eth6"
```

```
# /etc/conf.d/net:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/conf.d/net,v 1.7 2002/11/18 19:39:22 azarah Exp $

# Global config file for net.* rc-scripts

# This is basically the ifconfig argument without the ifconfig $iface

#iface_eth0="0.0.0.0"
#iface_eth1="0.0.0.0"

# For DHCP set iface_eth? to "dhcp"
# For passing options to dhcpcd use dhcpcd_eth?
#
#iface_eth0="dhcp"
#dhcpcd_eth0="..."

# For adding aliases to a interface
#
#alias_eth0="192.168.0.3 192.168.0.4"

# NB:  The next is only used for aliases.
#
# To add a custom netmask/broadcast address to created aliases,
# uncomment and change accordingly.  Leave commented to assign
# defaults for that interface.
#
#broadcast_eth0="192.168.0.255 192.168.0.255"
#netmask_eth0="255.255.255.0 255.255.255.0"

# For setting the default gateway
#
#gateway="eth0/193.220.163.1"
```

Once the computer is finished booting up I have to run:

```
ifconfig br0 0.0.0.0 up
```

And the ifconfig output after I activated br0:

```
br0       Link encap:Ethernet  HWaddr 00:06:5B:10:45:A6
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:428 (428.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:06:5B:10:45:A6
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:74 errors:0 dropped:0 overruns:1 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4590 (4.4 Kb)  TX bytes:0 (0.0 b)
          Interrupt:5 Base address:0xe880

eth1      Link encap:Ethernet  HWaddr 00:80:AD:73:29:DE
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:5 Base address:0xec00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

TCPDUMP spits out a whole bunch of information when listening on br0. What exactly must I look at to see that it actually transfers information through br0? I did a ping across the bridge and could see the ICMP Echo request to the destination ... but that is it, no reply or anything else with ICMP.

Hope the above files and output helps  :Confused: 

----------

## Double Click

Here is the output from:

```
brctl showmacs br0
```

```
port no   mac addr      is local?   ageing timer
  1   00:01:e6:7e:0f:55   no        42.46
  1   00:01:e6:92:94:53   no       101.26
  1   00:01:e6:a8:c5:5c   no       161.75
  1   00:02:e3:54:b6:73   no       102.50
  1   00:02:e3:55:8a:c3   no       106.56
  1   00:04:23:88:a6:1d   no        38.42
  1   00:06:5b:10:45:a6   yes         0.00
  2   00:06:5b:10:45:b5   no         0.95
  1   00:08:02:8e:ee:13   no        66.75
  1   00:08:02:8f:6d:ef   no       214.80
  1   00:08:02:a6:5a:94   no       239.25
  1   00:08:21:5c:dd:db   no         0.05
  1   00:08:a3:83:68:01   no         2.13
  1   00:08:c7:4b:d9:70   no       192.70
  1   00:10:83:0b:10:1b   no        41.23
  1   00:10:dc:9f:97:b6   no        42.37
  1   00:10:dc:f8:3c:42   no       281.45
  1   00:10:dc:f9:3b:da   no       220.88
  1   00:60:fd:a8:48:9d   no        15.46
  2   00:80:ad:73:29:de   yes         0.00
  1   00:90:27:0d:20:af   no         0.05
  1   00:b0:d0:22:3b:32   no       183.78
  1   00:c0:a8:f8:45:c7   no       198.54
  1   00:c0:a8:f8:8b:ab   no        38.09
  1   00:c0:a8:fb:49:18   no         5.72
```

----------

## pagerc@gmail.com

I'm using a tun/tap setup with bridging for Qemu.

Here's what I'm doing:

```
tunctl -t tap0
mv /etc/init.d/net.eth0 /etc/init.d/net
ln -s net /etc/init.d/net.eth0
ln -s net /etc/init.d/net.tap0
ln -s net /etc/init.d/net.br0

# Should yield the following
$ ls -l /etc/init.d/
-rwxr-xr-x  1 root root 9.6K Feb  7 01:41 /etc/init.d/net*
lrwxrwxrwx  1 root root    3 Feb 28 04:52 /etc/init.d/net.br0 -> net*
lrwxrwxrwx  1 root root    3 Feb 28 04:30 /etc/init.d/net.eth0 -> net*
lrwxrwxrwx  1 root root    3 Feb 28 04:30 /etc/init.d/net.tap0 -> net
```

The net.device are the init scripts for ifconfig to startup your networking on each device.

Modify /etc/conf.d/net (these are the uncommented lines I have):

```
iface_br0="dhcp"
iface_eth0="0.0.0.0 promisc"
iface_tap0="0.0.0.0 promisc"
```

I'm dhcp'ing br0 so that it has an IP address and I can access the internet through it on my host.

/etc/conf.d/bridge:

```
bridge="br0"
bridge_br0_devices="eth0 tap0"
```

Then add both scripts to the default runlevel:

```
rc-update add bridge default
rc-update add net.br0 default
```

Now bridge will be brought up as br0.  There might be some conflict in the order these are brought up.  My guess is that you can add keywords to the init.d scripts so that bridge starts before the networking of the bridge.  That is, brctl is run via the bridge init.d script and ifconfig is run via the net.br0 script.  Hopefully this clarifies some things for people.

----------

## Double Click

*pagerc@gmail.com wrote:*

> I'm using a tun/tap setup with bridging for Qemu.

Hi pagerc@gmail.com,

I really don't have a clue what you mean  :Confused:  What is tun/tap ?

PS: Does IP forwarding need to be enabled for the bridge to work ?

----------

## Antimatter

So let me get this straight: a bridge/firewall is an ideal way to protect your network because there's no way to reach the machine unless you physically install another line or have physical access to the machine via KVM switches or a 3rd ethernet out to other places?

Is there any chance of setting up a hybrid bridge/firewall just in front of a router on the same machine or do they physically need to be separate machines?

----------

## pagerc@gmail.com

tun/tap are faked point to point tunnel and ethernet device respectively.  I believe that the User Mode Linux project is one of the heavy users of this technology.

Essentially what you do with a bridge is connect multiple network devices to each other.  The real idea is that fake tun/tap device tun0 can be connected to real device eth0.  You can also do things like tie eth1 to eth0 via a bridge.  But for the purpose of Qemu, user mode linux, and other virtualized environments, you want to give these virtual environments what appears to be a *real* device on your network.  Since you only have one real device eth0, you setup your bridge so that the fake device tun0 pretends to exist as a real device on whatever real network eth0 is attached to.  The localhost is then able to use the bridge directly to access the real network via interface eth0, as well as your virtual device tun0.

Sorry for the late response, not really watching this post.

----------

## outspoken

Don't mind me, I'm just using this space for my notes. Will make a new howto for snort-inline which brings it up to date.

```
Symbol: IP_NF_CONNTRACK_NETLINK [=n]
  Prompt: Connection tracking netlink interface (EXPERIMENTAL)
    Defined at net/ipv4/netfilter/Kconfig:68
    Depends on: NET && INET && NETFILTER && EXPERIMENTAL && IP_NF_CONNTRA
    Location:
      -> Networking
        -> Networking support (NET [=y])
          -> Networking options
            -> Network packet filtering (replaces ipchains) (NETFILTER [=
              -> IP: Netfilter Configuration
                -> Connection tracking (required for masq/NAT) (IP_NF_CON

Symbol: NETFILTER_NETLINK_QUEUE [=n]
  Prompt: Netfilter NFQUEUE over NFNETLINK interface
    Defined at net/netfilter/Kconfig:10
    Depends on: NET && NETFILTER && NETFILTER_NETLINK
    Location:
      -> Networking
        -> Networking support (NET [=y])
          -> Networking options
            -> Network packet filtering (replaces ipchains) (NETFILTER [=
              -> Core Netfilter Configuration
                -> Netfilter netlink interface (NETFILTER_NETLINK [=n])

Symbol: NETFILTER_NETLINK [=n]
  Prompt: Netfilter netlink interface
    Defined at net/netfilter/Kconfig:4
    Depends on: NET && NETFILTER
    Location:
      -> Networking
        -> Networking support (NET [=y])
          -> Networking options
            -> Network packet filtering (replaces ipchains) (NETFILTER [=
              -> Core Netfilter Configuration
```

----------

## danpixley

Great how-to!

I am having trouble building ebtables into my 2.6.15 kernel. So far I have these, and the kernel still complains about the module not being found when I attempt an ebtables command:

```
Networking ->
   Networking Options ->
      802.1d Ethernet Bridging [*]
   Network packet filtering ->
      Bridged IP/ARP packets filter [*]
      Network packet filtering debugging [*]
      Bridge: Netfilter Configuration ->
         (everything) [*]
```

What else is needed to compile this into my 2.6 kernel? I also have a bunch of the iptables stuff compiled into my kernel, but I wasn't sure if it was relevant to post it here.

Thanks in advance,

Dan

Edit: It seems I forgot to compile my kernel.  I'll keep this post up as reference for anyone else who overlooks ebtables in the 2.6 kernel config.
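The two posts above both come down to "which netfilter/bridge symbols does my kernel actually have?". The following added script (not from the thread or the howto) checks a kernel .config for the 802.1d bridging, ebtables and NFQUEUE symbols named in those posts, distinguishing built-in, module, explicitly off and absent; the sample .config it writes is constructed for the demo.

```shell
# Added example, not code from the thread: checks a kernel .config for the
# bridging / ebtables / NFQUEUE symbols this thread mentions. Symbol names are
# real Kconfig names; the sample .config written below is constructed.

# State of one symbol in a .config: y, m, n or missing.
#   $1 = path to .config   $2 = symbol name without the CONFIG_ prefix
kconfig_state() {
    if grep -q "^CONFIG_$2=y$" "$1"; then echo y
    elif grep -q "^CONFIG_$2=m$" "$1"; then echo m
    elif grep -q "^# CONFIG_$2 is not set$" "$1"; then echo n
    else echo missing          # kernel too old, or a parent option is off
    fi
}

# List every required symbol that is neither built in (y) nor a module (m).
# Prints one "CONFIG_X=state" line per problem and returns 1 if any found.
# A module (m) still has to be loaded with modprobe before ebtables works.
check_bridge_kconfig() {
    _rc=0
    # BRIDGE = 802.1d Ethernet Bridging; BRIDGE_NETFILTER = Bridged IP/ARP
    # packets filter; BRIDGE_NF_EBTABLES and BRIDGE_EBT_* = Bridge: Netfilter
    # Configuration; NETFILTER_NETLINK_QUEUE = NFQUEUE from the notes above
    for _sym in BRIDGE BRIDGE_NETFILTER BRIDGE_NF_EBTABLES BRIDGE_EBT_T_FILTER \
                BRIDGE_EBT_T_NAT BRIDGE_EBT_BROUTE \
                NETFILTER_NETLINK NETFILTER_NETLINK_QUEUE; do
        _st=$(kconfig_state "$1" "$_sym")
        case "$_st" in
            y|m) ;;
            *) echo "CONFIG_${_sym}=${_st}"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Constructed sample .config for the demo. On a real box run the checker on
# /usr/src/linux/.config or on the output of "zcat /proc/config.gz".
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BRIDGE=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_T_NAT=m
CONFIG_NETFILTER_NETLINK=y
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
EOF
}

# Usage: sh check_kconfig.sh /usr/src/linux/.config
if [ -f "${1:-}" ]; then check_bridge_kconfig "$1"; fi
```

A symbol reported as `missing` rather than `n` usually means its parent menu (for example "Network packet filtering") is switched off, so menuconfig never offered it.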

----------

## daten

The original post looks familiar:

http://www.linuxsecure.de/index.php?action=90

----------

