Computer Security - firewall on a bridge

 
09-20-2006, 11:01 PM   #1
firewall on a bridge


I want to bridge two ethernet NIC with a firewall
in between that would permit only specified IP addresses
from accessing FTP on the #2 NIC (LAN).

What programs meet this requirement?


Rick Merrill
09-20-2006, 11:33 PM   #2
Todd H.
Re: firewall on a bridge

Rick Merrill <> writes:

> I want to bridge two ethernet NIC with a firewall
> in between that would permit only specified IP addresses
> from accessing FTP on the #2 NIC (LAN).
>
> What programs meet this requirement?


Bridging occurs at the data link layer (MAC address), while IP
addresses connote more of a network layer decision being made, so if I
understand your request, we'll have to throw out the use of the word
bridge, and what I think you want is to selectively route between NIC1
(WAN/internet I suppose?) and NIC2 (LAN) based on source IP address?

What kind of box are we talking about here? Windows, Linux, an
appliance or home router?

Are you trying to set an ftp server up at home that can only be
accessed by specific folks you know based on ip address?


--
Todd H.
http://www.toddh.net/
09-20-2006, 11:46 PM   #3
Paul Day
Re: firewall on a bridge

On 20 Sep 2006 17:33:18 -0500 Todd H. may have written:
> Bridging occurs at the data link layer (MAC address), while IP
> addresses connote more of a network layer decision being made, so if I
> understand your request, we'll have to throw out the use of the word
> bridge, and what I think you want is to selectively route between NIC1
> (WAN/internet I suppose?) and NIC2 (LAN) based on source IP address?


Nope, he wants to bridge and it's perfectly possible. Even Linux and
iptables has had this functionality for quite some years.

Firewall policy implementation without having to re-structure/touch the
network...

PD

--
Paul Day
Web: http://www.enigma.id.au/
09-21-2006, 12:14 AM   #4
Todd H.
Re: firewall on a bridge

Paul Day <> writes:

> On 20 Sep 2006 17:33:18 -0500 Todd H. may have written:
> > Bridging occurs at the data link layer (MAC address), while IP
> > addresses connote more of a network layer decision being made, so if I
> > understand your request, we'll have to throw out the use of the word
> > bridge, and what I think you want is to selectively route between NIC1
> > (WAN/internet I suppose?) and NIC2 (LAN) based on source IP address?

>
> Nope, he wants to bridge and it's perfectly possible. Even Linux and
> iptables has had this functionality for quite some years.
>
> Firewall policy implementation without having to re-structure/touch the
> network...



I have heard of bridging firewalls (never played with em though,
obviously) but I guess I'm curious to confirm whether they'd be
appropriate to the OP's application (his goal hasn't been clearly
stated, so we don't yet know).

Don't they require that the hosts being blocked or allowed be on the
same segment so that rules can be written with respect to MAC
addresses vs wrt to IP addresses?


--
Todd H.
http://www.toddh.net/
09-21-2006, 01:11 AM   #5
Sebastian Gottschalk
Re: firewall on a bridge

Todd H. wrote:

> Don't they require that the hosts being blocked or allowed be on the
> same segment so that rules can be written with respect to MAC
> addresses vs wrt to IP addresses?


No. A bridging firewall doesn't care much for MAC addresses, at least not
more than any other firewall setup.
09-21-2006, 01:16 AM   #6
Rick Merrill
Re: firewall on a bridge

Todd H. wrote:
> Rick Merrill <> writes:
>
>
>>I want to bridge two ethernet NIC with a firewall
>>in between that would permit only specified IP addresses
>>from accessing FTP on the #2 NIC (LAN).
>>
>>What programs meet this requirement?

>
>
> Bridging occurs at the data link layer (MAC address), while IP
> addresses connote more of a network layer decision being made, so if I
> understand your request, we'll have to throw out the use of the word
> bridge, and what I think you want is to selectively route between NIC1
> (WAN/internet I suppose?) and NIC2 (LAN) based on source IP address?
>
> What kind of box are we talking about here? Windows, Linux, an
> appliance or home router?
>
> Are you trying to set an ftp server up at home that can only be
> accessed by specific folks you know based on ip address?
>


Yes, selectively route, and yes, see following.

Let me clarify: I want to use a Windows XP PC with 2 NIC to act as a
firewall in front of a 3rd party Linux FTP server. (Its log file is
being bombarded with knob twisting attempts.)

I want to allow access to the FTP server to a finite number of IP
addresses (OR have a login ...)

09-21-2006, 03:56 AM   #7
Todd H.
Re: firewall on a bridge

Rick Merrill <> writes:

> Yes, selectively route, and yes, see following.
>
> Let me clarify: I want to use a Windows XP PC with 2 NIC to act as a
> firewall in front of a 3rd party Linux FTP server. (Its log file is
> being bombarded with knob twisting attempts.)
> I want to allow access to the FTP server to a finite number of IP
> addresses (OR have a login ...)


Hrmm. The software like this that runs on windows runs on win2k
server and 2003 server and not their desktop OS's. I'm thinking of
Checkpoint FW-1 in this thought.

Is there any reason you have to use an XP PC? Several other options
are far more suitable to the job without the XP'ness running about,
including $60 appliances like a Linksys wrt54g running 3rd party
firmware, or using that PC hardware as a Linux firewall.


--
Todd H.
http://www.toddh.net/
09-21-2006, 03:57 AM   #8
Todd H.
Re: firewall on a bridge
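The Linux bridging firewall that Paul and Todd mention, as an added example that is not code from any poster: a transparent bridge between the two NICs with iptables rules that let new FTP control connections reach the LAN-side server only from listed source addresses, and that log and drop everything else before it reaches the server's own log. Interface names, the bridge name and the server address are assumed placeholders, and the conntrack FTP helper is assumed to be loaded for passive/active data channels.

```shell
#!/bin/sh
# Added example (not from the thread): bridge two NICs and filter FTP by
# source IP on the bridge. All names and addresses below are assumptions.
set -eu

WAN_IF=eth0          # NIC 1: faces the internet
LAN_IF=eth1          # NIC 2: faces the FTP server
BR_IF=br0            # transparent bridge, needs no IP address of its own
FTP_HOST=192.0.2.10  # constructed: the Linux FTP server behind the bridge

# Print the iptables rules for an allow-list (one source IP per argument).
# Printed rather than executed so the rule set can be reviewed first.
gen_rules() {
    wan=$1; lan=$2; ftp=$3; shift 3
    # Make bridged frames visible to iptables (bridge-netfilter) and load the
    # FTP conntrack helper; on kernels without automatic helper assignment a
    # '-t raw ... -j CT --helper ftp' rule is also needed (not shown).
    echo "modprobe -a br_netfilter nf_conntrack_ftp"
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    echo "iptables -F FORWARD"
    # Replies and the FTP data channels of sessions already accepted.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One ACCEPT per allowed client for new control connections to port 21.
    for src; do
        echo "iptables -A FORWARD -m physdev --physdev-in $wan --physdev-out $lan" \
             "-p tcp -s $src -d $ftp --dport 21 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everyone else: rate-limited log (so the log itself cannot be flooded),
    # then drop, so the attempts never reach the server's own log file.
    echo "iptables -A FORWARD -m physdev --physdev-out $lan -p tcp -d $ftp --dport 21" \
         "-m limit --limit 5/min -j LOG --log-prefix 'FTP-DENY: '"
    echo "iptables -A FORWARD -m physdev --physdev-out $lan -p tcp -d $ftp --dport 21 -j DROP"
    # All other bridged traffic is left untouched.
    echo "iptables -A FORWARD -j ACCEPT"
}

# Build the bridge and apply the rules (root only): sh bridgefw.sh apply <ip>...
apply() {
    ip link add name "$BR_IF" type bridge
    ip link set "$WAN_IF" master "$BR_IF"
    ip link set "$LAN_IF" master "$BR_IF"
    ip link set "$WAN_IF" up; ip link set "$LAN_IF" up; ip link set "$BR_IF" up
    gen_rules "$WAN_IF" "$LAN_IF" "$FTP_HOST" "$@" | sh -e
}

if [ "${1:-}" = "apply" ]; then shift; apply "$@"; fi
```

Because the bridge has no IP address of its own, the filtered hosts never see a new hop, which is the "no re-structuring of the network" property Paul describes.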

Sebastian Gottschalk <> writes:

> Todd H. wrote:
>
> > Don't they require that the hosts being blocked or allowed be on the
> > same segment so that rules can be written with respect to MAC
> > addresses vs wrt to IP addresses?

>
> No. A bridging firewall doesn't care much for MAC addresses, at least not
> more than any other firewall setup.


Goes onto to my "to play with" list. Thanks for the info Sebastian
and Paul.

Best Regards,
--
Todd H.
http://www.toddh.net/
09-21-2006, 02:13 PM   #9
Rick Merrill
Re: firewall on a bridge

Todd H. wrote:

> Rick Merrill <> writes:
>
>
>>Yes, selectively route, and yes, see following.
>>
>>Let me clarify: I want to use a Windows XP PC with 2 NIC to act as a
>>firewall in front of a 3rd party Linux FTP server. (Its log file is
>>being bombarded with knob twisting attempts.)
>>I want to allow access to the FTP server to a finite number of IP
>>addresses (OR have a login ...)

>
>
> Hrmm. The software like this that runs on windows runs on win2k
> server and 2003 server and not their desktop OS's. I'm thinking of
> Checkpoint FW-1 in this thought.
>
> Is there any reason you have to use an XP PC? Several other options
> are far more suitable to the job without the XP'ness running about,
> including $60 appliances like a Linksys wrt54g running 3rd party
> firmware, or using that PC hardware as a Linux firewall.
>


Thanks for the tip.

'We go to firewall with the PC we have, not always with the PC we want.'
09-23-2006, 06:57 AM   #10
Jean-François Gobin
Re: firewall on a bridge

Hello There,

I can't remember an option in Checkpoint to do transparent or bridge
firewall.

Cisco PIX (at least the FWSM blade, not yet checked for the same in PIX 7)
has a functionality called transparent firewall. You can then put
access-list based on IP or MAC.

OpenBSD can also do it, as well as Linux.

If this is an intensively used server, I would advise switching to a *nix
variant and not Windows, which may show its limits "at peak".

Regards,
Jean-François Gobin

"Rick Merrill" <> wrote in the message
news: ...
> Todd H. wrote:
>
>> Rick Merrill <> writes:
>>
>>
>>>Yes, selectively route, and yes, see following.
>>>
>>>Let me clarify: I want to use a Windows XP PC with 2 NIC to act as a
>>>firewall in front of a 3rd party Linux FTP server. (Its log file is
>>>being bombarded with knob twisting attempts.)
>>>I want to allow access to the FTP server to a finite number of IP
>>>addresses (OR have a login ...)

>>
>>
>> Hrmm. The software like this that runs on windows runs on win2k
>> server and 2003 server and not their desktop OS's. I'm thinking of
>> Checkpoint FW-1 in this thought. Is there any reason you have to use an
>> XP PC? Several other options
>> are far more suitable to the job without the XP'ness running about,
>> including $60 appliances like a Linksys wrt54g running 3rd party
>> firmware, or using that PC hardware as a Linux firewall.
>>

>
> Thanks for the tip.
>
> 'We go to firewall with the PC we have, not always with the PC we want.'


