[ale] Firewall design

Christopher Fowler cfowler at outpostsentinel.com
Wed Jun 1 09:13:02 EDT 2005


On Wed, 2005-06-01 at 07:56, Stuffed Crust wrote:
> On Tue, May 31, 2005 at 10:19:44PM -0400, Christopher Fowler wrote:
> > Whatever I do my plan is to create the firewall as a bridging firewall
> > with _no_ address.  The only access will be via serial console.  We'll
> > install a console management device at the remote site so I will have to
> > access it first remotely before I can connect to the console on the
> > firewall to config or make changes.
> 
> This limits its effectiveness somewhat, as you'll be forced to use 
> ebtables instead of iptables, which has a much smaller functionality 
> set.  This is because when bridging the IP traffic never actually hits 
> the interfaces, thus the standard INPUT/FORWARD/OUTPUT rules never 
> apply.  And NAT will certainly have to be handled by another machine; 
> one with actual IP addresses configured.
> 

You do not need many features.  In the header of the packet are the
source and dest.  You simply have rules on that.  What other features
would you need?
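The following is an added worked example, not code from either poster.  It
models what an addressless bridging firewall with ebtables actually does:
look only at the source and destination in the IPv4 header of each bridged
frame, walk an ordered rule list, and fall back to the chain policy.  The
addresses (a 10.1.0.0/16 inside range, a 192.168.50.10 server) are
constructed for illustration, and the rendered ebtables lines assume the
standard `-p IPv4 --ip-src/--ip-dst` matches on the FORWARD chain.

```python
"""Stateless source/destination filter for bridged Ethernet frames (added example)."""
import ipaddress
import struct
from dataclasses import dataclass

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_HLEN = 14


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "ACCEPT" or "DROP"


def rule(src, dst, action):
    """Build a Rule from CIDR strings (a bare host address becomes /32)."""
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), action)


# Hypothetical ruleset with constructed addresses: one protected server and
# one trusted inside range.  Because nothing here keeps state, the reply
# direction needs its own explicit rule.
RULES = [
    rule("10.1.0.0/16", "192.168.50.10", "ACCEPT"),  # inside -> server
    rule("192.168.50.10", "10.1.0.0/16", "ACCEPT"),  # server -> inside
]
POLICY = "DROP"


def ethertype(frame):
    """EtherType of an Ethernet II frame, or None if the frame is too short."""
    if len(frame) < ETH_HLEN:
        return None
    return struct.unpack("!H", frame[12:14])[0]


def parse_ipv4(frame):
    """Return (src, dst) from the IPv4 header behind the Ethernet header, or None."""
    if ethertype(frame) != ETH_P_IP or len(frame) < ETH_HLEN + 20:
        return None
    ip = frame[ETH_HLEN:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None  # malformed header length: leave it to the chain policy
    return ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])


def decide(frame, rules=RULES, policy=POLICY):
    """First matching rule wins; anything unmatched gets the chain policy."""
    if ethertype(frame) == ETH_P_ARP:
        return "ACCEPT"  # the bridge is useless if ARP cannot cross it
    hdr = parse_ipv4(frame)
    if hdr is None:
        return policy  # truncated, non-IPv4, or malformed
    src, dst = hdr
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action
    return policy


def ebtables_commands(rules=RULES, policy=POLICY):
    """Render the same policy as ebtables FORWARD-chain commands (assumed equivalent)."""
    lines = [f"ebtables -P FORWARD {policy}", "ebtables -A FORWARD -p ARP -j ACCEPT"]
    for r in rules:
        lines.append(
            f"ebtables -A FORWARD -p IPv4 --ip-src {r.src} --ip-dst {r.dst} -j {r.action}"
        )
    return lines


def build_ipv4_frame(src, dst, proto=6, payload=b""):
    """Constructed Ethernet II + IPv4 frame; the IP checksum is left zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def build_arp_frame():
    """Constructed broadcast ARP frame with a zeroed body."""
    return bytes.fromhex("ffffffffffff") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_ARP) + bytes(28)


if __name__ == "__main__":
    for label, frame in [
        ("inside -> server", build_ipv4_frame("10.1.2.3", "192.168.50.10")),
        ("server -> inside", build_ipv4_frame("192.168.50.10", "10.1.2.3")),
        ("inside -> other host", build_ipv4_frame("10.1.2.3", "192.168.50.11")),
        ("outsider -> server", build_ipv4_frame("172.16.0.1", "192.168.50.10")),
        ("arp", build_arp_frame()),
    ]:
        print(f"{label:22} {decide(frame)}")
    print("\n".join(ebtables_commands()))
```

Two things the example makes visible that a header-only rule set does not
give you for free.  First, there is no connection tracking, so every
permitted flow needs a rule in each direction, and that return rule lets the
server initiate connections into 10.1.0.0/16 just as well as it lets replies
out.  Second, a rule keyed on the source field trusts that field; the only
anti-spoofing available is tying addresses to bridge ports with ebtables
-i/-o.  If you do want stateful iptables rules on an addressless bridge, the
2.6 bridge-netfilter code passes bridged IPv4 through the iptables FORWARD
chain when net.bridge.bridge-nf-call-iptables is set to 1.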



