Networking Forums

Asymmetrically routing through transparent fw (bridge)

 
 
Wolfgang Kohnen
05-10-2005, 04:42 PM
Hello folks!

I've got a more or less complicated problem here and my own knowledge
about iptables doesn't help me anymore. Please give me some light!

The problem I am facing is that I would like to default-route
packets from one local network to a [0]transparent firewall (its bridge
interface) so that this box routes packets either to a [1]Cisco router
which further connects to off-site networks and the internet, or my
bridge routes these packets to other on-site routers. I would like to
do it this way because there are many different dumb clients in that
network and I would like to avoid configuring additional network routes
on every single client. This way my bridge "router" can decide
centrally where to go: either to the uplink or to other on-site routers.

This setup means that packets going from the network mentioned above to
the internet will go to my bridge router's br0 interface, because their
default gateway points to this interface. The transparent
firewall/bridge itself has a different default gateway pointing to the
Cisco router, and the packet will find its way... so far so good. But
packets going the other way round will arrive from the internet (or
other off-site networks) at the Cisco router and then they will be sent
from the Cisco router directly to the client, i.e. transparently through
the bridge.

Summarized: I have a more or less asymmetric routing, packets going to
the bridge but coming from the Cisco, though physically both pass through my
bridge.

This asymmetry gives me two questions I can't answer by myself:

1.) Does it work like I've explained here, or am I talking rubbish? :-)

2.) How can I handle connections going through this transparent
firewall? Am I able to [2]statefully inspect connections [0]easily here!?


Thanks a lot in advance for any advice!

Wollie

Notes:

[0] I would like to use a Debian box with Linux 2.6.xy and fwbuilder
2.0.6, because I am very familiar with Debian and I have to coach local
admins with firewalling, and I would like to abide by fwbuilder (wow,
experimental English... did you get me?)
[1] It's on the same logical network, hence the bridging. It's not our
router; I can't change any configs.
[2] This is the main reason why I want to place a bridge/transparent fw
in front of the Cisco router: I want to firewall this connection with
one of my own machines.



Philippe WEILL
05-11-2005, 11:25 AM


Wolfgang Kohnen wrote:
> Hello folks!
>
> I've got a more or less complicated problem here and my own knowledge
> about iptables doesn't help me anymore. Please give me some light!
>
> The problem I am facing with is, that I would like to default-route
> packages from one local network to a [0]transparent firewall (its bridge
> interface) so that this box routes packages to either a [1]ciso router
> which further connects to off-site networks and the internet or my
> bridge routes these packages to other on-site routers. I would like to
> do it this way, because there are many different dumb clients in that
> network and I would like to avoid to configure additional network routes
> into every single client. This way my bridge "router" can decide
> centrally where to go -- either to the uplink or to other on-site routers.
>
> This setup means, that packages going from my network mentioned above to
> the internet will go to my bridge router's br0 interface, because their
> default gateway point to this interface. The transparent
> firewall/bridge has itself a different default gateway pointing to the
> cisco router and the package will find its way... so good so far. But
> packages going the other way round will arrive from the internet (or
> other off-site networks) at the cisco router and then they will be sent
> from the cisco router directly to the client i.e. transparently through
> the bridge.
>
> Summarized: I have a more or less asymmetric routing, packages going to
> bridge, but coming from cisco, though physically going both through my
> bridge.


I think this doesn't work, if I understand what you want to do.

Are you using a switch router or a pure router,
and where do you want to put your bridging firewall?

If you want to do something like this, it doesn't work:

|------------|
---------| Cisco |
|------------|
| | | | |
|- ---| Workstations
| FWB |
|-----|

Could you explain with ASCII art what you need?


>
> This asymmetry gives me two questions I can't answer by myself:
>
> 1.) Does it work like I've explained here, or am I talking rubbish? :-)
>
> 2.) How can I handle connections going through this transparent
> firewall? Am I able to [2]stateful inspect connections [0]easily here!?
>
>
> Thanks a lot in advance for any advices!
>
> Wollie
>
> Notes:
>
> [0] I would like to use a Debian box with Linux 2.6.xy, and fwbuilder
> 2.0.6 because I am very familar with Debian and I've to coach local
> admins with firewalling and I would like to abide by fwbuilder (wow,
> experimental English... did you get me?)
> [1] It's on the same logical network, hence the bridging. It's not our
> router, I can't change any configs.
> [2] This is the main reason why I want to place a bridge/transparent fw
> in front of the cisco router: I want to firewall this connection with
> one of my own machines.
>


--
Weill Philippe - Administrateur Systeme et Reseaux
Devil-Linux distribution for firewall and security
http://www.devil-linux.org
 
Wolfgang Kohnen
05-11-2005, 03:13 PM
Philippe WEILL wrote:

> if you want to do something like this it's doesn't work
>
> |------------|
> ---------| Cisco |
> |------------|
> | | | | |
> |- ---| Workstations
> | FWB |
> |-----|
> could you explain with ascii art what you need



It's more like this:

-------
|cisco|-----> metropolitan area net
-------
| ----------------
| (----------------------------| other switch |
| | ----------------
--------- ------ ---------- |||||||| |
| FWB |------> | FW |------| switch | third network
--------- ------ ---------- |
| |||||| |
| |||||| ------
| second network | FW |
| ------
----------
| switch |
----------
||||||
||||||
first network

The interesting part is in the left column: the Cisco router, the
bridging firewall (FWB) and the connected "first network". What I need
is that the first network has a default gateway different from the second
and third network (which go to a different off-site uplink). But I want
to route packets between these three networks. The Cisco's IP is
10.121.64.1 and I would like to give the IP 10.121.64.15 (same logical
network, hence the bridging firewall) and the default gateway 10.121.64.1 to
the FWB, and then give a default gateway of 10.121.64.15 to the clients
in the first network.

Maybe it was misleading that I wrote:

>> But
>> packages going the other way round will arrive from the internet (or
>> other off-site networks) at the cisco router and then they will be sent
>> from the cisco router directly to the client i.e. transparently through
>> the bridge.


The FWB is between the first network and the Cisco router, of course.
If I didn't miss something important, the packets will all pass the FWB
from all directions: from the Cisco to the first network, from the first network to
the Cisco, and to/from the second network to the first network.

But there is still an asymmetry on the FWB: the Cisco thinks it sends to the
network directly and it passes the FWB, and the clients in that network
think the FWB is a router and the Cisco doesn't exist. My question is
either theoretical, "How does this asymmetry appear at the FWB? (routing table /
INPUT / FORWARD / OUTPUT)", or pragmatic:

>> 2.) How can I handle connections going through this transparent
>> firewall? Am I able to [2]stateful inspect connections [0]easily here!?


I have no clue. Maybe Linux can't do this at all, or there is just
no problem, or... I don't know?
 
Philippe WEILL
05-11-2005, 04:28 PM


Wolfgang Kohnen wrote:
> Philippe WEILL schrieb:
>
>
>>if you want to do something like this it's doesn't work
>>
>> |------------|
>>---------| Cisco |
>> |------------|
>> | | | | |
>> |- ---| Workstations
>> | FWB |
>> |-----|
>>could you explain with ascii art what you need

>
>
>
> It's more like this:
>
> -------
> |cisco|-----> metropolitan area net
> -------
> | ----------------
> | (----------------------------| other switch |
> | | ----------------
> --------- ------ ---------- |||||||| |
> | FWB |------> | FW |------| switch | third network
> --------- ------ ---------- |
> | |||||| |
> | |||||| ------
> | second network | FW |
> | ------
> ----------
> | switch |
> ----------
> ||||||
> ||||||
> first network



OK, it's clearer now, and this should work without problem.
>
> The interesting part is on the left column: the cisco router, the
> bridging firewall (FWB) and the connected "first network". What I need
> is, that the first network has a default gateway different to the second
> and third network (which go to a different off-site uplink). But I want
> to route package between these three networks. Cisco's IP is
> 10.121.64.1 and I would like to give the IP 10.121.64.15 (same logical
> network, hence the bridging firewall) and default gateway 10.121.64.1 to
> the FWB and then give a default gateway of 10.121.64.15 to the clients
> in the first network.
>
> Maybe it was misleading, that I wrote:
>
>
>>>But
>>>packages going the other way round will arrive from the internet (or
>>>other off-site networks) at the cisco router and then they will be sent
>>>from the cisco router directly to the client i.e. transparently through
>>>the bridge.

>
>
> The FWB is between the first network and the cisco router, of course.
> If I didn't miss something important, the packages will all pass the FWB
> from all directions, from cisco to first network, from first network to
> cisco and to/from second network to the first network.
>
> But there is still a asymmetry on the FWB: Cisco thinks it sends to the
> network directly and it passes the FWB and the client in that network
> think the FWB is a router and the Cisco doesn't exist. My question is
> theoretical "How does this asymmetry appear at the FWB? (routing table/
> INPUT / FORWAD / OUTPUT)" or my question is pragmatical:
>
>
>>>2.) How can I handle connections going through this transparent
>>>firewall? Am I able to [2]stateful inspect connections [0]easily here!?


Remember that a bridging firewall is a switch (layer 2) with a layer 3+ filter;
it doesn't do routing (the IP address on the BR-FW is just used for administration and
possibly for the REJECT target in iptables, but you could work without an IP
address on it).
Your filters are all on the FORWARD chain, and you can't do NAT with the BR-FW
because there is no PREROUTING or POSTROUTING.
We use two bridging firewalls in our network.

A good distribution for that:
http://www.devil-linux.org
iptables rules can be generated by fwbuilder (from another host).

--
Weill Philippe - Administrateur Systeme et Reseaux
 
prg
05-11-2005, 05:32 PM

Wolfgang Kohnen wrote:
> Philippe WEILL schrieb:
>
> > if you want to do something like this it's doesn't work
> >
> > |------------|
> > ---------| Cisco |
> > |------------|
> > | | | | |
> > |- ---| Workstations
> > | FWB |
> > |-----|
> > could you explain with ascii art what you need

>
>
> It's more like this:
>
> -------
> |cisco|-----> metropolitan area net
> -------
> | ----------------
> | (----------------------------| other switch |
> | | ----------------
> --------- ------ ---------- |||||||| |
> | FWB |------> | FW |------| switch | third network
> --------- ------ ---------- |
> | |||||| |
> | |||||| ------
> | second network | FW |
> | ------
> ----------
> | switch |
> ----------
> ||||||
> ||||||
> first network
>
> The interesting part is on the left column: the cisco router, the
> bridging firewall (FWB) and the connected "first network". What I need
> is, that the first network has a default gateway different to the second
> and third network (which go to a different off-site uplink). But I want
> to route package between these three networks. Cisco's IP is
> 10.121.64.1 and I would like to give the IP 10.121.64.15 (same logical
> network, hence the bridging firewall) and default gateway 10.121.64.1 to
> the FWB and then give a default gateway of 10.121.64.15 to the clients
> in the first network.


I must be missing something -- not the first time

If FWB is to _bridge_ network-1 to the Cisco router, then the Cisco
would be the default GW. Why would you want FWB to be the default GW
for network-1?

If you need _routing_, what requirements do you have that would make
network-1 part of the same network as the Cisco? Why not just put them
on a separate subnet? Is this not possible/desired? Have you
considered proxy arp?

> Maybe it was misleading, that I wrote:
>
> >> But
> >> packages going the other way round will arrive from the internet (or
> >> other off-site networks) at the cisco router and then they will be sent
> >> from the cisco router directly to the client i.e. transparently through
> >> the bridge.
>
> The FWB is between the first network and the cisco router, of course.
> If I didn't miss something important, the packages will all pass the FWB
> from all directions, from cisco to first network, from first network to
> cisco and to/from second network to the first network.


Bridge "devices" are virtual and you add interfaces (nics) to a single
bridge device to participate in the bridged net segment. So you can
bridge from network-1 to Cisco while routing from network-2,3. If I
understand your layout, you can't bridge to FW because it is _routing_
to network-2 and network-3 (through switches). If it is to bridge to
them, then all segments are on the same subnet.

> But there is still a asymmetry on the FWB: Cisco thinks it sends to the
> network directly and it passes the FWB and the client in that network
> think the FWB is a router and the Cisco doesn't exist. My question is
> theoretical "How does this asymmetry appear at the FWB? (routing table/
> INPUT / FORWAD / OUTPUT)" or my question is pragmatical:
>
> >> 2.) How can I handle connections going through this transparent
> >> firewall? Am I able to [2]stateful inspect connections [0]easily here!?
>
> I have no clue. Maybe the Linux can't do this at all, or there is just
> no problem, or... I don't know?


It is not clear what segments/subnets/networks you want to bridge and
which you want to route.

Linux can do just about anything with the bridging code now built into
the 2.6 kernels.

However, I don't know that there is any (useful?) way to have it
_bridge_ in one direction, while _routing_ in another direction. Not
saying it's not possible (or if it would have any relevance for your
design), just can't imagine why you would do it.

Now Linux _can_ treat frames/packets arriving on an interface
differently (routed vs. bridged) in accordance with your configuration.
This is sometimes called brouting (cute, huh?).

Anyway, you might want to look at this and see if it helps:
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

Also, your ascii art would be much better if we knew which nics are
bridging and which are routing and which one(s) you would like to
broute. I _think_ I understand what you may be wanting, but not very
confident

hth,
prg
email above disabled

 
Wolfgang Kohnen
05-11-2005, 06:05 PM
Philippe WEILL wrote:

>> It's more like this:
>>
>> -------
>> |cisco|-----> metropolitan area net
>> -------
>> | ----------------
>> | (----------------------------| other switch |
>> | | ----------------
>> --------- ------ ---------- |||||||| |
>> | FWB |------> | FW |------| switch | third network
>> --------- ------ ---------- |
>> | |||||| |
>> | |||||| ------
>> | second network | FW |
>> | ------
>> ----------
>> | switch |
>> ----------
>> ||||||
>> ||||||
>> first network

>
>
>
> OK it's more clear and this should work without problem


Fine... :-)

> Remember that Bridging Firewall is a Switch ( Layer 2 ) with Layer 3+ Filter

Hmm, where is my OSI knowledge... hmm, maybe I never learned it.
Layer 2 is where MAC and ARP live and layer 3 is IP, isn't it? Or
no... layer 2 is MAC, layer 3 is ARP and layer 4 is IP? Anyway... :-)

> he doesn't do routing ( Ip address on BR-FW is just used for
> administration and eventually for reject target in iptables but you
> could work without an ip address on)
> your filters are all on FORWARD CHAIN and you can't do nat with BRFW
> because no PREROUTING or POSTROUTING


I don't need NAT here, that happens somewhere else. And does that mean I
can't make anti-spoofing rules here? Let me show in detail what I wanted
to do on that FWB; maybe you could point me to the spot where I'll
trip over?

The FWB is called voyager (my customer's choice, not my fault, but maybe
you like Star Trek?) and has three interfaces. eth0 and eth1 are joined
together to make br0, and there is eth2, which connects to the rest of our site:

voyager:
eth0/eth1 -> br0 (10.121.64.15)
eth2 (172.16.0.10) (just a transit net between two routers)

cisco:
10.121.64.1

and the other FW is called "enterprise" (there is another one called
"defiant" to continue the row...):

enterprise:
eth2 (172.16.0.15)
eth1 (192.168.64.15)
eth0 (195.x.y.16) (dmz)

So, on voyager I'll have to do:

route add -net 192.168.64.0 netmask 255.255.255.0 gw 172.16.0.15
route add -net 195.x.y.0 netmask 255.255.255.0 gw 172.16.0.15

The clients on the 10.121.64.0 net will get the default gw 10.121.64.15,
which is voyager's br0 IP, and will be forwarded from there to the Cisco,
because voyager itself has the default gw 10.121.64.1. Am I tripping
already? Is this where your "doesn't do routing" argument comes in? Or
does everything that crosses this FWB appear perfectly in FORWARD, so I
can do with the packets whatever I would like (drop or permit
would suffice)?

> a good distrib for that
> http://www.devil-linux.org


I hadn't heard of that; I am using a vanilla woody with some packages
from backports.org.

> iptables rules could be generated by FWBUILDER ( from another host )


Thanks a lot!

Wollie
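As an added example, not code from the thread and not fwbuilder output, here is the voyager setup of the last post written down so that the open question about stateful inspection is answered in rules. The script prints, rather than applies, the interface and route commands, the sysctls and an iptables-restore ruleset, so it can be reviewed before being run as root. It relies on the bridge-netfilter behaviour (bridge-nf-call-iptables, present in the 2.6 kernels the thread mentions and provided by the br_netfilter module on current kernels) that hands bridged IP packets to the iptables FORWARD chain; with it, the routed request half and the bridged reply half of a first-network flow both land in FORWARD as "-i br0 -o br0", differ only in the physdev match, and are tracked by one conntrack entry. Things the posts do not state are assumptions here and are marked in the comments: which bridge port faces which side, a /24 transit net, SSH as the only management service, the Cisco being the only host on its side of the bridge. The DMZ prefix is kept exactly as the placeholder the post used.

```shell
#!/bin/sh
# Added example, not code from the thread: print (never apply) the bridge
# setup, sysctls and iptables-restore ruleset for "voyager".  Assumptions
# not in the posts: eth0 faces the first network, eth1 faces the Cisco, the
# Cisco is the only host on its side of the bridge, the transit net is a /24
# and the only management service is SSH from the first network.
set -eu

BR=br0
PORT_LAN=eth0               # assumption: bridge port towards the first network
PORT_CISCO=eth1             # assumption: bridge port towards the Cisco
TRANSIT_IF=eth2
BR_IP=10.121.64.15/24
TRANSIT_IP=172.16.0.10/24   # assumption: /24 transit net
CISCO=10.121.64.1
FIRST_NET=10.121.64.0/24
ENTERPRISE=172.16.0.15
SECOND_NET=192.168.64.0/24
DMZ_NET="195.x.y.0/24"      # placeholder exactly as written in the post; fill in before use

# Interfaces and routes (iproute2 spelling of the brctl/route commands).
bridge_setup_cmds() {
  cat <<EOF
ip link add name $BR type bridge
ip link set $PORT_LAN master $BR
ip link set $PORT_CISCO master $BR
ip link set $PORT_LAN up
ip link set $PORT_CISCO up
ip addr add $BR_IP dev $BR
ip link set $BR up
ip addr add $TRANSIT_IP dev $TRANSIT_IF
ip link set $TRANSIT_IF up
ip route add default via $CISCO dev $BR
ip route add $SECOND_NET via $ENTERPRISE dev $TRANSIT_IF
ip route add $DMZ_NET via $ENTERPRISE dev $TRANSIT_IF
EOF
}

# Kernel knobs.  bridge-nf-call-iptables (br_netfilter module on current
# kernels) hands bridged IP packets to iptables at all.  send_redirects must
# be off: a client's packet to the Cisco is routed back out the interface it
# came in on, and the box would otherwise tell the client to bypass it.
sysctl_cmds() {
  cat <<EOF
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.$BR.send_redirects=0
EOF
}

# Filter table for iptables-restore ('#' lines are accepted as comments).
ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SPOOF - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $BR -m physdev --physdev-in $PORT_LAN -s $FIRST_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $BR -p icmp --icmp-type echo-request -j ACCEPT
# Both directions of a first-network <-> Internet flow arrive here as
# -i $BR -o $BR: the request is routed (client -> $BR_IP -> $CISCO), the reply
# is bridged ($CISCO -> client MAC).  Only physdev tells them apart, and
# conntrack sees both, so state tracking works.  Counter-only rules:
-A FORWARD -m physdev --physdev-is-bridged -m comment --comment "bridged direction"
-A FORWARD -m physdev ! --physdev-is-bridged -m comment --comment "routed direction"
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Anti-spoofing by physical port, since -i is $BR for both bridge ports.
-A FORWARD -m physdev --physdev-in $PORT_LAN ! -s $FIRST_NET -j DROP
-A FORWARD -m physdev --physdev-in $PORT_CISCO -s $FIRST_NET -j SPOOF
-A FORWARD -i $TRANSIT_IF -s $FIRST_NET -j DROP
-A SPOOF -s $CISCO -j RETURN
-A SPOOF -j DROP
# First network may open connections anywhere; replies match ESTABLISHED.
-A FORWARD -m physdev --physdev-in $PORT_LAN -s $FIRST_NET -m conntrack --ctstate NEW -j ACCEPT
# Second network -> first network: SSH only (assumption).  Nothing
# unsolicited from the Cisco side reaches the clients.
-A FORWARD -i $TRANSIT_IF -s $SECOND_NET -d $FIRST_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "voyager-drop: "
COMMIT
EOF
}

main() {
  printf '# --- interfaces and routes ---\n'; bridge_setup_cmds
  printf '# --- sysctl -w, one per line ---\n'; sysctl_cmds
  printf '# --- feed to iptables-restore ---\n'; ruleset
}
main
```

Run it as "sh voyager.sh > plan.txt", review, and apply the three sections as root with the shell, sysctl -w and iptables-restore. The two counter-only FORWARD rules make the asymmetry from the thread visible in "iptables -vL FORWARD": the request half of each first-network flow increments the routed counter, the reply half the bridged one, and both are accepted by the same ESTABLISHED rule. "-m state --state" is the older spelling of "-m conntrack --ctstate" and works the same way. The enterprise side still needs a route for 10.121.64.0/24 via 172.16.0.10, which this script does not produce.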
 