mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-25 07:38:57 +01:00
155 lines
5.7 KiB
XML
155 lines
5.7 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Shorewall and a Simple Bridge</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2004</year>
|
|
|
|
<year>2005</year>
|
|
|
|
<year>2006</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section id="Background">
|
|
<title>Background</title>
|
|
|
|
<para>Systems where Shorewall runs normally function as
|
|
<firstterm>routers</firstterm>. In the context of the Open System
|
|
Interconnect (OSI) reference model, a router operates at layer 3.
|
|
Shorewall may also be deployed on a GNU Linux System that acts as a
|
|
<firstterm>bridge</firstterm>. Bridges are layer-2 devices in the OSI
|
|
model (think of a bridge as an Ethernet switch).</para>
|
|
|
|
<para>Some differences between routers and bridges are:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Routers determine packet destination based on the destination IP
|
|
address while bridges route traffic based on the destination MAC
|
|
address in the Ethernet frame.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>As a consequence of the first difference, routers can be
|
|
connected to more than one IP network while a bridge may be part of
|
|
only a single network.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>A router cannot forward broadcast packets while a bridge
|
|
can.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
|
|
<section id="Application">
|
|
<title>Application</title>
|
|
|
|
<para>There are cases where you want to create a bridge to join two or
|
|
more LAN segments and you don't need to restrict the traffic between those
|
|
segments. This is the environment that is described in this
|
|
article.</para>
|
|
|
|
<para>If you do need to restrict traffic through the bridge, please refer
|
|
to the <ulink url="bridge-Shorewall-perl.html">Shorewall Bridge/Firewall
|
|
documentation</ulink>. Also please refer to that documentation for
|
|
information about how to create a bridge.</para>
|
|
|
|
<para>The following diagram shows a firewall for two bridged LAN
|
|
segments.</para>
|
|
|
|
<graphic align="center" fileref="images/SimpleBridge.png" valign="middle" />
|
|
|
|
<para>This is fundamentally the Two-interface Firewall described in the
|
|
<ulink url="two-interface.htm">Two-interface Quickstart Guide</ulink>. The
|
|
bridge-specific changes are restricted to the
|
|
<filename>/etc/shorewall/interfaces</filename> file.</para>
|
|
|
|
<note>
|
|
<para>Older configurations that specify an interface name in the SOURCE
|
|
column of <filename>/etc/shorewall/masq</filename> will also need to
|
|
change that file.</para>
|
|
</note>
|
|
|
|
<para>This example illustrates the bridging of two Ethernet devices but
|
|
the types of the devices really isn't important. What is shown here would
|
|
apply equally to bridging an Ethernet device to an <ulink
|
|
url="OPENVPN.html">OpenVPN</ulink> tap device (e.g.,
|
|
<filename>tap0</filename>) or to a wireless device
|
|
(<filename>ath0</filename> or <filename>wlan0</filename>).</para>
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
net eth0 detect ...
|
|
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
|
|
role="bold">routeback</emphasis>,...</programlisting>
|
|
|
|
<para>So the key points here are:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>The <emphasis role="bold">loc</emphasis> interface is <filename
|
|
class="devicefile">br0</filename>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Neither <filename class="devicefile">eth1</filename> nor
|
|
<filename class="devicefile">eth2</filename> have IP addresses and
|
|
neither are mentioned in the Shorewall configuration.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The <emphasis role="bold">routeback</emphasis> option is
|
|
specified for <filename class="devicefile">br0</filename>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The default gateway for hosts in the local segments will be
|
|
10.0.1.254 — the IP address of the bridge itself.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">Note to Shorewall-perl users</emphasis>: You
|
|
should also specify the <emphasis role="bold">bridge</emphasis>
|
|
option:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
|
net eth0 detect ...
|
|
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
|
|
role="bold">routeback,bridge</emphasis>,...</programlisting></para>
|
|
|
|
<para>Your entry in <filename>/etc/shorewall/masq</filename> should be
|
|
unchanged:</para>
|
|
|
|
<programlisting>#INTERFACE SOURCE ADDRESS
|
|
eth0 10.0.1.0/24 ... # 10.0.1.0/24 is the local network on LAN A and LAN B</programlisting>
|
|
</section>
|
|
</article>
|