forked from extern/shorewall_code
026c30cfff
Signed-off-by: Tom Eastep <teastep@shorewall.net>
156 lines
5.6 KiB
XML
156 lines
5.6 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Shorewall and a Simple Bridge</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2004</year>
|
|
|
|
<year>2005</year>
|
|
|
|
<year>2006</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section id="Background">
|
|
<title>Background</title>
|
|
|
|
<para>Systems where Shorewall runs normally function as
|
|
<firstterm>routers</firstterm>. In the context of the Open System
|
|
Interconnect (OSI) reference model, a router operates at layer 3.
|
|
Shorewall may also be deployed on a GNU Linux System that acts as a
|
|
<firstterm>bridge</firstterm>. Bridges are layer-2 devices in the OSI
|
|
model (think of a bridge as an Ethernet switch).</para>
|
|
|
|
<para>Some differences between routers and bridges are:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Routers determine packet destination based on the destination IP
|
|
address while bridges route traffic based on the destination MAC
|
|
address in the Ethernet frame.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>As a consequence of the first difference, routers can be
|
|
connected to more than one IP network while a bridge may be part of
|
|
only a single network.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>A router cannot forward broadcast packets while a bridge
|
|
can.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
|
|
<section id="Application">
|
|
<title>Application</title>
|
|
|
|
<para>There are cases where you want to create a bridge to join two or
|
|
more LAN segments and you don't need to restrict the traffic between those
|
|
segments. This is the environment that is described in this
|
|
article.</para>
|
|
|
|
<para>If you do need to restrict traffic through the bridge, please refer
|
|
to the <ulink url="bridge-Shorewall-perl.html">Shorewall Bridge/Firewall
|
|
documentation</ulink>. Also please refer to that documentation for
|
|
information about how to create a bridge.</para>
|
|
|
|
<para>The following diagram shows a firewall for two bridged LAN
|
|
segments.</para>
|
|
|
|
<graphic align="center" fileref="images/SimpleBridge.png" valign="middle"/>
|
|
|
|
<para>This is fundamentally the Two-interface Firewall described in the
|
|
<ulink url="two-interface.htm">Two-interface Quickstart Guide</ulink>. The
|
|
bridge-specific changes are restricted to the
|
|
<filename>/etc/shorewall/interfaces</filename> file.</para>
|
|
|
|
<note>
|
|
<para>Older configurations that specify an interface name in the SOURCE
|
|
column of <filename>/etc/shorewall/masq</filename> will also need to
|
|
change that file.</para>
|
|
</note>
|
|
|
|
<para>This example illustrates the bridging of two Ethernet devices but
|
|
the types of the devices really isn't important. What is shown here would
|
|
apply equally to bridging an Ethernet device to an <ulink
|
|
url="OPENVPN.html">OpenVPN</ulink> tap device (e.g.,
|
|
<filename>tap0</filename>) or to a wireless device
|
|
(<filename>ath0</filename> or <filename>wlan0</filename>).</para>
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
|
|
|
<programlisting>?FORMAT 2
|
|
#ZONE INTERFACE OPTIONS
|
|
net eth0 ...
|
|
loc <emphasis role="bold">br0</emphasis> <emphasis
|
|
role="bold">routeback,bridge</emphasis>,...</programlisting>
|
|
|
|
<para>So the key points here are:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>The <emphasis role="bold">loc</emphasis> interface is <filename
|
|
class="devicefile">br0</filename>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Neither <filename class="devicefile">eth1</filename> nor
|
|
<filename class="devicefile">eth2</filename> have IP addresses and
|
|
neither are mentioned in the Shorewall configuration.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The <emphasis role="bold">routeback</emphasis> and <emphasis
|
|
role="bold">bridge</emphasis> options is specified for <filename
|
|
class="devicefile">br0</filename>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The default gateway for hosts in the local segments will be
|
|
10.0.1.254 — the IP address of the bridge itself.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Your entry in <filename>/etc/shorewall/masq</filename> should be
|
|
unchanged:</para>
|
|
|
|
<programlisting>#INTERFACE SOURCE ADDRESS
|
|
eth0 10.0.1.0/24 ... # 10.0.1.0/24 is the local network on LAN A and LAN B</programlisting>
|
|
|
|
<para>When running Shorewall 5.0.14 or later, the equivalent
|
|
<filename>/etc/shorewall/snat</filename> is:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO PORT
|
|
MASQUERADE 10.0.1.0/24 eth0</programlisting>
|
|
</section>
|
|
</article>
|