[Bridge] Problem with startup script

I put a bridging firewall together last winter (with some help) and have had it in production in front of a couple of Windows web and mail servers for going on 6 months now. I used Fedora C1 with 2.4.22 kernel and 0.9.6 bridge-utils. The bridge has solved a lot of security headaches. I use a modified startup script written by David Whitmarsh that has worked really well. http://www.sparkle-cc.co.uk/firewall/rc.firewall.sh.txt

Now that Fedora C2 has the 2.6 kernel (2.6.5-1.358) I figured I'd try it on a test machine. I loaded the 0.9.6 bridge-utils rpm that came with it, for simplicity, and double checked the networking files to make sure eth0 and eth1 were set up correctly without IPs. I then ran these commands in bash and the bridge came up perfectly.
-------------------------------------
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig br0 192.168.1.14 up
---------------------------------------
I could see across the bridge from both sides, and thought this is too easy. Then I dropped the startup script I've been using in /etc/rc.d and started running into problems. I found out modules are handled a little differently now (modutils to module-init-tools) so the iptables has to be handled a little differently. But what's got me is the errors popping up when trying to start the bridge from this script I'm testing with (syntax OK):
--------------------------------------
#!/bin/sh
BR_IP="192.168.1.14"
BR_IFACE=br0
INET_IFACE="eth1"
LAN_IFACE="eth0"
#
brctl addbr $BR_IFACE
brctl addif $BR_IFACE $INET_IFACE
brctl addif $BR_IFACE $LAN_IFACE
ifconfig $INET_IFACE 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0
ifconfig $BR_IFACE up
--------------------------------------
which works fine with the 2.4 kernel but errors out with
--------------------------------------
[root@test root]# sh /etc/rc.d/rc.bridge
SIOCSIFADDR: No such device
: unknown interface: No such device
SIOCSIFADDR: No such device
: unknown interface: No such device
 doesn't exist!
 doesn't exist!
: Host name lookup failure
ifconfig: `--help' gives usage information.
--------------------------------------
on this test box. I believe this is a similar problem to the one noted a few days ago by Harald Küthe http://lists.osdl.org/pipermail/bridge/2004-June/000382.html (although I'm using the 0.9.6 bridge-utils) regarding where SIOCGIFCONF only lists interfaces that have IP addresses. I tried adding IPADDR=0.0.0.0 to ifcfg-eth0 and ifcfg-eth1 but it had no effect. Fedora uses glibc so the patch for uClibc wasn't useful. What I don't understand is how the same commands can be typed into a shell, but won't work in the script?

Pardon my ignorance, as I'm just learning Linux and trying to muddle my way through, but any pointers would be appreciated. I'd also appreciate any suggestions on how to handle the iptables rules in a startup script.

Thank you,
Jim
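
The error lines quoted above, each starting where a name should be, are what a terminal shows when an interface name ends in a carriage return, as happens when a script is saved with DOS (CRLF) line endings. That cause is an assumption the post does not confirm; the shell sketch below is an added example, not part of the original message, and its sample file and messages are constructed:

```shell
#!/bin/sh
# Added example; assumes (unconfirmed) that rc.bridge has CRLF line endings.
CR=$(printf '\r')

# Show a message as a terminal displays it: a carriage return moves the
# cursor to column 0, so later text overwrites what was printed before it.
render_cr() {
    printf '%s\n' "$1" | awk '{
        n = split($0, seg, "\r"); line = ""
        for (i = 1; i <= n; i++) {
            s = seg[i]
            if (length(s) >= length(line)) line = s
            else line = s substr(line, length(s) + 1)
        }
        print line
    }'
}

# Print the numbers of the lines in file $1 that end in a carriage return.
cr_lines() {
    awk '/\r$/ { printf "%s%d", sep, NR; sep = " " } END { if (sep) print "" }' "$1"
}

# Write file $1 to stdout with every carriage return removed.
strip_cr() {
    tr -d '\r' < "$1"
}

# Constructed sample: three lines in the style of the script, saved with CRLF.
make_sample() {
    printf 'BR_IFACE=br0\r\nINET_IFACE="eth1"\r\nifconfig $INET_IFACE 0.0.0.0\r\n' > "$1"
}

# Demo on the constructed sample, or on a real script passed as $1.
demo() {
    f=${1:-}
    if [ -z "$f" ]; then f=$(mktemp); make_sample "$f"; tmp=$f; fi
    echo "lines ending in CR: $(cr_lines "$f")"
    # Constructed message: what a tool prints when handed the name "eth1<CR>".
    render_cr "eth1${CR}: unknown interface: No such device"
    [ -z "${tmp:-}" ] || rm -f "$tmp"
}
demo "$@"
```

Run it with the script's path as the first argument to list the affected lines of a real file; `strip_cr` writes a cleaned copy to stdout.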

