Re: firewall bridge , Vlan ?

On Mon 09/06/2003 at 05:46, loong wrote:
> Is there any way to install a bridge firewall and also install VLANs?
> http://www.candelatech.com/~greear/vlan.html

This works very well.
 
> so that my firewall can run like a NetScreen without using a hub or
> switch to my webserver.

You'll still have to use at least one switch.
 
> Currently it is:
>
> internet --> eth0 firewall eth1 --> hub ------> webserver 1
>                                         ------> webserver 2
>
> Is there any way I can install a few network cards in my firewall, then:
>
> internet ---> eth0 firewall eth1 ----> webserver 1
>                             eth2 ----> webserver 2
>                             eth3 ----> webserver 3

Your physical setup will be like this:

	Internet -> eth0/Firewall/eth1 -> switch -> Web1
						 -> Web2

You can also have :

	Firewall/eth0 -> switch -> Internet
				-> Web1
				-> Web2

But I don't recommend this setup as it relies too much on switch
security features.

So, you connect eth1 to your switch. This switch must support VLANs and
802.1q frame tagging. On the switch, configure the port connected to
eth0 as an 802.1q port (called a trunk on Cisco). Now, assign one VLAN to
Web1's port, and another one to Web2's port, etc. Eth0's port will carry
all assigned VLANs (see your switch documentation).

Now, on your firewall, use vconfig to create virtual interfaces
associated with each VLAN you want to see through the 802.1q link.

Suppose Web1 is on VLAN1, Web2 on VLAN2:

	vconfig add eth0 1
	vconfig add eth0 2

This will create vlan0001 and vlan0002 interfaces through which you'll
see Web1's traffic and Web2's traffic respectively.

See vconfig man page for further information.

Now, this solution is very scalable as you can add as many VLANs as you
want on your switch. You just have to add them to the 802.1q link and
create the proper interface on the firewall. Then you configure your
routing and filtering between those vlan* interfaces just the way you're
used to between physical ones (eth*). Note that eth1 will see 802.1q
tagged frames.

But beware of the fact that this kind of network separation directly
depends on your switch security. If someone is able to gain access to the
switch or find a way to bypass it, you lose everything relying on
VLANs. See:

	http://www.arp-sk.org/doc/bh-us-02-convrey-switches.pdf

-- 
Cédric Blancher  <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
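As an added illustration (not part of Cédric's post or of the vconfig project), this Python snippet shows what the firewall sees on the trunk port described above: it decodes the 802.1q tag of an Ethernet frame and maps the VLAN ID to the vlanNNNN interface name that vconfig creates by default (vlan0001, vlan0002). The MAC addresses and frame payloads are constructed test data.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value announcing an 802.1Q tag
ETH_P_IP = 0x0800     # EtherType of the encapsulated IPv4 payload

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Construct an Ethernet frame; insert an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # 3-bit PCP, 1-bit DEI, 12-bit VID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vid, pcp, ethertype, payload); vid and pcp are None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]

def vconfig_ifname(vid):
    """Default vconfig naming (VLAN_PLUS_VID): VLAN 1 -> vlan0001."""
    return "vlan%04d" % vid

def demux(frame):
    """Name the virtual interface a tagged frame would be delivered to."""
    vid, _pcp, _ethertype, _payload = parse_frame(frame)
    if vid is None:
        return "untagged"           # stays on the physical trunk interface
    if vid == 0:
        return "priority-tagged"    # VID 0 carries only a priority, no VLAN
    return vconfig_ifname(vid)

# Constructed sample traffic: Web1 on VLAN 1, Web2 on VLAN 2, plus an untagged frame.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IPV4_STUB = b"\x45" + b"\x00" * 19
SAMPLE_FRAMES = {
    "web1": build_frame(DST, SRC, ETH_P_IP, IPV4_STUB, vid=1),
    "web2": build_frame(DST, SRC, ETH_P_IP, IPV4_STUB, vid=2),
    "plain": build_frame(DST, SRC, ETH_P_IP, IPV4_STUB),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, "->", demux(frame))
```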