Paranoid Penguin - Building a Transparent Firewall with Linux, Part I

From Issue #196
August 2010

Oct 01, 2010 By Mick Bauer

Security

Yes, you still need a firewall. How about a transparent one?

Routing vs. Bridging Firewalls

Normally, a firewall acts like a router. It receives traffic from two or more network interfaces and makes decisions about whether and how to route that traffic. Any host that needs to send traffic through the firewall must either use the IP address of the firewall interface that faces it as its default gateway, or a router between that host and the firewall must be configured to use the firewall as a route to whatever networks are on the other side of the firewall.

Figure 2 shows a routing firewall. As you can see, each firewall interface has its own IP address that is valid on the network to which that interface connects, and that IP address serves as the route to the other side of the firewall. In this example, hosts in Network A have to know (or send packets to some router that knows) that 10.20.30.254 is the gateway to reach Network B. Hosts in Network B have to know (or speak to a router that knows) that 44.55.66.254 is the gateway to reach Network A.

Figure 2. A Standard (Routing) Firewall

One ramification of the “firewall as router” approach is that normally, if you have a big bunch of existing systems you want to divide into two security zones, one “trusted” and the other “non-trusted”, you'll probably need to re-IP-address the hosts in one or both zones (or re-mask the subnet they're on, which may not be possible) and insert a firewall configured as a gateway between those zones. In other words, inserting a routing firewall into an existing network usually means reconfiguring both the network and the systems connected to it.

But, what if you wanted to insert a firewall between two parts of the same network, without re-addressing anything? Is it possible to configure a firewall to act more like a bridge than a router?

Indeed, it is. And best of all, the firewall's rules will look and behave in much the same way as if it were a standard routing firewall! All the trickery is in the firewall's network configuration.

What Is Bridging, Exactly?

This month's column assumes you know something about networking. IP firewalls, whether standard/routing or transparent/bridging, are at least an intermediate-level topic, and you really can't expect to configure either kind unless you have a working understanding of how TCP/IP protocols work. But even if you do, you might be a bit rusty on the difference between bridging and routing. Here's a quick, simplified primer.

Routers operate at Layer 3, the IP layer. They evaluate network packets based on their IP headers. In contrast, bridges operate at Layer 2, the Data Link (most commonly Ethernet nowadays) layer. Bridges evaluate Ethernet headers. A “switch” is simply a bridge with lots of ports.

To “route” is to make decisions on what to do with a packet based on its destination IP address—specifically, to determine the most efficient “route” (series of forwarding routers) by which to deliver the packet to its destination. These decisions can be complicated. There may be many possible routes, and because individual “hops” between gateways in a given route may become congested or otherwise slow down, the “best” route for a stream of packets may change during the course of a single network transaction.

For this reason, routers use a combination of routing algorithms, routing tables and forwarding tables to compute routes “on the fly”. Note, however, that although firewalls act like routers, they seldom have to make nearly so complicated routing decisions as true routers typically do. Typically, a firewall uses a single gateway for all routes to “internal” networks and another for all other (“outside”) networks, where both gateways are actual routers.

Bridging, in contrast, is much simpler. A bridge, or switch, looks at each incoming Ethernet frame entering each bridge/switch port and determines its destination Ethernet address (also known as a MAC address). It then matches this against the entries in its local MAC table (which is simply a list of the MAC addresses of all devices currently attached to active ports) and delivers the frame to the corresponding local port.

For more complete discussions of how routers and bridges/switches work, Wikipedia is a good place to start.

Figure 3 shows a transparent (bridging) firewall. In this example, the firewall has been configured to treat both of its network interfaces as switch ports. Neither interface has an IP address bound to it! Instead, the virtual switch that they comprise has a shared IP address of 44.55.66.254. Although the firewall might be reachable by this IP address (actually there are good reasons for it not to be), none of the hosts in Zone A need to use that IP as a gateway in order to reach the hosts in Zone B, or vice versa. Just as with any other switch, the firewall will propagate packets automatically without needing to be explicitly routed through.

Figure 3. A Transparent (Bridging) Firewall

However, the firewall will propagate packets only after first matching them against its firewall rule set and determining whether it even should propagate them. If you want to evaluate packets based on Ethernet header attributes, you can do so using ebtables. However, in this series of articles on building your very own transparent Linux firewall, we'll use plain-old iptables to evaluate packets in the same way that routing firewalls do, using IP/TCP/UDP header information.

______________________

White Paper

More Resources

Fabric-Based Computing Enables Optimized Hyperscale Data Centers

Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.

Learn More


Making Linux and Android Get Along (It's Not as Hard as It Sounds)	May 16, 2013
Drupal Is a Framework: Why Everyone Needs to Understand This	May 15, 2013
Home, My Backup Data Center	May 13, 2013
Non-Linux FOSS: Seashore	May 10, 2013
Trying to Tame the Tablet	May 08, 2013
Dart: a New Web Programming Experience	May 07, 2013

Free Webinar: Linux Backup and Recovery

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Register now for this free webinar.