Ok, I need a little help. Banging my head against the wall isn't getting the job done anymore ;-)

1) I'm running Redhat 7.3 (kernel 2.4.18). Do you know if this needs to be patched?

2) I downloaded the script from http://www.sparkle-cc.co.uk/firewall/rc.firewall.sh.txt. Ran it, didn't work. I tried to run just a simple bridge (no firewall) with

  # ifdown eth0
  # ifdown eth1
  # brctl addbr br0
  # brctl addif br0 eth1
  # brctl addif br0 eth0

This should be sufficient to test that the bridging part is working, correct? Under this configuration I can't ping the Cisco. I have verified that both NICs work, and that the cabling between the NIC and the Cisco is correct.

So anyway, I would appreciate any tips you could pass along.

Thanks for the great help,

--Nathan Davis

BN wrote:
> I have setup the transparent (bridging) firewall in linux before.
> If you need help let me know and I'll check my notes.
> The really cool thing is that you can also set up queueing and bandwidth
> shaping transparently.
> There is a patch that hooks IP Tables/route back into the bridging code.
> So, if you don't want any one computer hogging bandwidth it might be
> worthwhile.
>
> Simeon Johnston wrote:
>
> > Nathan Davis wrote:
> >
> >> After thinking about this for awhile, I was wondering if I really need to
> >> use two *real* ip addresses on the firewall machine. Or even if there's
> >> a way to set up a default route to an interface with no ip address
> >> assigned. Another option might be to have the cisco (and possibly the
> >> firewall too) obtain an ip address via dhcp (I don't know how the other
> >> end might take this, though), or assign the interface connecting the
> >> firewall to the Cisco a "fake" address.
> >>
> >
> > If you want an interface w/ no IP I'd suggest getting the Linux
> > bridging stuff.
> > The idea would be to have 3 NIC's actually. One external (Router ->
> > FW NIC), One for internal NAT'd addresses (any traffic can be
> > forwarded through the firewall to internal hosts), the other would be
> > a bridged interface to a DMZ (allows you to filter ports but doesn't
> > need an IP).
> > There are other ways to set this up also but this is the only way I
> > can think of at the moment to get a firewall without using one of your
> > addresses. Unless of course you just forward all your traffic through
> > the firewall. If you want a dedicated address for a specific server
> > instead of all your DNS entries going to the firewall, the firewall
> > can be multi-homed (multiple addresses/NIC).
> >
> > I could probably think of a few more ways to get it done but couldn't
> > tell you the "best" way without a bit more info.
> >
> > sim
> >
> > _______________________________________________
> > Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> > http://www.mn-linux.org
> > tclug-list at mn-linux.org
> > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
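The five-command bridge test from Nathan's post, redone as an added example (this is not code from the thread or from the linked rc.firewall.sh script). It assumes brctl from bridge-utils and ifconfig from net-tools, as shipped with Red Hat 7.3, and uses the same names as the post: a bridge br0 over eth0 and eth1. The point it demonstrates is the one a bridge that "does nothing" usually comes down to: ifdown leaves both ports administratively down, and a down port never reaches the forwarding state, so the NICs have to be brought up without an address and the br0 device itself brought up. A freshly added port also sits in listening/learning for the forward delay (15 seconds by default) before it passes traffic, which is long enough to make a quick ping test look like a failure.

```shell
#!/bin/sh
# Added example: bring up an IP-less Linux bridge for a transparent firewall.
# Not code from the thread or from the linked rc.firewall.sh script.
# Assumes bridge-utils (brctl) and net-tools (ifconfig) and root privileges.
# With DRY_RUN=1 the commands are printed instead of executed, so the
# sequence can be reviewed on a box that has no second NIC.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bridge_setup BRIDGE PORT...
# Differences from the five commands in the post: each port is brought UP
# with no address instead of being left in the ifdown state (a down port
# never forwards), and the bridge device itself is brought up. STP is
# turned off and the forward delay zeroed so the ports forward at once
# instead of after the default 15 s listening/learning period.
bridge_setup() {
    br="$1"; shift
    run brctl addbr "$br"
    for port in "$@"; do
        run ifconfig "$port" 0.0.0.0 up   # link up, no IP: invisible at layer 3
        run brctl addif "$br" "$port"
    done
    run brctl stp "$br" off               # one bridge, no loops: STP only adds delay
    run brctl setfd "$br" 0               # skip the forward-delay wait
    run ifconfig "$br" up                 # no address on the bridge either
    run brctl show "$br"                  # confirm both ports are attached
}

# Usage: DRY_RUN=1 sh bridge.sh br0 eth0 eth1 to review the sequence,
# then the same command as root without DRY_RUN to apply it.
if [ $# -ge 2 ]; then
    bridge_setup "$@"
fi
```

Once br0 is up with both ports attached, the ping to the Cisco from a host on the other side of the bridge is the test of the bridging part; the firewall box itself still has no address, so pinging *from* the firewall is not a meaningful check of the bridge.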