In my environment, the best kind of firewall is the bridge kind of firewall. Meaning: a transparent kind of firewall. Here’s how I generally set them up.
So, I don’t have control of the gateway routers. I have IP addresses all over the place in my little IP pool. For example I have one little server room with a 22.214.171.124 a 126.96.36.199 and a 188.8.131.52. What I want is a firewall complete with IDP to limit access to stuff in a centralized way. BTW, I also tend to have firewalls on every machine, I guess for the double layer of protection. Firewalls are sort of like condoms. Double layering doesn’t seem to help that much, but it couldn’t hurt. And either way, once you’re penetrated, you’re fucked.
To clarify, what I want is something completely invisible to the outside. As far as the outside is concerned, there is nothing there. In fact, this could be the case as far as the inside is concerned. However, you may want to give the bridge an IP address and let something through so you can ssh in to fix whatever problems.
Network —– Bridge ——switch —Internal Network of various IPs
The cool thing about a bridge is you can stick it anywhere and it won’t change how any of your other hosts are hooked up.
For this task, I chose everyone’s favorite os, Linux. I also chose a minimalist version of Ubuntu since I heart ubuntu. This is actually a pretty trivial thing to set up.
# apt-get install bridge-utils
Then you want to create a new bridge device and add your ethx to it. Your ethx will obviously probably be eth0, eth1, eth2 or whatever network devices you want on the bridge.
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# ip link set br0 up
Now guess what. You’ve now turned your $300 machine into a $10 hub.
Next if you want to give your bridge an ip address and a route:
# ip addr add x.x.x.x/x brd + dev br0
# route add default gw x.x.x.x dev br0
Where x is your ip and your subnet and gateway.
I find as I’m writing this I’m just repeating what else is out there. Go and read http://www.linuxjournal.com/article/8172 and it will show you the way.
Now that you’ve got your bridge working you can filter traffic using ebtables (on the hardware level) and iptables (on the ip level) and snort and whatever. There are tons of examples of this online, so I won’t bore you here. Awesome.
Put all this in rc.local or whatever boot up script so that your system remembers everything and you’re golden! To all those people who say “just use smoothwall and don’t worry about iptables” in your face! smoothwall/ipcop/monowall are all pretty cool, but being a transparent bridge isn’t one of the things they are capable of out of the box. They are mostly meant to be gateways or whatever.