From: www.itworld.com, May 2, 2001
Saved by the bell. Or maybe that should be: failed by the bell. I had intended to write about the new firewall I started working on two weeks ago (see Resources for a link), but the deadline is here and I am still defenseless. There has to be an easier way than the paths I've been down. I've done tons of things wrong so far, but the real problem is that I don't seem to be able to figure out what I'm doing wrong now, and that keeps me from getting the firewall to work.
The goal seemed simple enough: install a firewall between my router and my LAN while preserving the ability to access my Web and mail servers, which would sit on the LAN protected by the firewall. I built a box. I stuck in two NICs. I grabbed the copy of Stormix Firewall that had been gathering dust, while uninvited guests began housekeeping on my server (see Resources for a link). Then I began a long journey, most often of the pattern "one step forward, two steps back." I have made some progress, but not enough to get me where I need to go. I sit here, my dweebs, munching on a slice of humble pie. Help me if you can.
Here is the topography:

                    ISP
                     |
                   Router
                xxx.xxx.xxx.3
                     |
                   eth0
                xxx.xxx.xxx.4
                  Firewall
                   eth1
                xxx.xxx.xxx.7
                     |
                    Hub
         ---------------------------------
             |             |             |
       xxx.xxx.xxx.5  xxx.xxx.xxx.6  xxx.xxx.xxx.?
          Server       Workstation    Workstation
Installation of Storm Linux was problem-free except for one difficulty that I ran into last year: one of my NICs required an RTL8139 driver. Storm Linux, like Debian Potato when it first came out, recognized the card but didn't include the driver. Hey, no problem. I had been down this path before, so I simply downloaded newer drivers from the Stormix site and got the one I needed.
The very first thing I did wrong was forget the lesson I learned so many years ago about null modems. I can't remember all the times I've explained to newbies what happens when both ends of a direct connection are talking and listening on the same pins of a serial connection. A null modem reverses those connections and allows the pair to talk to each other as if a modem were in place. The folks on my local LUG mailing list enjoyed reminding me of that when I posted a plea for help. So I went shopping and got a CAT-5 crossover cable that would properly reverse the connections for the direct Ethernet connection between the router and the firewall.
I believed that would put an end to all of my problems. Little did I know what lay ahead. I was able to talk to the Ethernet from the firewall machine, but no matter how I tuned and configured things, I could not get to the Internet from the LAN, or vice versa. I kept returning to a troubling statement in the Storm Firewall User Guide: "You will not be able to bridge two networks together if they share the same range of internal addresses." I wondered if that applied to me, since the router and the computers were all part of the same network address space. All the example scenarios in the User Guide were based on using IP masquerading, meaning the machines on the LAN would be invisible to the outside world. A query to Stormix support went unanswered. I'm afraid the rumors about Stormix closing up shop have finally proved true.
I turned to the Internet for help, posting a query in comp.os.linux.networking, checking the HOWTOs, and looking for relevant articles on the subject. All signs pointed toward using a bridge so that the two NICs on the firewall could pass traffic between them. All signs, that is, with the exception of a response to my query in the newsgroup, which told me that I didn't need a bridge, only a better configuration for my routing.
Putting a Red Hat on
After trying -- and failing -- to resolve the problem by following the suggested routing configuration, I jumped completely into the notion that I needed a bridge. I found an article by Henry Stilmack, published in Linux Journal (see Resources for a link), that described setting up a similar firewall by creating such a bridge. Even better, the story was based on a distribution I had available, Red Hat 7.0. Off came Stormix and the Storm Firewall. On went a default Red Hat workstation installation.
I added the kernel source code to the packages I installed, and then grabbed a copy of the bridge filter patch. Following most of the instructions (I didn't create a second directory for the kernel source code) from the article, I applied the patch. Then I made another error. I forgot the GCC compiler problems with Red Hat 7.0. So after doing make config to set the parameters for building the new kernel, the build failed. If I had followed the link to the Red Hat site mentioned in the article, I could have averted that miscue. Once I had identified the problem, it only took a second to install KGCC, which comes on CD 1 of the Red Hat distribution for just that purpose. Then I was off and running again. I should mention that before using the CLI configuration tool, I tried both make xconfig and make menuconfig, but neither provided the granularity necessary to set the parameters I needed.
Finally the new kernel was ready. I modified /etc/lilo.conf to reflect the new default kernel, ran lilo, and rebooted. Then came the first test. Would ifconfig -a show whether or not my newly created bridge existed? No. It wouldn't. It seems I overlooked one of the CONFIG parameters specified in the article. Back into kernel configuration, build, and install mode. I tried ifconfig -a again. Hooray! The bridge was there!
Per the article, the last two steps were installing the bridge configuration program and creating the IPCHAINS rules. I downloaded brcfg and put the binary in /usr/bin, then fired it up using the commands suggested by the article and made the necessary adjustments to use eth0/eth1 instead of eth1/eth2. Although I could still get to the Internet from the firewall, no traffic was passing over the bridge. I backed up and compiled brcfg from the source code in the download, then tried that. But the result was the same. No go.
Perhaps the problem is my routing setup. Here is the output from a route command:
    Destination     Gateway         Genmask          Flags Metric Ref Use Iface
    xxx.xxx.xxx.2   *               255.255.255.240  U     0      0   0   eth0
    xxx.xxx.xxx.2   *               255.255.255.240  U     0      0   0   eth1
    127.0.0.1       *               255.0.0.0        U     0      0   0   lo
    default         xxx.xxx.xxx.3   0.0.0.0          UG    0      0   0   eth0
Perhaps the problem was that the network routing entry (xxx.xxx.xxx.2) showed up on both NICs. The post in response to my query on comp.os.linux.networking suggested that it was, but I haven't found the correct syntax to delete it. Or perhaps I need to add direct routes for the hosts inside the LAN.
At this point I am not sure of anything. But I have several questions burning holes in my router. First, am I correct in thinking I need the bridge filter in order to build the firewall? Second, what would the correct routing table for my configuration look like? Lastly, if it involves getting rid of the net route for eth0, what is the format of the route command to do that?
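As an added illustration of the routing question above (this script is not from the column), the following shell script reads a routing table laid out like the one printed earlier, flags any directly attached network that is listed on more than one interface, and prints the net-tools route del command that would remove that entry from a given interface. The table is a constructed sample copied from the column's output; the script only prints commands and changes no routes, and it does not decide whether removing the duplicate is the right fix.

```shell
#!/bin/sh
# Added example (not from the column): scan a `route -n`-style table for a
# directly attached network that is bound to more than one interface, which
# is the ambiguity the column's routing table shows, and print the net-tools
# syntax that would remove such an entry from one interface.

# Constructed sample, laid out like the table in the column.
ROUTE_TABLE='Destination     Gateway         Genmask          Flags Metric Ref Use Iface
xxx.xxx.xxx.2   *               255.255.255.240  U     0      0   0   eth0
xxx.xxx.xxx.2   *               255.255.255.240  U     0      0   0   eth1
127.0.0.1       *               255.0.0.0        U     0      0   0   lo
default         xxx.xxx.xxx.3   0.0.0.0          UG    0      0   0   eth0'

# Print "destination genmask iface1 iface2 ..." for every directly attached
# network (no G flag, not the default route) that appears on more than one
# interface. Only such duplicates are printed; single entries are silent.
find_dup_net_routes() {
    printf '%s\n' "$ROUTE_TABLE" | awk '
        NR == 1 { next }                    # skip the header line
        $4 !~ /G/ && $1 != "default" {      # directly attached networks only
            key = $1 " " $3                 # destination + genmask
            if (key in seen) seen[key] = seen[key] " " $8
            else seen[key] = $8
        }
        END {
            for (k in seen) {
                n = split(seen[k], ifs, " ")
                if (n > 1) print k " " seen[k]
            }
        }'
}

# Print the net-tools `route del` command that removes a network route from
# one interface: route del -net <dest> netmask <mask> dev <iface>.
route_del_cmd() {
    # $1 = destination, $2 = genmask, $3 = interface
    printf 'route del -net %s netmask %s dev %s\n' "$1" "$2" "$3"
}

# Example run: nothing is executed against the kernel, commands are only shown.
find_dup_net_routes | while read -r dest mask ifaces; do
    echo "network $dest/$mask is attached to more than one interface: $ifaces"
    for i in $ifaces; do
        echo "  to drop it from $i: $(route_del_cmd "$dest" "$mask" "$i")"
    done
done
```

The check deliberately ignores gateway routes (flag G) and the default route, since the question in the column concerns the two identical net routes on eth0 and eth1; a host route (route add -host ... dev eth1) for the LAN machines would show up under the H flag and is not touched either.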
The sad part is not knowing whether I am any closer to my goal than I was when I began, or whether I have simply wandered further astray. Any help, by email or in the forum, will be greatly appreciated. Perhaps it will earn you an autographed copy of my upcoming sure-to-be bestseller titled It's a Firewall, Dummy. In any case, I'll revisit this topic when MY_NBR_CLUES > 0.
Discuss this article in Joe Barr's Version Control discussion in ITworld.com's Linux Forum: http://www.itworld.com/jump/barrbio/forums.itworld.com/webx?14@@.ee6b663

Resources
"On Getting Cracked and Recovering with NMAP," Joe Barr (LinuxWorld.com, April 2001) -- Why Joe Barr needed a new firewall in the first place: http://www.itworld.com/Sec/2202/LWD010404vcontrol1/
"Building a Bridging Firewall with Linux," Henry Stilmack (Linux Journal, March 14, 2001): http://www2.linuxjournal.com/articles/misc/0041.html
Bridge Filter Patch: http://ac2i.tzo.com/bridge_filter/
HOWTO, Linux Bridge+Firewall: http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html
HOWTO, Linux Firewall and Proxy Server: http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
HOWTO, Linux IPChains: http://www.linuxdoc.org/HOWTO/IPChains-HOWTO.html
HOWTO, Linux Networking Overview: http://www.linuxdoc.org/HOWTO/Networking-Overview-HOWTO.html
Storm Firewall: http://www.stormix.com/products/firewall/index_html