


Building a Bridging Firewall with Linux

The Joint Astronomy Centre operates two telescopes on the 14,000-foot summit of Mauna Kea on the island of Hawaii and has offices and other facilities in Hilo. It reaches the Internet through the University of Hawaii, which has allocated the Centre three subnets out of its own class B address range. Until recently the network's security rested on access control lists (ACLs) on the border router plus host-based access control (tcpwrappers) on the Solaris and Linux systems. After an audit, the Centre's principal UK funding body strongly recommended installing a firewall. A survey of several commercial and free firewall products found that every one of them would have required renumbering the three internal subnets into private 192.168 addresses. The internal network has more than 200 nodes on those three subnets, and some of the embedded microprocessor systems would have needed their EEPROMs reburned to change IP address, a large and tedious job. The search therefore turned to a transparent firewall: one that keeps the existing address allocation and still protects the internal network.

Linux kernels from 2.2 onward support Ethernet bridging. A plain bridge receives a frame on one interface, looks only at the destination MAC address, and forwards the frame out the other interface; it never consults the source or destination IP address. A French company, AC2I, published a kernel patch that lets ipchains filter the packets passing over bridged interfaces. Together these give a transparent firewall that still provides upper-layer protection and access control for the internal network. The rest of this article describes how to build one.
Hardware

To keep up with filtering and network monitoring, the CPU must be reasonably fast. This system was built on a 500MHz Celeron with 256MB of RAM. Testing showed that the bridge keeps up with a 10Mbit Ethernet without dropping packets. Three network cards are needed: two form the bridge, and the third is used to manage the firewall.

Disk capacity is not very important, but all log data should be kept. If you intend to keep some logging locally (for configuration and monitoring tools), make sure there is plenty of free space: firewall and intrusion detection logs grow large quickly.
Installing Linux

The discussion below is based on the 2.2.16 kernel (Red Hat 7.0). With a 2.4 kernel, iptables replaces ipchains as the kernel firewall, the ipchains patch described here does not apply, and the bridge code needs bridge-netfilter support (the bridge-nf patch, later merged into the kernel) before iptables sees bridged frames at all.

Do a standard Linux installation, but select almost no application packages, not even xinetd/inetd: this system will run no services. Do not install compilers or development tools; if the box is ever compromised, an intruder should not find it easy to build anything on it. You do need Perl (some reporting tools require it) and OpenSSH (for remote administration). Make sure the ipchains package is installed; the firewall depends on it. A web browser may be useful. NTP does little harm provided you only accept time updates from the internal network. Optionally add some X11 applications, tcpwrappers and a few network monitoring tools (whois, finger, tcpdump, traceroute, nc and so on). Create a non-root account and use it for logging in.

During installation configure only one primary Ethernet interface. It will be a node on the protected network, so give it a fixed address, but leave it plugged into an empty hub until the security settings are done. When the installation finishes and the system reboots, type linux single at the lilo prompt to come up in single-user mode, edit /etc/hosts.allow so that only the management host may connect over SSH (this only takes effect if /etc/hosts.deny carries a catch-all ALL: ALL, since tcpwrappers allows anything that neither file mentions), then reboot into normal multi-user mode. Only now connect the primary interface to the internal network.
Building a kernel with bridging support

Follow the normal kernel build procedure, but switch most options off and enable only the ones that are needed.
Change to /usr/src and copy the kernel source into a new linux-fw tree, then point the linux symlink at it:
# cd /usr/src; cp -a linux-2.2.16 linux-fw
# rm linux; ln -s linux-fw linux
(Copy straight to the new name. If linux-fw is created first, cp -r puts the tree inside it as linux-fw/linux-2.2.16 and the symlink then points one level too high.)
Apply the linux_brfw2 patch to the source. It adds a built-in chain named bridgein to ipchains; that chain holds the bridging-firewall rules, and only ACCEPT and DENY are meaningful targets in it (REJECT and MASQ make no sense on a bridge). The patch is available from AC2I (the link did not survive in this copy of the article).
# cd /usr/src; patch -p0 < linux_brfw2
(substitute the name of the patch file as downloaded)
Change to /usr/src/linux and configure the kernel (this assumes you have built kernels before). The options relevant to the bridging firewall are:
CONFIG_MODVERSIONS=N
CONFIG_FIREWALL=Y
CONFIG_FILTER=Y
CONFIG_IP_FIREWALL=Y
CONFIG_IP_FIREWALL_NETLINK=Y
CONFIG_IP_ROUTE_FWMARK=Y
CONFIG_BRIDGE=Y
Then build the kernel:
# make dep; make clean; make bzImage; make install
make install copies the image into /boot and reruns lilo; check that /etc/lilo.conf has an entry for the new kernel and keep the old kernel as a fallback entry. Boot the new kernel.
Setting up the bridge

Log in to the firewall system. Assuming eth0 is the management interface, ifconfig -a shows the interfaces; note that the bridge device brg0 and the bridge ports eth1 and eth2 carry no IP address:
brg0      Link encap:Ethernet  HWaddr FE:FD:04:E0:13:B5
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
eth0      Link encap:Ethernet  HWaddr 00:90:27:B3:17:5C
          inet addr:NNN.NNN.NNN.253  Bcast:NNN.NNN.NNN.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2242346 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3616430 errors:0 dropped:0 overruns:0 carrier:0
          collisions:589902 txqueuelen:100
          Interrupt:9 Base address:0xde80
eth1      Link encap:Ethernet  HWaddr 00:01:02:CD:55:38
          BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:65714 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1832954 errors:0 dropped:0 overruns:0 carrier:1
          collisions:500 txqueuelen:100
          Interrupt:10 Base address:0xdc00
eth2      Link encap:Ethernet  HWaddr 00:01:02:C1:14:F1
          BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2011596 errors:0 dropped:0 overruns:0 frame:0
          TX packets:238126 errors:0 dropped:0 overruns:0 carrier:2
          collisions:666 txqueuelen:100
          Interrupt:11 Base address:0xd880
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:1676447 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1676447 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
For the bridge to work you need the brcfg utility; its source code is available from Matthew Grant's Linux router project. Build it, copy the binary to /usr/sbin/brcfg, and run the following to bring the bridge up:
# ifconfig eth1 promisc up
# ifconfig eth2 promisc up
# brcfg start
# brcfg device eth1 enable
# brcfg device eth2 enable
After a few minutes, once the bridge has learned which MAC addresses live on each side, it forwards frames transparently between the two cards. Until then, a frame for an address the bridge has not yet seen is flooded out the other port; that is normal learning-bridge behaviour, not a fault. The promisc flag matters: without it each card would accept only frames addressed to its own MAC and nothing would be bridged.
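How the learning stage just described works, and where a per-interface ingress filter of the kind the bridgein chain provides fits in, as an added example in Python; this is not code from the original article, which relies on brcfg and the kernel bridge. The MAC addresses, port names and frame sequence are constructed, and block_mac_from_outside is a hypothetical filter standing in for a DENY rule keyed on -i eth2.

```python
"""A learning bridge in miniature: an added example, not code from the
original article, showing what the bridge does between eth1 and eth2 and
where an ingress filter in the spirit of the bridgein chain sits. MAC
addresses, port names and the frame sequence are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Two-port learning bridge with an optional per-ingress-port filter."""

    def __init__(self, ports, ingress_filter=None):
        self.ports = list(ports)
        self.table = {}                       # MAC -> port it was last seen on
        self.ingress_filter = ingress_filter or (lambda port, src, dst: True)

    def receive(self, in_port, src, dst):
        """Return the list of ports the frame is transmitted on."""
        if not self.ingress_filter(in_port, src, dst):
            return []                         # DENY: dropped before learning or forwarding
        self.table[src] = in_port             # learn which side src lives on
        out = self.table.get(dst)
        if dst == BROADCAST or out is None:
            return [p for p in self.ports if p != in_port]   # unknown destination: flood
        if out == in_port:
            return []                         # both hosts on the same segment: nothing to do
        return [out]


def replay(frames, ingress_filter=None):
    """Run (in_port, src, dst) frames through a fresh bridge; return each decision."""
    bridge = LearningBridge(["eth1", "eth2"], ingress_filter)
    return [bridge.receive(*frame) for frame in frames]


def block_mac_from_outside(banned):
    """Hypothetical ingress filter: drop frames from one MAC arriving on eth2,
    the same shape as a DENY rule keyed on -i eth2 in the bridgein chain."""
    return lambda port, src, dst: not (port == "eth2" and src == banned)


# Constructed traffic: A is outside (eth2 side), B and C inside (eth1 side).
A, B, C = "00:01:02:aa:aa:aa", "00:01:02:bb:bb:bb", "00:01:02:cc:cc:cc"
FRAMES = [
    ("eth2", A, B),   # B not learned yet: flooded out eth1
    ("eth1", B, A),   # A already learned on eth2: sent there only
    ("eth2", A, B),   # B now known on eth1
    ("eth1", C, B),   # C and B share a segment: the bridge stays silent
]

if __name__ == "__main__":
    for frame, out in zip(FRAMES, replay(FRAMES)):
        print(f"{frame} -> {out}")
    print("with A blocked on eth2:", replay(FRAMES, block_mac_from_outside(A)))
```

The first frame is flooded because B is unknown; everything after that is forwarded to exactly one port or not at all, which is what "transparent" means here. With the filter installed, A's frames are dropped on ingress and A is never learned, so B's reply has to be flooded instead of forwarded: a filter on the bridge changes what the bridge learns, not only what it passes.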
Firewall configuration

The firewall itself is ipchains. The kernel patch above adds a new built-in chain, bridgein, whose rules apply to packets passing through the bridged interfaces. Since it is an input-side chain, each rule must name the interface the packet arrived on (-i). The policy of every chain is left at ACCEPT; the access policy is expressed as rules appended to bridgein, and the last of them must be a DENY so that anything not explicitly permitted is dropped. Two consequences are worth keeping in mind. Because that final DENY is a rule rather than a policy, ipchains -F leaves the bridge wide open until the rules are reloaded, so reload with the bridge stopped (brcfg stop) or accept a brief window. And bridgein sees only bridged traffic: the management interface eth0 is not covered by it and relies on tcpwrappers and, if you add them, ordinary input-chain rules.

The access policy was designed for the following network topology (the diagram is not reproduced in this copy):

The main features of the design are:
* all public servers (HTTPD, FTP, SMTP, SSH) sit outside the firewall;
* all traffic from the Internet to the internal network passes through the firewall;
* traffic from the protected internal network to the public servers is unrestricted;
* traffic from the protected internal network to the Internet is allowed;
* traffic from the public servers into the protected network is restricted to the services actually needed (NFS exported to the internal network, SMTP from the public mail server to the internal hub, SSH);
* connections initiated from the Internet to the internal network are refused.

One caveat before the rules: the public servers keep addresses inside the Centre's own ranges, so a rule that accepts "-s $mynet" on the external interface also accepts any packet from outside whose source address has been forged to look internal. Where a rule is meant for one public server, name that server rather than $mynet.

Here is a script that implements these principles as ipchains rules:
Listing 2. Annotated Script for Bridging Firewall Setup
#!/bin/sh
#####################################################################
# firewall.sh - set up ipchains rules for a bridging firewall
#
# Copyright (c) 2000 UK/Canada/Netherlands Joint Astronomy Centre
#
# Permission to use, copy, modify, distribute,
# and sell this software and its documentation
# for any purpose is hereby granted without fee,
# provided that the above copyright notice appear
# in all copies and that both that copyright notice
# and this permission notice appear in
# supporting documentation, and that the name
# Joint Astronomy Centre not
# be used in advertising or publicity pertaining
# to distribution of this
# software without specific, written prior
# permission.
#
# THIS SOFTWARE IS PROVIDED "AS-IS". THE JOINT
# ASTRONOMY CENTRE DISCLAIMS
# ALL WARRANTIES WITH REGARD TO THIS
# SOFTWARE, INCLUDING WITHOUT
# LIMITATION ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE, OR NONINFRINGEMENT.
# IN NO EVENT SHALL THE JOINT
# ASTRONOMY CENTRE BE LIABLE FOR ANY DAMAGES
# WHATSOEVER, INCLUDING SPECIAL,
# INCIDENTAL OR CONSEQUENTIAL DAMAGES,
# INCLUDING LOSS OF USE, DATA, OR
# PROFITS, EVEN IF ADVISED OF THE
# POSSIBILITY THEREOF, AND REGARDLESS OF
# WHETHER IN AN ACTION IN CONTRACT,
# TORT OR NEGLIGENCE, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
#
# (There. That should satisfy the lawyers.
# In Plain English, here's the
# software. Do whatever you want with it.
# If anything breaks, it's your
# fault and your problem. Don't come
# crying to us. We're not paying
# anyone for anything.)
#######################################################################
IPCHAINS=${IPCHAINS:-/sbin/ipchains}   # run with IPCHAINS=echo in the environment to print the rules instead of loading them
#############################
# Definitions
#############################
firewallhost=N.N.N.N/32 # EDIT - your firewall
# address here
mynet="" # EDIT - your network/mask
# here
Any="0.0.0.0/0"
localhost="127.0.0.1/32"
EXT_IF=eth2 # EDIT - This is the
# interface which will
# connect to the Internet
INT_IF=eth1 # EDIT - This is the
# interface which will
# connect to your
# protected network
##########################################
# Public (outside the firewall) servers
##########################################
WWW_SERVER= # EDIT - address of your
# public WWW server
FTP_SERVER= # EDIT - address of your
# public FTP server
SMTP_SERVER= # EDIT - address of your
# public mail server
INTERNAL_SMTP= # EDIT - address of your
# internal mail hub
SSH_SERVER= # EDIT - address of your
# public login (SSH) server
NNTP_SERVER= # EDIT - address of your
# upstream News server
INTERNAL_NTP= # EDIT - address of your
# internal NTP server
#############################
# Set default policies
#############################
$IPCHAINS -P input ACCEPT
$IPCHAINS -P forward ACCEPT
$IPCHAINS -P output ACCEPT
#############################
# Flush any old rules, then remove the
# user-defined chains so the script can be
# re-run cleanly. NOTE: from here until the
# final DENY is appended the bridge passes
# everything - reload with the bridge stopped
# if that matters to you.
#############################
$IPCHAINS -F
$IPCHAINS -X public 2>/dev/null
$IPCHAINS -X private 2>/dev/null
#############################
# Create 2 new chains
#############################
$IPCHAINS -N public
$IPCHAINS -N private
# Since this is a bridge, not a router,
# you really don't need any of these for
# the bridged traffic:
# input rules
# forward rules
# output rules
# The exception is the management interface
# (eth0), which the bridgein chain never sees;
# protect it with tcpwrappers and, if you
# wish, input rules of its own.
#############################
# Bridge chain - pass packets to appropriate
# chain based on their input
# interface
#############################
# bridgein rules
$IPCHAINS -A bridgein -s $mynet -d $Any -i $INT_IF -j private
$IPCHAINS -A bridgein -s $Any -d $mynet -i $EXT_IF -j public
# Deny anything not explicitly matched in one of the other chains
$IPCHAINS -A bridgein -p tcp -s $Any -d $Any -j DENY -l
$IPCHAINS -A bridgein -s $Any -d $Any -j DENY -l
#############################
# "Public" rules - these control who/what gets to
# talk through the
# firewall from the Internet
# to your protected network
#
# These are examples - modify to suit your own
# security needs
#############################
# public rules
# ICMP - allow echo-request from the "public"
# servers back in to the
# internal net. Do we need this? In any case,
# block all echo-request
# packets from anyone else. Don't bother to
# log ping attempts.
# Allow some of the other useful ICMP messages
$IPCHAINS -A public -p icmp -s $mynet 8 -d $mynet -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p icmp -s $Any 8 -d $mynet -i $EXT_IF -j DENY
# ICMP - allow echo-reply from anyone, so we can ping out.
# (The private chain lets echo-request out to anyone, so
# replies must be accepted from anyone too, not just $mynet.)
$IPCHAINS -A public -p icmp -s $Any 0 -d $mynet -i $EXT_IF -j ACCEPT
# ICMP - allow destination-unreachable
$IPCHAINS -A public -p icmp -s $Any 3 -d $mynet -i $EXT_IF -j ACCEPT
# ICMP - allow source-quench
$IPCHAINS -A public -p icmp -s $Any 4 -d $mynet -i $EXT_IF -j ACCEPT
# ICMP - allow time-exceeded
$IPCHAINS -A public -p icmp -s $Any 11 -d $mynet -i $EXT_IF -j ACCEPT
# ICMP - allow parameter-problem
$IPCHAINS -A public -p icmp -s $Any 12 -d $mynet -i $EXT_IF -j ACCEPT
#######################################
# Services
#######################################
# SSH - Assumes you have a machine on the outside
# of the firewall to which
# users can login via SSH, then, once
# authenticated, connect to
# any of the protected hosts
$IPCHAINS -A public -p tcp -s $SSH_SERVER -d $mynet ssh -i $EXT_IF -j ACCEPT
# Allow replies from any SSH server anywhere
# back in - only if SYN not set
$IPCHAINS -A public -p tcp -s $Any ssh -d $mynet -i $EXT_IF -j ACCEPT ! -y
#######################################
# Telnet - allow replies from telnet servers
# back in - only if SYN not set
$IPCHAINS -A public -p tcp -s $Any telnet -d $mynet -i $EXT_IF -j ACCEPT ! -y
#######################################
# WWW - allow replies from standard HTTP/HTTPS
# servers - only if SYN not set
$IPCHAINS -A public -p tcp -s $Any www -d $mynet -i $EXT_IF -j ACCEPT ! -y
$IPCHAINS -A public -p tcp -s $Any https -d $mynet -i $EXT_IF -j ACCEPT ! -y
#######################################
# FTP - Allow replies from external FTP servers
# - only if SYN not set
$IPCHAINS -A public -p tcp -s $Any ftp -d $mynet -i $EXT_IF -j ACCEPT ! -y
$IPCHAINS -A public -p tcp -s $Any ftp-data -d $mynet -i $EXT_IF -j ACCEPT ! -y
#######################################
# SMTP - only allow incoming Email from the
# "public" server to the internal hub
$IPCHAINS -A public -p tcp -s $SMTP_SERVER -d $INTERNAL_SMTP smtp -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p tcp -s $SMTP_SERVER smtp -d $INTERNAL_SMTP -i $EXT_IF -j ACCEPT ! -y
#######################################
# WHOIS - allow replies from any WHOIS server
$IPCHAINS -A public -p tcp -s $Any whois -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y
#######################################
# Finger - allow replies from any finger server
$IPCHAINS -A public -p tcp -s $Any finger -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y
#######################################
# Auth - allow IDENT replies
$IPCHAINS -A public -p tcp -s $Any auth -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y
#######################################
# News - allow replies from the NNTP server
$IPCHAINS -A public -p tcp -s $NNTP_SERVER nntp -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y
#######################################
# NTP - let your internal NTP server synchronize
# with a clock somewhere.
# For better security, specify the external
# NTP servers.
$IPCHAINS -A public -p udp -s $Any ntp -d $INTERNAL_NTP ntp -i $EXT_IF -j ACCEPT
#######################################
# DNS - allow DNS replies back in
$IPCHAINS -A public -p udp -s $Any domain -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p tcp -s $Any domain -d $mynet 1024:65535 -i $EXT_IF -j ACCEPT ! -y
#######################################
# NFS - let internal hosts mount disks from
# the "public" servers.
# Do we need this?
# CAUTION: "-s $mynet" on $EXT_IF also matches
# packets from outside with a forged internal
# source address. If you keep these, name the
# public NFS server(s) here instead of $mynet.
$IPCHAINS -A public -p tcp -s $mynet 2049 -d $mynet -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p tcp -s $mynet -d $mynet 2049 -i $EXT_IF -j ACCEPT
#######################################
# RPC - let the "public" servers contact the
# portmapper on internal hosts.
# Do we need this? (Same spoofing caution.)
$IPCHAINS -A public -p udp -s $mynet 0:1023 -d $mynet sunrpc -i $EXT_IF -j ACCEPT
#######################################
# UDP - Allow general UDP traffic between
# "public" and "protected" hosts.
# Do we need this? (Same spoofing caution,
# and it opens every UDP port inside.)
$IPCHAINS -A public -p udp -s $mynet 0:1023 -d $mynet -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p udp -s $mynet 1024:65535 -d $mynet -i $EXT_IF -j ACCEPT
#######################################
# Established connections from unprivileged ports.
# ipchains keeps no connection state: -y matches
# a segment with SYN set and ACK/FIN clear, so
# "! -y" lets any ACK, FIN or RST segment from a
# high port through whether or not a connection
# exists (an ACK scan gets through; what it
# reaches is then up to the host's TCP stack).
$IPCHAINS -A public -p tcp -s $Any 1024:65535 -d $mynet -i $EXT_IF -j ACCEPT ! -y
# Deny (and log!) everything not explicitly allowed
$IPCHAINS -A public -s $Any -d $Any -i $EXT_IF -j DENY -l
######################################
# "Private" rules - these control which internal
# hosts can talk through the
# firewall, and to whom
#
# In most cases, these should be fairly liberal.
######################################
# private rules
######################################
# ICMP - Allow echo replies back out to the
# "public" servers, as well as
# allowing some of the more useful
# messages back out to anyone.
$IPCHAINS -A private -p icmp -s $mynet 0 -d $mynet -i $INT_IF -j ACCEPT
# ICMP - Allow echo-request
$IPCHAINS -A private -p icmp -s $mynet 8 -d $Any -i $INT_IF -j ACCEPT
# ICMP - Allow destination-unreachable
$IPCHAINS -A private -p icmp -s $mynet 3 -d $Any -i $INT_IF -j ACCEPT
# ICMP - allow source-quench
$IPCHAINS -A private -p icmp -s $mynet 4 -d $Any -i $INT_IF -j ACCEPT
# ICMP - allow time-exceeded
$IPCHAINS -A private -p icmp -s $mynet 11 -d $Any -i $INT_IF -j ACCEPT
# ICMP - Allow parameter-problem
$IPCHAINS -A private -p icmp -s $mynet 12 -d $Any -i $INT_IF -j ACCEPT
######################################
# Services
######################################
# SMTP - restrict SMTP to only between
# the "public" server and the internal
# mailhub. Log any unauthorized attempts
$IPCHAINS -A private -p tcp -s $INTERNAL_SMTP -d $SMTP_SERVER smtp -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p tcp -s $mynet -d $Any smtp -i $INT_IF -j DENY -l
#####################################
# Pretty much allow anything else.
$IPCHAINS -A private -p tcp -s $mynet 0:1023 -d $Any -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p tcp -s $mynet 1024:65535 -d $Any -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p udp -s $mynet 0:1023 -d $Any -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p udp -s $mynet 1024:65535 -d $Any -i $INT_IF -j ACCEPT
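A way to check a policy like the one above without loading it into a kernel, as an added example (not code from the original article): a small simulator that parses rules written in the argument syntax of Listing 2 and walks them the way ipchains does. The rule set embedded in it is a cut-down copy of Listing 2 with constructed addresses from the RFC 5737 documentation ranges (192.0.2.0/24 plays $mynet, 192.0.2.10 the SSH server, and so on); the test packets are constructed too. The "forged internal source" case is the spoofing caveat made concrete: a rule keyed on -s $mynet -i $EXT_IF accepts a packet from outside that merely claims an internal address.

```python
"""Offline policy check for the bridging firewall: an added example, not code
from the original article. Rules use the argument syntax of Listing 2 and are
walked as ipchains walks them; addresses are constructed RFC 5737 ranges."""
import ipaddress

MYNET = "192.0.2.0/24"            # protected network (constructed)
SSH_SERVER = "192.0.2.10/32"      # public login host, outside the bridge
SMTP_SERVER = "192.0.2.25/32"     # public mail server
INTERNAL_SMTP = "192.0.2.130/32"  # internal mail hub
ANY = "0.0.0.0/0"
SERVICES = {"ssh": 22, "smtp": 25, "www": 80}
OPTS = {"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target"}
RULES_TEXT = f"""
-A bridgein -s {MYNET} -d {ANY} -i eth1 -j private
-A bridgein -s {ANY} -d {MYNET} -i eth2 -j public
-A bridgein -s {ANY} -d {ANY} -j DENY -l
-A public -p tcp -s {SSH_SERVER} -d {MYNET} ssh -i eth2 -j ACCEPT
-A public -p tcp -s {ANY} www -d {MYNET} -i eth2 -j ACCEPT ! -y
-A public -p tcp -s {SMTP_SERVER} -d {INTERNAL_SMTP} smtp -i eth2 -j ACCEPT
-A public -p tcp -s {MYNET} -d {MYNET} 2049 -i eth2 -j ACCEPT
-A public -s {ANY} -d {ANY} -i eth2 -j DENY -l
-A private -p tcp -s {INTERNAL_SMTP} -d {SMTP_SERVER} smtp -i eth1 -j ACCEPT
-A private -p tcp -s {MYNET} -d {ANY} smtp -i eth1 -j DENY -l
-A private -s {MYNET} -d {ANY} -i eth1 -j ACCEPT
"""

def port_range(spec):
    """'22', 'ssh' or '1024:65535' -> inclusive (lo, hi)."""
    lo, _, hi = spec.partition(":")
    lo = SERVICES.get(lo, lo)
    hi = SERVICES.get(hi, hi) if hi else lo
    return int(lo), int(hi)

def parse_rule(line):
    t = [tok for tok in line.split() if tok != "-l"]   # -l only logs, no effect on verdict
    r = dict(chain=None, proto=None, src=None, sport=None, dst=None,
             dport=None, iface=None, target=None, not_syn=False)
    i = 0
    while i < len(t):
        if t[i] in OPTS:                    # -A chain, -p proto, -i iface, -j target
            r[OPTS[t[i]]], i = t[i + 1], i + 2
        elif t[i] in ("-s", "-d"):          # address, optionally followed by a port
            addr, port = ("src", "sport") if t[i] == "-s" else ("dst", "dport")
            r[addr], i = ipaddress.ip_network(t[i + 1]), i + 2
            if i < len(t) and not t[i].startswith(("-", "!")):
                r[port], i = port_range(t[i]), i + 1
        elif t[i] == "!" and t[i + 1] == "-y":
            r["not_syn"], i = True, i + 2   # anything except a bare SYN matches
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
    return r

def load_rules(text):
    chains = {}
    for rule in map(parse_rule, text.strip().splitlines()):
        chains.setdefault(rule["chain"], []).append(rule)
    return chains

def matches(r, pkt):
    if (r["iface"] and r["iface"] != pkt["iface"]) or (r["proto"] and r["proto"] != pkt["proto"]):
        return False
    if pkt["src"] not in r["src"] or pkt["dst"] not in r["dst"]:
        return False
    for key in ("sport", "dport"):
        if r[key] and not r[key][0] <= pkt[key] <= r[key][1]:
            return False
    return not (r["not_syn"] and pkt["syn"])

def verdict(chains, pkt, chain="bridgein", policy="ACCEPT"):
    """ACCEPT/DENY end the walk; a user chain is entered, and falling off its end resumes in the caller."""
    for r in chains.get(chain, []):
        if not matches(r, pkt):
            continue
        if r["target"] in ("ACCEPT", "DENY"):
            return r["target"]
        sub = verdict(chains, pkt, r["target"], policy=None)
        if sub:
            return sub
    return policy

def packet(iface, proto, src, dst, dport, sport=40000, syn=True):
    return dict(iface=iface, proto=proto, src=ipaddress.ip_address(src),
                dst=ipaddress.ip_address(dst), sport=sport, dport=dport, syn=syn)

# Constructed packets; 198.51.100.7 and 203.0.113.9 stand in for Internet hosts.
CASES = {
    "ssh from the public login host": packet("eth2", "tcp", "192.0.2.10", "192.0.2.50", 22),
    "ssh straight from the Internet": packet("eth2", "tcp", "198.51.100.7", "192.0.2.50", 22),
    "reply to an outbound web fetch": packet("eth2", "tcp", "203.0.113.9", "192.0.2.50", 40000, sport=80, syn=False),
    "forged internal source to NFS": packet("eth2", "tcp", "192.0.2.77", "192.0.2.130", 2049),
    "internal host mailing out directly": packet("eth1", "tcp", "192.0.2.131", "203.0.113.9", 25),
}

def check_policy():
    """Verdict per case. The forged-NFS case comes back ACCEPT: a rule keyed
    on '-s $mynet -i $EXT_IF' trusts any packet that claims to be internal."""
    chains = load_rules(RULES_TEXT)
    return {name: verdict(chains, pkt) for name, pkt in CASES.items()}

if __name__ == "__main__":
    for name, result in check_policy().items():
        print(f"{result:6} {name}")
```

To run it against the real rule list, temporarily change the IPCHAINS= line at the top of /etc/firewall to IPCHAINS=echo, capture the output, keep only the -A lines and paste them in place of RULES_TEXT. Only the options Listing 2 uses are understood (-A, -p, -s, -d, -i, -j, -l and ! -y); an ICMP type number written after an address is treated as a source port, so give ICMP test packets sport equal to the type.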
For more on writing ipchains rules, see the IPCHAINS HOWTO.
Other tools

A useful addition to the firewall system is the Snort intrusion detection system (IDS). Snort matches packets against a rule set describing common network attacks, and that rule set is updated as new attack techniques appear. It can be configured to write alerts to a log file or to notify the administrator by e-mail or other means, and it can even add blocking rules automatically when it detects an intrusion, although that feature is not yet mature (and automatic blocking lets anyone with a forged source address turn the firewall against whoever they impersonate). Snort and some related scripts are available from its web site (the link did not survive in this copy).

Gfcc is a nice graphical tool for viewing and editing firewall rules; it can be downloaded from icarus.autostock.co.kr.
Startup configuration

The bridge and the firewall should start immediately after the system's networking has come up. The script below loads the firewall rules, configures and starts the bridge, and finally starts Snort, in that order so that the bridge never forwards unfiltered traffic. It assumes the firewall script above is installed as /etc/firewall. Install this script as /etc/rc.d/init.d/bridge and run chkconfig bridge on to create the runlevel links; chkconfig takes the runlevels and start/stop priorities from the "chkconfig:" comment in the header, so adjust that line if your network script does not start at priority 10.
Listing 3. Script for Starting the Firewall
#!/bin/bash
#
# bridge        This shell script takes care of starting the bridging firewall
#
# chkconfig: 2345 11 89
# description: Loads the ipchains rules from /etc/firewall, then \
#              uses brcfg to start bridging and ifconfigs the eths
# processname: bridge
# config: /etc/firewall
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# See how we were called.
case "$1" in
start)
echo -n "Configuring firewall rules:"
/etc/firewall
echo
echo -n "Configuring bridge: "
ifconfig eth1 promisc up
ifconfig eth2 promisc up
brcfg start
brcfg device eth1 enable
brcfg device eth2 enable
echo
echo "Starting Snort: "
/usr/local/bin/snort -c /usr/local/etc/snort/snort-lib -s -i eth2 -D
echo
;;
stop)
# Stop daemons.
brcfg stop
ifconfig eth1 -promisc down
ifconfig eth2 -promisc down
;;
restart)
$0 stop
$0 start
;;
status)
brcfg
;;
*)
echo "Usage: bridge {start|stop|restart|status}"
exit 1
esac
exit 0
Uses

A packet-filtering bridge is useful in many situations. It is a quick and easy way to add a firewall to an existing network without renumbering it or introducing NAT, and it can equally be used to carve a protected or restricted subnet out of a LAN. Because the bridge ports carry no IP address, there is no IP stack on the filtering path for an attacker to reach, so many common remote exploits and DoS attacks simply have no target there. Two qualifications apply: the management interface does have an address and must be protected in the usual way (tcpwrappers, host rules, and keeping it on the protected side), and the bridge still repeats every Ethernet frame between the two segments, so layer-2 noise such as a broadcast storm passes straight through unless the filter stops it.

Keywords: bridge, subnet, interface