On Linux firewalls, the script generated by Firewall Builder can create and remove bridge interfaces such as "br0" and can add and remove regular Ethernet interfaces as bridge ports. For the firewall script to manage bridge interfaces, this option must be enabled as described in Section 9.6.1. By default, this option is disabled.
As with IP addresses and VLANs, the script manages bridges incrementally. It compares the actual configuration of the firewall with the objects defined in the Firewall Builder GUI and then adds or removes bridge interfaces and bridge ports as needed. Running the same script multiple times does not make any unnecessary changes on the firewall: if the actual configuration already matches the objects created in the Firewall Builder GUI, the script performs no actions and simply exits.
The script uses the brctl utility to configure the bridge. It checks whether the utility is present on the firewall machine and aborts execution if it is not found. If this utility is installed in an unusual location on your machine, you can configure the path to it in the "Host OS" settings dialog of the firewall object.
To illustrate bridge management on Linux, consider the firewall object "linux-test-bridge-1" shown in Figure 9.23:
To build the bridge, I need to create the bridge interface "br0". This interface is just a regular child object of the firewall object in the tree. To create it, select the firewall, right-click to open the context menu, and choose "New Interface". The new interface is created with the generic name "Interface"; rename it to "br0". At this point we have interfaces br0, eth1, and eth2, but the latter two are not configured as bridge ports yet, and br0 is not a bridge yet either.
To make br0 a bridge, open it in the editor by double-clicking it in the tree and then click the "Advanced Interface Settings" button. This opens a dialog where you can change the interface type and configure some parameters. Set the type to "bridge" and turn STP on if you need it.
To make eth1 and eth2 bridge ports, use Cut and Paste on the objects in the tree: cut both interface objects and paste them into the br0 interface so that they move to the position right under it in the tree, as shown in Figure 9.26. Notice that the program automatically recognizes them as bridge ports and shows this in the second column of the tree.
I started with a firewall object that already had interface objects for eth1 and eth2, but this is not necessary. You can add bridge ports by creating new interface objects directly under the bridge interface: right-click the bridge interface and select "New Interface" from the context menu.
Notice that bridge ports cannot have IP addresses of their own, and the corresponding items in the context menu are disabled:
To complete the interface configuration, we need to add an IP address to interface br0 if it needs one. I am going to add the address 10.1.1.1/24 for testing. Then I can compile the policy and run the generated script on the firewall.
The firewall machine where I am going to run the generated script has interfaces eth0, eth1, and eth2 but does not have interface br0 yet, and eth1 and eth2 are not configured as bridge ports. Let's see how the script generated by Firewall Builder reconfigures this machine:
root@linux-test-1:~# /etc/fw/linux-test-bridge-1.fw interfaces
Activating firewall script generated Fri Feb 26 16:53:05 2010 by vadim
Running prolog script
# Creating bridge interface
# Updating bridge configuration: addif br0 eth1
# Updating bridge configuration: addif br0 eth2
# Adding ip address: br0 10.1.1.1/24
Verifying interfaces: lo eth0 br0 eth1 eth2
Use the ip and brctl tools to verify the configuration. Note in the output below that the bridge ports eth1 and eth2 carry no IPv4 addresses of their own and that br0 has taken over the MAC address of eth1:
root@linux-test-1:~# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:1e:dc:aa brd ff:ff:ff:ff:ff:ff
    inet 10.3.14.108/24 brd 10.3.14.255 scope global eth0
    inet6 fe80::20c:29ff:fe1e:dcaa/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:1e:dc:b4 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20c:29ff:fe1e:dcb4/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:1e:dc:be brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20c:29ff:fe1e:dcbe/64 scope link
       valid_lft forever preferred_lft forever
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:0c:29:1e:dc:b4 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 scope global br0
    inet6 fe80::18cb:52ff:fe4b:c6b1/64 scope link
       valid_lft forever preferred_lft forever
root@linux-test-1:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c291edcb4       no              eth1
                                                        eth2
Now I am going to add another bridge port, eth3, to br0, recompile the script, and run it on the firewall. First, add the eth3 bridge port in the GUI:
root@linux-test-1:~# /etc/fw/linux-test-bridge-1.fw interfaces
# Updating bridge configuration: addif br0 eth3
All the script did was add eth3 to the br0 bridge. The new bridge configuration looks like this:
root@linux-test-1:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c291edcb4       no              eth1
                                                        eth2
                                                        eth3
The change that added eth3 to the bridge caused a bridge loop and consequently a nasty ARP storm inside my VMware ESXi server where the virtual machine I used to test bridge configuration was running. I had three virtual switches but I forgot that eth2 and eth3 were attached to the same virtual switch. Needless to say, this ARP storm promptly killed ESXi. Now I am using the traffic shaping feature in ESXi to throttle traffic on the back-end virtual switches that I am using only for testing. Beware of bridge loops when you work with bridging firewalls.
Now let's remove the bridge port in the GUI and see what happens. I am going to delete object eth3 in the GUI, recompile, and run the script on the firewall again:
root@linux-test-1:~# /etc/fw/linux-test-bridge-1.fw interfaces
# Updating bridge configuration: delif br0 eth3

root@linux-test-1:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c291edcb4       no              eth1
                                                        eth2
As expected, the script returned the bridge configuration to the state it was in before I added eth3.
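The incremental behaviour described at the start of this section, and the addif/delif runs just shown, can be reproduced with a small reconciler. The following POSIX sh is an added example written for this page; it is not Firewall Builder's generated script or any code from the project. It assumes brctl is reachable through $BRCTL (default: "brctl" in PATH) and reads a bridge's current ports from /sys/class/net/<bridge>/brif, neither of which the page states about the generated script. bridge_plan is a pure function (actual ports and desired ports in, brctl commands out) so it can be exercised without a live bridge; bridge_apply is the live path.

```shell
#!/bin/sh
# Added example, not Firewall Builder's generated code: reconcile a Linux
# bridge's port list with a desired list, emitting only the brctl addif/delif
# calls that are actually needed, so that running it again is a no-op.
# Assumptions (not taken from the page): brctl is found via $BRCTL and the
# bridge's current ports are listed in /sys/class/net/<bridge>/brif.

BRCTL="${BRCTL:-brctl}"

# current_bridge_ports BR
# Prints the ports currently enslaved to bridge BR, space separated.
# Prints nothing if the bridge does not exist.
current_bridge_ports() {
    br="$1"
    [ -d "/sys/class/net/$br/brif" ] || return 0
    for p in "/sys/class/net/$br/brif"/*; do
        [ -e "$p" ] && printf '%s ' "${p##*/}"
    done
    return 0
}

# in_list NEEDLE "LIST"
# True if NEEDLE is one of the whitespace separated words in LIST.
in_list() {
    needle="$1"
    for w in $2; do
        [ "$w" = "$needle" ] && return 0
    done
    return 1
}

# bridge_plan BR "ACTUAL_PORTS" "DESIRED_PORTS"
# Prints one brctl command per line: addif for desired ports not yet in the
# bridge, delif for bridge ports no longer desired, nothing when both lists
# already agree (the idempotent case the text describes).
bridge_plan() {
    br="$1"; actual="$2"; desired="$3"
    for p in $desired; do
        in_list "$p" "$actual" || printf '%s addif %s %s\n' "$BRCTL" "$br" "$p"
    done
    for p in $actual; do
        in_list "$p" "$desired" || printf '%s delif %s %s\n' "$BRCTL" "$br" "$p"
    done
    return 0
}

# bridge_apply BR "DESIRED_PORTS"
# Live path: refuse to run without brctl, create the bridge if it is missing,
# insist that every desired port already exists (a VLAN subinterface such as
# eth1.100 must be created before it can become a bridge port), then execute
# the plan, echoing each step in the style of the generated script's output.
bridge_apply() {
    br="$1"; desired="$2"
    command -v "$BRCTL" >/dev/null 2>&1 || { echo "brctl not found" >&2; return 1; }
    for p in $desired; do
        [ -d "/sys/class/net/$p" ] || { echo "port $p does not exist" >&2; return 1; }
    done
    if [ ! -d "/sys/class/net/$br" ]; then
        echo "# Creating bridge interface"
        "$BRCTL" addbr "$br" || return 1
    fi
    bridge_plan "$br" "$(current_bridge_ports "$br")" "$desired" |
    while read -r cmd; do
        echo "# Updating bridge configuration: ${cmd#* }"
        $cmd || exit 1
    done
}

# Usage on a firewall (requires root and brctl):
#   bridge_apply br0 "eth1 eth2 eth3"
```

Run bridge_plan with the port lists from the runs above to see the same single addif or delif line the generated script printed; with identical lists it prints nothing, which is the "no unnecessary changes" property. The existence check in bridge_apply is what protects you from the VLAN ordering issue discussed later in this section, but nothing here detects a bridge loop: two ports on the same switch still need STP or a careful topology.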
Firewall Builder can generate configuration for the bridging firewall using VLAN interfaces as bridge ports; however, there is a twist to this. Recall from Section 9.5 that VLANs are created in Firewall Builder as subinterfaces under their respective parent interface. That is, the VLAN interface "eth1.100" is an interface object that sits in the tree right under interface "eth1":
As we have seen in Section 9.6.2 and Section 9.6.2.1, bridge ports are also represented by interface objects located in the tree under corresponding bridge interface, as shown in Figure 9.30:
If we want eth1.100 to work as a bridge port, it must be created twice, once as a child of interface eth1 and second time as a child of interface br0. The first copy represents it as a VLAN subinterface while the second one represents a bridge port.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.