transparent_bridging

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Subject: Re: transparent bridging .. (I think thats what it's called)
From: Jerry Winegarden <jbw@oit.duke.edu>
Date: Tue, 14 Dec 1999 21:17:00 -0500 (EST)


On Mon, 13 Dec 1999, Mohammad A. Haque wrote:

> Anyone know how to set up (if possible) a transparent bridge using Linux?
> 
> Basically I need my network to look like this without subnetting...
> 
> [ DSL router ]---[ linux bridge ]-----[  DNS/SMTP/HTTP machine ]
>                  eth0          eth1
> 
> I know FreeBSD can do it. Wondering if Linux can.
> 

The answer is definitely - yes, but...  You really should use
IP Masquerading (via IP Chains) and include portforwarding to
allow access through your firewall for one web server, one mail server,
one ftp server, or one of whatever network server you want.  This
means:  you will look like ONE MACHINE to the ISP, you will have a
firewall to protect you (some) from bad guys, and you will still be
able to have your web server accessible from outside. 

IP Masq is easy to set up: see the IP Masquerade HOWTO. There are also web
sites that will produce your rc.firewall script with the proper invocations
of the ipchains command, and the IP Masquerade HOWTO itself has an example of
a (semi)strong firewall script. If you have a recent enough version of
RedHat (e.g. 6.x), IP Chains support will be present in your kernel.

You may also want to run dhcpd on your linux box for your internal LAN.
Are you sure you want to run a DNS server that's accessible from the
outside?  A caching-nameserver is a pretty good idea, since it would
reduce the number of lookups out over your (slower) DSL connection.
However, what "publicly accessible" internet domain would you be
providing name SERVICE for?  All of your machines are on a "private
local" network if you put them behind your ip masq box/firewall.
It has no maintenance requirements on your part (as regular DNS servers do):
you point to your caching nameserver first (it remembers all your DNS
requests/answers and builds a table dynamically) and then to your ISP's DNS
server (for anything you haven't looked up yet).
What names/addresses are there that you have to make available to
others not on your local LAN?  That would be the only reason to have
a port forward for DNS requests from outside.
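
The masquerading-plus-port-forwarding setup described above, as an added
example rc.firewall script (not code from the post or from the IP Masquerade
HOWTO). It assumes the layout in the diagram: eth0 faces the DSL router, eth1
faces the LAN, the LAN is 192.168.1.0/24, the DNS/SMTP/HTTP box is
192.168.1.2, and the external address is 203.0.113.10 (a documentation
address chosen for the example; on a real box take it from `ifconfig eth0`).
The masquerading port range 61000:65096 is the 2.2 kernel default.

```sh
#!/bin/sh
# rc.firewall: IP masquerading + port forwarding with ipchains (2.2 kernels).
# Added example for this thread, not the HOWTO's script. Interface names,
# addresses and the server address below are constructed assumptions.

EXT_IF=${EXT_IF:-eth0}           # towards the DSL router
INT_IF=${INT_IF:-eth1}           # towards the LAN
EXT_IP=${EXT_IP:-203.0.113.10}   # assumed external address (documentation range)
LAN=${LAN:-192.168.1.0/24}       # assumed private LAN
SERVER=${SERVER:-192.168.1.2}    # assumed DNS/SMTP/HTTP machine
FORWARD_DNS=${FORWARD_DNS:-0}    # 1 only if outsiders must resolve a zone you host
APPLY=${APPLY:-0}                # 0 = print the commands, 1 = execute them (as root)

# Print or execute one command, depending on APPLY.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

build_firewall() {
    run sysctl -w net.ipv4.ip_forward=1   # same as: echo 1 > /proc/sys/net/ipv4/ip_forward
    run modprobe ip_masq_ftp              # active-FTP helper for masqueraded clients

    # Start clean with default-deny on input and forward.
    run ipchains -F
    run ipmasqadm portfw -f
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT

    # Loopback and the internal LAN are trusted.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$INT_IF" -s "$LAN" -j ACCEPT

    # Anti-spoofing: LAN or loopback source addresses never arrive on the DSL side.
    run ipchains -A input -i "$EXT_IF" -s "$LAN" -j DENY -l
    run ipchains -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l

    # Masquerade everything leaving the LAN through the DSL interface, so the
    # ISP sees one machine.
    run ipchains -A forward -i "$EXT_IF" -s "$LAN" -j MASQ

    # Replies to masqueraded connections come back to the external address on
    # the kernel's masquerading port range; ipchains is stateless, so that
    # range has to be opened explicitly.
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 61000:65096 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -d "$EXT_IP" 61000:65096 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # Published services: open the port on the firewall, then redirect it to
    # the server behind it. Anything not listed here stays closed.
    for port in 80 25; do
        run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$port" -j ACCEPT
        run ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$port" -R "$SERVER" "$port"
    done

    # DNS is only forwarded when you really serve a public zone.
    if [ "$FORWARD_DNS" = 1 ]; then
        for proto in tcp udp; do
            run ipchains -A input -i "$EXT_IF" -p "$proto" -d "$EXT_IP" 53 -j ACCEPT
            run ipmasqadm portfw -a -P "$proto" -L "$EXT_IP" 53 -R "$SERVER" 53
        done
    fi
}

# "sh rc.firewall start" applies the rules; any other invocation previews them.
case "${1:-preview}" in
    start) APPLY=1; build_firewall ;;
    *)     APPLY=0; build_firewall ;;
esac
```

Run it without arguments first to read the generated ipchains and ipmasqadm
commands, then as root with `start` to apply them. Leave FORWARD_DNS at 0
unless the internal box really serves a zone for hosts outside the LAN; with
it at 0 the only ports reachable from the DSL side are 80 and 25 plus the
masquerading reply range.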

===