Title: 'Invisible' Bridges and logging

Can’t you just set iptables to allow new packets from the bridge, as well as established connections to the bridge, then reject everything else inbound?

I was going to say that you wouldn’t need to allow any packets to hit the bridge IP at all, since logging to a central server (unencrypted) seems to be all one way and doesn’t actually establish a two-way connection (although I might be wrong about this), but I’m guessing you’re using SSH, so that wouldn’t work. 

Of course, once you assign an IP to the bridge, even if you have an iptables rule to drop everything, it still leaves an obvious black hole in any portscans.  Gotta be really careful if you want to avoid that.

Anyhow, hope this helps.

Eric
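
The rule set Eric sketches, written out as an added example (not code from the thread): the bridge IP on br0 may open connections, replies to those connections are let back in, and everything else addressed to the bridge IP is rejected. br0, 192.0.2.10 and 192.0.2.20 are assumed placeholders, and limiting the bridge's new connections to the log host alone is a tightening beyond what Eric describes.

```shell
#!/bin/sh
# Added example; not code from the thread. Emits the iptables rules for a
# bridge whose only reason to have an IP on br0 is to ship logs to one host.
BR_IF=br0
BR_IP=192.0.2.10     # assumed address on br0 (placeholder)
LOG_HOST=192.0.2.20  # assumed central log server (placeholder)

# Print the rules rather than applying them, so they can be reviewed first.
bridge_rules() {
    br_if=$1 br_ip=$2 log_host=$3
    cat <<EOF
# replies to connections the bridge itself opened (ssh, or syslog over TCP)
iptables -A INPUT -i $br_if -d $br_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the bridge may start new connections, but only toward the log host
iptables -A OUTPUT -o $br_if -s $br_ip -d $log_host -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# plain UDP syslog (514/udp) is one-way: it matches NEW above and needs no reply rule
# every other packet aimed at the bridge IP is refused, and nothing else leaves it
iptables -A INPUT -i $br_if -d $br_ip -j REJECT
iptables -A OUTPUT -o $br_if -s $br_ip -j DROP
EOF
}

bridge_rules "$BR_IF" "$BR_IP" "$LOG_HOST"
```

Pipe the output into `sh` as root to apply it; note there is deliberately no INPUT rule that accepts a NEW connection, so nothing on the wire can initiate a session to the bridge.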

-----Original Message-----
From: Bob McDowell [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 20, 2002 4:59 PM
To: [EMAIL PROTECTED]
Subject: [Bridge] 'Invisible' Bridges and logging

Hello all.  I'd like to start by saying that I love this code.  It works really, really well.  I use it at home and will be putting it into place at work in the coming months.  Now, on to my question:

From what I gather from the previous posts/mails, the only (or at least best, working) way to communicate with the bridge is to put an IP on 'br0'.  I don't really want to do that.  I do, however, want the boxes to log to a central server.  Is there any way that this can be accomplished without putting an IP where the outside world can get at it?

I realize that using a 'private-space' subnet would limit visibility, but I'm not sure that this adds any security.  With the right iptables rules, you could be pretty certain that only inside hosts can talk to the bridge.  However, it would not be too terribly difficult to use a compromised box to 'reflect' packets back at the bridge from the inside.  I'm probably moving off into paranoia-land here, but I'd sleep better at night if those boxes weren't accessible to the network at large.

Any ideas?

Maybe I could script the IP address off and on as needed?  Maybe I don't actually need an IP, but I'd bet that I do.  This area is where my *nix gets pretty weak.