Can’t
you just set iptables to allow new packets from the bridge, as well as
established connections to the bridge, then reject
everything else inbound? I was going to say that you wouldn’t
need to allow any packets to hit the bridge IP at all, since logging to a
central server (unencrypted) seems to be all one way and doesn’t actually
establish a two-way connection (although I might be wrong about this), but I’m
guessing you’re using SSH, so that wouldn’t work. Of course, once you assign an IP to the
bridge, even if you have an iptables rule to drop everything, it still leaves
an obvious black hole in any portscans.
Gotta be really careful if you want to avoid that. Anyhow, hope this helps.

Eric

-----Original Message-----

Hello all. I'd like to start by saying that I
love this code. It works really, really well. I use it at home and
will be putting it into place at work in the coming months.

Now, on to my question: From what I gather from the previous posts/mails, the
only (or at least best, working) way to communicate with the bridge is to put
an IP on 'br0'. I don't really want to do that. I do, however, want
the boxes to log to a central server. Is there any way that this can be
accomplished without putting an IP where the outside world can get at it? I realize that using a 'private-space' subnet would
limit visibility, but I'm not sure that this adds any security. With the
right iptables rules, you could be pretty certain that only inside hosts can
talk to the bridge. However, it would not be too terribly difficult to
use a compromised box to 'reflect' packets back at the bridge from the
inside. I'm probably moving off into paranoia-land here, but I'd sleep
better at night if those boxes weren't accessible to the network at large. Any ideas? Maybe I could script the IP address off and on as
needed? Maybe I don't actually need an IP, but I'd bet that I do.
This area is where my *nix gets pretty weak.
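One way to implement the policy Eric sketches (accept what the bridge itself opened, allow new inbound connections only from a management host arriving on the inside port, drop the rest) while keeping syslog export one-way, as an added example that is not from the thread. Interface names (br0, eth0 as the inside port) and the 192.0.2.x addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: INPUT/OUTPUT policy for a Linux bridge
# host that carries an IP on br0 for SSH management and syslog export.
# Assumed values: eth0 is the inside bridge port, 192.0.2.10 is the
# management host, 192.0.2.20 is the central syslog server.
INSIDE_PORT="eth0"
MGMT_HOST="192.0.2.10"
SYSLOG_SERVER="192.0.2.20"

# Emit the rules rather than applying them, so the policy can be reviewed
# (or checked by a test) before it is piped into a shell on the bridge.
bridge_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections the bridge itself opened (covers syslog, DNS, ...).
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New SSH sessions only from the management host, and only when the frame
# entered through the inside port (physdev match), so a host on the outside
# segment spoofing the management address is still refused.
iptables -A INPUT -i br0 -m physdev --physdev-in $INSIDE_PORT -s $MGMT_HOST -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Everything else aimed at the bridge IP is dropped. As the thread notes,
# the address still shows up as a silent host in a scan; DROP only hides ports.
iptables -A INPUT -j DROP
EOF
}

# Syslog over UDP is one-way, so no inbound rule is needed for it; locking
# OUTPUT down as well keeps the bridge from initiating anything else.
bridge_output_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o br0 -p udp -d $SYSLOG_SERVER --dport 514 -j ACCEPT
iptables -A OUTPUT -j DROP
EOF
}

# Apply both rule sets on the bridge (run as root there):
apply_rules() {
    { bridge_rules; bridge_output_rules; } | sh
}
```

Run `bridge_rules; bridge_output_rules` first to review the generated rules, then `apply_rules` on the bridge host.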
Title: 'Invisible' Bridges and logging
- [Bridge] 'Invisible' Bridges and logging Bob McDowell
- RE: [Bridge] 'Invisible' Bridges and logging Eric Low
- RE: [Bridge] 'Invisible' Bridges and logging Bob McDowell
- RE: [Bridge] 'Invisible' Bridges and logging Eric Low
