Title: 'Invisible' Bridges and logging

I would think that this would be enough to allow logging from your bridge to a logging server:

    # accept replies to connections the bridge itself opened
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # drop everything else addressed to the bridge IP
    iptables -P INPUT DROP

That’s assuming that everything is allowed through your OUTPUT, PREROUTING and POSTROUTING chains.  Are the packets hitting the log server?  If you’re sending the logs in clear-text, I don’t believe these rules are required at all.  Are you seeing anything arrive back using tcpdump on br0?  What version of the bridge patch and kernel are you using?

Eric
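Putting the two rules above together, as an added example that is not Eric's or the bridge project's code: a small sh script that generates the INPUT/OUTPUT ruleset (FORWARD is left untouched), accepts only replies plus new syslog or SSH traffic from the bridge to the log server, and logs whatever else reaches the bridge IP before the DROP policy discards it. The log server address, UDP/514 for clear-text syslog, TCP/22 for an SSH tunnel, and the name br0 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread): build, show and optionally apply a
# minimal INPUT/OUTPUT ruleset for a bridge whose br0 IP exists only to push
# logs to one server. FORWARD is deliberately left untouched.
# Assumed placeholders: log server address in $1, syslog on UDP/514 for
# clear-text logging, SSH on TCP/22 for a tunnelled alternative, interface br0.
set -e

# gen_rules LOG_SERVER [IFACE] -> one iptables command per line on stdout
gen_rules() {
    srv=$1
    ifc=${2:-br0}
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $ifc -d $srv -p udp --dport 514 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $ifc -d $srv -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "$ifc-in-drop: "
iptables -P INPUT DROP
iptables -P OUTPUT DROP
EOF
}

# rule_count LOG_SERVER -> number of -A rules the set would install
rule_count() {
    gen_rules "$1" | grep -c '^iptables -A'
}

# 'show ADDR' prints the commands for review; 'apply ADDR' runs them as root
# and then lists INPUT so you can confirm the DROP policy and the state rule.
case ${1:-} in
    show)  gen_rules "${2:?log server address required}" ;;
    apply) gen_rules "${2:?log server address required}" | sh -e
           iptables -L INPUT -v -n ;;
esac
```

The LOG rule sits after the ESTABLISHED,RELATED accept, so only unsolicited packets aimed at the bridge IP (for example traffic reflected from an inside host) show up in the kernel log; confirm the log traffic itself with tcpdump on br0 as suggested above.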

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bob McDowell
Sent: Thursday, November 21, 2002 6:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [Bridge] 'Invisible' Bridges and logging

This doesn't seem to be working.  I'm sure it is my iptables configuration, but maybe someone could clarify this for me:  where do I put this rule?  My first thought was on a FORWARD rule, like everything else - but this doesn't work.  I can put it on an INPUT rule, but this seems to shut the IP down completely.  I've never used INPUT before.  Maybe I need to look over the how-to again.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Low
Sent: Wednesday, November 20, 2002 4:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Bridge] 'Invisible' Bridges and logging

Can’t you just set iptables to allow new packets from the bridge, as well as established connections to the bridge, then reject everything else inbound?

I was going to say that you wouldn’t need to allow any packets to hit the bridge IP at all, since logging to a central server (unencrypted) seems to be all one way and doesn’t actually establish a two-way connection (although I might be wrong about this), but I’m guessing you’re using SSH, so that wouldn’t work.

Of course, once you assign an IP to the bridge, even if you have an iptables rule to drop everything, it still leaves an obvious black hole in any portscans.  Gotta be really careful if you want to avoid that.

Anyhow, hope this helps.

Eric

-----Original Message-----
From: Bob McDowell [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 20, 2002 4:59 PM
To: [EMAIL PROTECTED]
Subject: [Bridge] 'Invisible' Bridges and logging

Hello all.  I'd like to start by saying that I love this code.  It works really, really well.  I use it at home and will be putting into place at work in coming months.  Now, on to my question:

From what I gather from the previous posts/mails, the only (or at least best, working) way to communicate with the bridge is to put an IP on 'br0'.  I don't really want to do that.  I do, however, want the boxes to log to a central server.  Is there any way that this can be accomplished without putting an IP where the outside world can get at it?

I realize that using a 'private-space' subnet would limit visibility, but I'm not sure that this adds any security.  With the right iptables rules, you could be pretty certain that only inside hosts can talk to the bridge.  However, it would not be too terribly difficult to use a compromised box to 'reflect' packets back at the bridge from the inside.  I'm probably moving off into paranoia-land here, but I'd sleep better at night if those boxes weren't accessible to the network at large.

Any ideas?

Maybe I could script the IP address off and on as needed?  Maybe I don't actually need an IP, but I'd bet that I do.  This area is where my *nix gets pretty weak.
