
Linux-Kongress 2002
9th International Linux System Technology Conference
September 4-6, 2002 in Cologne, Germany


Author: Ralf Spenneberg
Title: Bridgewalling - Using netfilter in bridge mode
Paper: PDF: lk2002-spenneberg.pdf (115073 Bytes)
Abstract

Firewalling using packet filters is usually done in router mode. The packet filtering software decides whether the packet will be forwarded/routed or not.

Installing a firewall in an existing network architecture often requires the modification of networks and IP addresses. If the firewall device functions as a bridge, no change is needed. The firewall is simply placed in between the machines to be firewalled. Additionally, the firewall is invisible at the IP layer.

Unfortunately, not much documentation exists covering the setup of a bridging firewall on Linux, although Linux offers a very advanced stateful packet filtering machinery (netfilter).

This talk will start with a comparison of routing and bridging. I will explain the different approaches to deciding whether a packet will be forwarded.

Then an introduction to the bridging code will be given. I will cover the ideas behind the Linux bridging code and its interaction with the netfilter code. The usage of the different netfilter tables and chains with respect to the bridging code will be covered. Once the technical aspects of bridging are covered, a bridging firewall will be configured and demonstrated. This will include the demonstration of the application of the bridging patch and the usage of the bridge utility.

The talk will conclude giving some examples of future uses of bridge firewalls.

The level is intermediate. The audience is expected to know netfilter/iptables basics.
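As an added illustration of the setup the talk describes (this script is not from the paper or from the author), here is a minimal transparent bridging firewall: two interfaces are joined into a bridge without an IP address, bridged IP frames are handed to the iptables hooks, and the FORWARD chain filters them by bridge port. It assumes a current kernel where the br_netfilter module has replaced the 2.4 bridging patch, bridge-utils (brctl) as the bridge utility, and iptables with the physdev match; the interface names, bridge name and protected host are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the paper): transparent "bridgewalling" with netfilter.
# Assumed: br_netfilter module (successor of the bridge-nf patch), bridge-utils,
# iptables physdev match. Interface/bridge names and SERVER are illustrative.
OUTSIDE=${OUTSIDE:-eth0}      # port facing the untrusted network
INSIDE=${INSIDE:-eth1}        # port facing the machines to be firewalled
BR=${BR:-br0}
SERVER=${SERVER:-192.0.2.10}  # documentation address standing in for a protected host

# With DRY_RUN set, print the commands instead of running them (root needed otherwise).
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Bridge the two ports. The bridge itself gets no IP address, so the
# firewall stays invisible at the IP layer.
setup_bridge() {
    run brctl addbr "$BR"
    run brctl addif "$BR" "$OUTSIDE"
    run brctl addif "$BR" "$INSIDE"
    run ip link set dev "$OUTSIDE" up
    run ip link set dev "$INSIDE" up
    run ip link set dev "$BR" up
    # Make bridged IP frames traverse the iptables hooks (what the 2.4 patch did).
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Bridged frames pass through FORWARD, not INPUT/OUTPUT. The physdev match
# names the bridge port a frame entered or leaves on, replacing the -i/-o
# interface notion of a routing firewall.
setup_filter() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Stateful filtering works in bridge mode: let replies through.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outside clients may reach only the protected web server.
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" --physdev-out "$INSIDE" \
        -p tcp -d "$SERVER" --dport 80 -m state --state NEW -j ACCEPT
    # Inside hosts may open connections outward.
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" --physdev-out "$OUTSIDE" \
        -m state --state NEW -j ACCEPT
    # Everything else is logged (rate limited) and dropped by the chain policy.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "bridgewall drop: "
}

# Usage: sh bridgewall.sh apply   (configure)   |   sh bridgewall.sh show   (print commands)
case "${1:-}" in
    apply) setup_bridge; setup_filter ;;
    show)  DRY_RUN=1; setup_bridge; setup_filter ;;
esac
```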

About the Author

The author has used Linux for the last 8 years. From 1996 he worked as a scientific assistant at the Center for Molecular Biology of Inflammation at the University of Münster. There he worked on several bio-informatics projects and was the head of the network administration and security group. For the last 3.5 years he has worked as a freelancer in the Linux/UNIX field. Most of the time he provides Linux/UNIX training. His specialty is network administration and security (firewalling, VPNs, intrusion detection). He has developed several training classes used by Red Hat and GfN.


Comments or Questions? Mail to contact@linux-kongress.org Last change: 2005-09-17