I want a one-machine firewall rather than a two-machine firewall just because it will be easier to maintain. I don't get my wish. I could have my wish if I compromised slightly on the security of the firewall. But, as a credit reseller, compromising security is a VERY bad idea.
Here's the setup. The one-machine firewall has three NICs (0, 1, and 2). NICs 1 and 2 are bridged. NIC 1 is connected to the DMZ and NIC 2 is connected to the WAN. NIC 0 is connected to the LAN and provides gateway and dhcpd services to the machines on the LAN. iptables on the firewall machine is taking care of NAT for the LAN.
It is my wish to have the bridge set up without an ip address. The bridge is then invisible. It can filter packets and other wonderful chores and be more or less impossible to break into from the outside world.
All seems well and good. Machines in the DMZ respond to service requests as they should. Traffic flows both ways exactly as if the bridge were a single run of CAT5. Perfect.
The LAN machines can send out all the packets they want. Those packets go out into the world carrying the public IP address assigned by the NAT rules. BUT, and it's a big but, the outside world can't send anything back. An ARP request for "who owns public_ip" is completely ignored by the bridge. Therefore nobody owns it and the packets are just dumped on the floor.
The only way to make the LAN talk to the world is to assign the public_ip to the bridge. That works. Everything works exactly like I want the firewall to work. EXCEPT the bridge is now visible to the outside world.
I have looked high and low through the various websites, books, how-tos and so forth for a solution. The only solution I have found is to separate the bridge machine from the LAN machine.
Whether I want to or not, I'm going to have two firewall machines. One an invisible packet-routing bridge from the WAN to the DMZ and another firewall hooked into the DMZ that protects the LAN.
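The two-machine layout described above, as an added example rather than the author's own configuration: machine A is the address-less bridge between WAN and DMZ, machine B holds the public address on its DMZ-facing interface and does the NAT for the LAN, so ARP for public_ip is answered by machine B and the bridge never needs an address. Interface names, the LAN subnet, the public address and the DMZ web server address are all assumed placeholders; the script prints the commands by default (DRY_RUN=1) and only executes them, which needs root, when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not the post's own rules. Renders the two-machine design:
#   machine A: transparent bridge (no IP on br0) filtering WAN <-> DMZ
#   machine B: LAN gateway holding the public address and doing SNAT
set -e

WAN_IF=${WAN_IF:-eth2}        # assumed: bridge member facing the WAN (machine A)
DMZ_IF=${DMZ_IF:-eth1}        # assumed: bridge member facing the DMZ (machine A)
LAN_IF=${LAN_IF:-eth0}        # assumed: LAN-facing interface (machine B)
DMZ_UP_IF=${DMZ_UP_IF:-eth1}  # assumed: DMZ-facing interface (machine B)
LAN_NET=${LAN_NET:-192.168.1.0/24}     # constructed private LAN range
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}   # constructed public address for the LAN's NAT
PUBLIC_PREFIX=${PUBLIC_PREFIX:-24}     # constructed prefix length of the DMZ subnet
DMZ_WEB=${DMZ_WEB:-203.0.113.20}       # constructed DMZ web server address

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Machine A: bridge with no address. Bridged frames are handed to iptables
# via bridge-nf, and the physical in/out ports are matched with physdev.
bridge_firewall() {
    run ip link add br0 type bridge
    run ip link set "$WAN_IF" master br0
    run ip link set "$DMZ_IF" master br0
    run ip link set "$WAN_IF" up
    run ip link set "$DMZ_IF" up
    run ip link set br0 up
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only HTTPS to the DMZ web server is allowed in from the WAN.
    run iptables -A FORWARD -m physdev --physdev-in "$WAN_IF" --physdev-out "$DMZ_IF" \
        -d "$DMZ_WEB" -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    # DMZ hosts (including machine B's NATed LAN traffic) may open outbound connections.
    run iptables -A FORWARD -m physdev --physdev-in "$DMZ_IF" --physdev-out "$WAN_IF" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Machine B: owns the public address, so it answers ARP for it; the bridge stays silent.
lan_firewall() {
    run ip addr add "$PUBLIC_IP/$PUBLIC_PREFIX" dev "$DMZ_UP_IF"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$DMZ_UP_IF" -j SNAT --to-source "$PUBLIC_IP"
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_UP_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_UP_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Nothing from the DMZ may initiate a connection into the LAN.
    run iptables -A INPUT -i "$DMZ_UP_IF" -m conntrack --ctstate NEW -j DROP
}

echo "# machine A (bridge)"
bridge_firewall
echo "# machine B (LAN gateway)"
lan_firewall
```

The split is what makes the bridge invisible: no `ip addr add` ever touches br0, while the SNAT source address is configured on machine B's interface, which is the host that replies to "who owns public_ip".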
Life goes on. I am learning more and more and more about how to firewall.
I'm learning more about what kinds of packets are racing through the Internet, too. I'm going to build a set of iptables rules for each machine that are vigorous.
Then I need yet another private machine. It will connect to the webserver on a private network that insists on TLS client/server two-way authentication. I haven't quite figured out this configuration yet. The webserver has to be able to talk with that machine, but the rest of the world must NOT be able to talk to that machine, even if the webserver has been hacked. How in the world am I going to accomplish that!?
I don't think it is possible and I don't think TLS will help. Nobody will be able to be a man-in-the-middle on a three-foot run of CAT5! It might be a case of security through obscurity. That is a dangerous way to think, but what a machine can prevent, a human can figure out how to circumvent.
Sigh.