LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 09-25-2003, 12:15 AM   #1
eldavido
Firewall-Bridge Kernel Question


Here's the deal guys:

I'm a student at the University of Illinois, and the place that I live was recently hit really hard by the variety of Windows worms that propagated here and elsewhere. I thought about this for a while and realized that a decent firewall should have stopped this, except, OOPS, the ISP was never contracted to perform any connection monitoring / filtering, and it was a "detail" of the network installation that was simply overlooked. (I went downstairs to find a piece of cat5e plugged straight from the demarc to the switches...the horror)

Anyway I've been with the community for a few years now, and I have decided that I should make it my project to learn the essentials of Linux system administration.

I scraped up some spare hardware we had and managed to put together a 433 MHz Celeron box w/80 MB of RAM. I threw a stage1 Gentoo install onto it, and a few days later, had a working system.

I then proceeded to implement a bridge, because that would be the most transparent option in terms of the ISP and the reconfiguration overhead. This was supposed to be a packet-filtering bridge. I then learned that a kernel patch was needed to make the bridge code support iptables filtering, so I got the patch - but this required a downgrade from kernel 2.4.22 to 2.4.19.

As yet, I haven't been able to find a patch that will make the latest stable kernel able to perform bridge packet filtering. I want to run the latest kernel because that's the one gentoo comes with, and having gentoo's emerge functionality to keep track of all the necessary updates, let me tell you, is a beautiful thing.

So, in summary, I am wondering what kernel I should run to create the bridge/firewall setup I want to create, and how to get it. In case anybody was wondering, this machine will serve 100 clients with an aggregate bandwidth of 10 Mbps (average utilization ~5%) to the provider.

Truthfully, I'm not sure I would even need to patch 2.4.19 because the only things running on the box are ssh, and the firewall - and I think that most exploits require shell access to the machine - but just in case I need to provide shell access, how can I secure this at the kernel level? Any help would be appreciated. Sorry about the length.

David Albrecht, U of I '07, Computer Engineering
 
Old 09-25-2003, 02:14 AM   #2
linuxmanju
I guess the ipbridging option doesn't require a patch in the latest kernel...
Do check that out.
 
Old 09-25-2003, 03:02 PM   #3
eldavido
I've since done a little more looking, and found that the "ebtables" package will serve my needs.

http://sourceforge.net/project/showf...group_id=39571

However, I still am wondering how I can keep the kernel patched with the mainline 2.6.0 source tree. Does anyone know if the author of ebtables intends to keep the patch functional with the newer kernels, or if ebtables is slated for integration with the main kernel sources anytime soon?
 
Old 09-26-2003, 10:39 PM   #4
eldavido
Might as well answer my own question since inevitably someone will find this post:

You don't need a patch in the 2.4.22 or better kernels, HOWEVER, it is necessary to disable "Fast network address translation" in the kernel configuration - this option tells the kernel to short-circuit certain types of packets past the iptables framework. This reduces the latency, but kills all filtering/inspection of packets that take this "fast track", including all bridge traffic.

Another interesting tool I was able to find was "ebtables" - sort of like an iptables, but it works more on layer 2 protocols - such as ip, ipx, etc. Do check it out if you need this sort of filtering.

http://ebtables.sourceforge.net/

Until then, peace.
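As an added illustration of the setup the thread arrives at (not code from any poster): on a 2.4.22+ kernel with bridge-nf in mainline, frames crossing the bridge traverse the iptables FORWARD chain, and the physdev match tells you which physical NIC they entered on. The script assumes eth0 faces the ISP demarc, eth1 faces the switches, the bridge is br0, and 192.0.2.0/24 is a placeholder admin subnet allowed to ssh to the box; DRY_RUN=1 prints the commands for review instead of running them.

```shell
#!/bin/sh
# Transparent bridging firewall for a two-NIC Linux 2.4.22+ box.
# Needs bridge-utils (brctl) and iptables with the physdev match; run as root.
# Interface names and the admin subnet below are assumptions for this example.

DRY_RUN="${DRY_RUN:-0}"
WAN_IF="${WAN_IF:-eth0}"          # toward the ISP
LAN_IF="${LAN_IF:-eth1}"          # toward the clients
BR_IF="${BR_IF:-br0}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # placeholder: hosts allowed to ssh in

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Build the bridge from the two NICs. No IP address is needed for filtering;
# the bridge only needs one if you intend to ssh to the box over it.
setup_bridge() {
    run brctl addbr "$BR_IF"
    run brctl addif "$BR_IF" "$WAN_IF"
    run brctl addif "$BR_IF" "$LAN_IF"
    run ifconfig "$WAN_IF" 0.0.0.0 up
    run ifconfig "$LAN_IF" 0.0.0.0 up
    run ifconfig "$BR_IF" up
    # With bridge-nf this sysctl must be 1, otherwise bridged frames bypass iptables.
    if [ -w /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
        run sh -c "echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables"
    fi
}

# Bridged traffic: clients may open connections outward, unsolicited inbound
# connection attempts are logged (rate-limited) and fall through to the DROP policy.
firewall_rules() {
    run iptables -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$LAN_IF" --physdev-out "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$WAN_IF" -m state --state NEW \
        -m limit --limit 10/min -j LOG --log-prefix "BRIDGE-DROP: "
    # The firewall box itself: loopback, replies, and ssh from the admin subnet only.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -s "$MGMT_NET" -m state --state NEW -j ACCEPT
}

# Usage (as root):  setup_bridge && firewall_rules      Preview:  DRY_RUN=1 sh -c '. ./bridgefw.sh; setup_bridge; firewall_rules'
```

Review the dry-run output against your own interface names before applying; a wrong NIC name on a transparent bridge silently blocks all traffic in one direction.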