Wednesday, December 20, 2023

Re: Bridging firewall and ntpd

On Tue, 19 Dec 2023 at 23:57, Karel Lucas <cahlucas@planet.nl> wrote:

>
> Hi all,
>
> I am creating a bridging firewall, and am wondering if it is possible to
> use the ntp daemon to ensure that all log files are timed correctly. Is
> there a way to achieve that despite the fact that the network
> connections do not have an IP address?
>

I did some of that in the early 2000s, and it wasn't as good an idea as I
had imagined it to be.
We put an extra eth interface on the box, and had that one on the inside
network range, so it could log and be administered via it. Then we had some
rules that allowed certain outside IPs to traverse the bridging fw to the
inside, and then reach the inside of the fw.

But all in all, that was just a workaround for a bad network setup where we
got a /24 from our ISP, but not a transport network for the outside of the
fw. I would not do it like that again; I noticed how nice it actually is to
be able to use layer-3 tools like ping and traceroute and so on, even if it
felt secretive and hip to have an "invisible" fw. I think most people that
have tried L2 firewalling end up moving away from it if they can, just
because of the poor visibility you get when you run firewalls on top of
bridges.

--
May the most significant bit of your life be positive.
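The layout described in the reply above (bridge ports with no IP, a separate management interface on the inside range, and a short list of outside addresses allowed in), expressed as an nftables ruleset with the matching ntpd bind settings. This is an added example, not configuration from the thread; all interface names, addresses and the 203.0.113.0/24 admin range are constructed assumptions.

```nftables
# Added example (not from the thread). Assumed, constructed layout:
#   eth0 = outside, eth1 = inside, both enslaved to br0, which carries no IP
#   eth2 = management interface on the inside range, 192.0.2.10/24
#   192.0.2.1 = inside NTP and syslog server; 203.0.113.0/24 = outside admins
# ntpd then binds only to the management address (ntp.conf):
#   interface ignore wildcard
#   interface listen 192.0.2.10
#   server 192.0.2.1 iburst

# Traffic crossing the bridge; none of it is addressed to this host.
# Stateful matching in the bridge family needs nf_conntrack_bridge (Linux 5.3+).
table bridge filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Inside hosts may open connections outward
        iifname "eth1" oifname "eth0" accept
        # Only the listed outside addresses may open connections inward
        iifname "eth0" oifname "eth1" ip saddr 203.0.113.0/24 accept
        log prefix "bridge-drop: " drop
    }
}

# Traffic to and from the firewall host itself: management interface only.
table inet mgmt {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Anything arriving on a bridge port is not for this host
        iifname { "eth0", "eth1", "br0" } drop
        # SSH to the management address from the inside network and the
        # outside admin range (which reaches eth2 after crossing the bridge)
        iifname "eth2" ip saddr { 192.0.2.0/24, 203.0.113.0/24 } tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # NTP queries and syslog leave only via the management interface,
        # so log timestamps stay correct without giving the bridge an address
        oifname "eth2" ip daddr 192.0.2.1 udp dport 123 accept
        oifname "eth2" ip daddr 192.0.2.1 udp dport 514 accept
        # Name resolution against the assumed inside resolver
        oifname "eth2" ip daddr 192.0.2.1 udp dport 53 accept
    }
}
```

Load with `nft -f` and confirm with `ntpq -p` that ntpd reaches 192.0.2.1 only through eth2; the output chain's default drop is what catches any leak over the bridge ports.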
