Running a Port Forwarding Firewall System on a Bridge

T. Eggendorfer and D. Weber (Germany)


Keywords: Bridge, Port-Forwarding, Network-Management, Security, DMZ


Today, on the perimeter of a small network, a firewall is installed on a router. Towards the inner network there is a demilitarised zone (DMZ) and the local network (LAN). Servers accessible from the Internet are located in the DMZ; the additional firewall between the DMZ and the LAN increases security. Routing decisions are usually based on the destination IP address. In systems where, due to IP availability restrictions, only the external router has an official IP address and all machines within the DMZ use private IPs, the router determines where to route a packet according to the TCP or UDP destination port and rewrites the destination IP accordingly. Outgoing connections from DMZ servers are network address translated (NAT). This rewriting on both sides might have an impact on several security systems. Therefore, the authors propose to use an IP-less device to direct network traffic depending on its destination port. This paper describes the use of an ISO/OSI layer 2 device, a bridge, to make those routing decisions usually made on a higher layer. This allows two or more devices to share the same IP without the need for network address translation. Several methods to allow those systems sharing the same IP to intercommunicate without modifying their network stacks are also proposed. We report on our sample implementation on a Linux bridge.
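The forwarding decision the abstract describes, modelled as an added example (not the authors' Linux implementation): the bridge inspects the TCP/UDP destination port of frames addressed to the shared public IP, picks the server that publishes that port, and rewrites only the Ethernet destination MAC, so the IP header, ports and checksums stay untouched and no NAT state exists. The shared IP, the MACs, the bridge port names and the port map are assumed values constructed for the demonstration.

```python
import socket
import struct

# Constructed scenario: three DMZ servers share one public IP; the bridge picks the
# server by TCP/UDP destination port and rewrites only the Ethernet destination MAC.
SHARED_IP = "203.0.113.10"                      # assumed shared public address
PORT_MAP = {                                    # (IP proto, dport) -> (bridge port, server MAC); assumed values
    (6, 80):  ("dmz1", "02:00:00:00:00:01"),    # TCP/80 and TCP/443 -> web server
    (6, 443): ("dmz1", "02:00:00:00:00:01"),
    (6, 25):  ("dmz2", "02:00:00:00:00:02"),    # TCP/25 -> mail server
    (17, 53): ("dmz3", "02:00:00:00:00:03"),    # UDP/53 -> DNS server
}
ETH = struct.Struct("!6s6sH")                   # dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, sport, dport):
    """Constructed Ethernet/IPv4/L4 frame with a minimal 20-byte IP header (checksum left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    l4 = struct.pack("!HHHH", sport, dport, 0, 0)   # only the port fields matter here
    return ETH.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_IPV4) + ip + l4

def forward(frame, fdb):
    """Return (out_port, frame_to_send) or None to drop. fdb maps MAC bytes -> bridge port."""
    dst, src, ethertype = ETH.unpack_from(frame)
    if ethertype == ETHERTYPE_IPV4:
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[14 + 9]
        dst_ip = socket.inet_ntoa(frame[14 + 16:14 + 20])
        if dst_ip == SHARED_IP:
            if proto not in (6, 17):
                return None                          # only TCP/UDP carry a port to decide on
            dport = struct.unpack_from("!H", frame, 14 + ihl + 2)[0]
            target = PORT_MAP.get((proto, dport))
            if target is None:
                return None                          # unpublished port: default deny
            out_port, server_mac = target
            # Layer 2 rewrite only: IP addresses, ports and checksums stay as received,
            # whichever server's MAC the external router had resolved for the shared IP.
            return out_port, ETH.pack(mac(server_mac), src, ethertype) + frame[14:]
    # Ordinary bridging for everything else: known MAC -> its port, unknown -> flood
    return fdb.get(dst, "flood"), frame
```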
