[Security] Bridge Howto document

Getting the software

Bridging is supported in the current 2.4 (and 2.6) kernels from all the major distributors. The required administration utilities are in the bridge-utils package. (On current distributions brctl is deprecated in favour of the iproute2 commands ip link and bridge, but the kernel bridge they drive is the same one described here.)

You can also build your own up-to-date version by getting the latest kernel from kernel.org and building the utilities from the code on the downloads page.

Setting Up The Bridge

Network cards

Before you start, make sure both network cards are set up and working properly. Do not assign them IP addresses, and do not let the startup scripts run DHCP on the Ethernet interfaces either: the IP address, if any, is assigned to the bridge interface after the bridge has been configured.

The command ifconfig should show both network cards, and they should be DOWN.

Module loading

In most cases, the bridge code is built as a module. If the module is configured and installed correctly, it will get automatically loaded on the first brctl command.

If your bridge-utilities have been correctly built and your kernel and bridge-module are OK, then issuing a brctl should show a small command synopsis.

# brctl

Bridge firewalling registered

commands:

        addbr           <bridge>                add bridge

        addif           <bridge> <device>       add interface to bridge

        delbr           <bridge>                delete bridge

        delif           <bridge> <device>       delete interface from bridge

        show                                    show a list of bridges

        showmacs        <bridge>                show a list of mac addrs

        showstp         <bridge>                show bridge stp info

        setageing       <bridge> <time>         set ageing time

        setbridgeprio   <bridge> <prio>         set bridge priority

        setfd           <bridge> <time>         set bridge forward delay

        setgcint        <bridge> <time>         set garbage collection interval

        sethello        <bridge> <time>         set hello time                  

        setmaxage       <bridge> <time>         set max message age            

        setpathcost     <bridge> <port> <cost>  set path cost                  

        setportprio     <bridge> <port> <prio>  set port priority              

        stp             <bridge> <state>        turn stp on/off

Creating a bridge device

The command

    brctl addbr bridgename

creates a logical bridge instance named bridgename. You need at least one instance to do any bridging at all. Think of the logical bridge as a container for the interfaces taking part in the bridging. Each bridge instance is represented by a new network interface of the same name.

Deleting a bridge device

The corresponding “shutdown” command is:

    brctl delbr bridgename

Adding devices to a bridge

The command

    brctl addif bridgename device

adds the network device device to the bridge bridgename. All the devices contained in a bridge act as one big network segment. A device cannot belong to more than one bridge, and a bridge device cannot itself be added to a bridge, because neither would make any sense. After a device is added, the bridge spends a short time (the forward delay, see setfd below) learning the Ethernet addresses on that segment before it starts forwarding on the port.

Deleting devices from a bridge

The corresponding command to take an interface out of the bridge is:

    brctl delif bridgename device

Showing devices in a bridge

The brctl show command gives you a summary about the overall bridge status, and the instances running as shown below:

# brctl addbr br549

# brctl addif br549 eth0

# brctl addif br549 eth1

# brctl show

bridge name     bridge id               STP enabled     interfaces

br549           8000.00004c9f0bd2       no              eth0

                                                        eth1

Once a bridge is running, brctl showmacs shows the forwarding database: the MAC addresses seen on each port, including the bridge's own (local) addresses.

# brctl showmacs br549

port no mac addr                is local?       ageing timer

  1     00:00:4c:9f:0b:ae       no                17.84

  1     00:00:4c:9f:0b:d2       yes                0.00

  2     00:00:4c:9f:0b:d3       yes                0.00

  1     00:02:55:1a:35:09       no                53.84

  1     00:02:55:1a:82:87       no                11.53

  1     00:02:b3:09:eb:de       no                43.12

  1     00:02:b3:11:d4:8d       no                 2.66

  1     00:02:b3:11:e1:1e       no                13.19

  1     00:02:b3:11:e9:ad       no                26.67

  1     00:02:b3:11:f0:ab       no                 0.66

  1     00:02:b3:11:f1:99       no                35.34

  1     00:02:b3:3d:d1:08       no                12.80

  1     00:02:b3:3d:d1:4b       no                21.76

  1     00:02:e3:00:08:ff       no                43.12

  1     00:02:e3:00:0c:19       no                46.68

  1     00:03:47:4c:4b:4c       no                40.86

  1     00:03:93:73:cd:dc       no                38.91

  1     00:04:80:26:b9:60       no                 0.85

  1     00:04:80:29:5a:00       no                10.22

  1     00:08:83:dc:38:e7       no                55.61

  1     00:09:6b:58:c6:1d       no                16.53

  1     00:30:c1:ad:70:c5       no                13.68

  1     00:b0:d0:b0:63:ca       no                 9.29

  1     00:c0:a8:7b:b6:14       no                64.16

  1     00:d0:b7:a9:3f:b8       no                 4.91

  1     00:d0:b7:a9:44:60       no                 0.02

The ageing time is the number of seconds a MAC address is kept in the forwarding database after the last frame received from that address. Entries are periodically timed out so that they do not stay around forever. Normally there is no need to modify this parameter, but it can be changed with:

    brctl setageing bridgename time

Time is in seconds.
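The forwarding database is also the thing an attacker on a bridged segment tampers with, either by flooding it with bogus source addresses or by claiming another host's address on a different port. The script below is an added example, not part of the Bridge Howto: it parses two constructed snapshots in the format of brctl showmacs (a subset of the table above, with one address moved and one aged out in the second snapshot) and reports ports that have learned more addresses than a threshold and addresses that changed port between snapshots. On a live bridge capture the snapshots with brctl showmacs br549 instead.

```shell
#!/bin/sh
# Added example, not part of the Bridge Howto: audit the forwarding database
# printed by "brctl showmacs <bridge>".  SAMPLE_FDB and SAMPLE_FDB_LATER are
# constructed snapshots in that format (a subset of the table above); on a
# live system capture them with:  snap=$(brctl showmacs br549)

SAMPLE_FDB='port no mac addr                is local?       ageing timer
  1     00:00:4c:9f:0b:ae       no                17.84
  1     00:00:4c:9f:0b:d2       yes                0.00
  2     00:00:4c:9f:0b:d3       yes                0.00
  1     00:02:55:1a:35:09       no                53.84
  1     00:02:55:1a:82:87       no                11.53
  1     00:02:b3:09:eb:de       no                43.12
  1     00:02:b3:11:d4:8d       no                 2.66
  2     00:d0:b7:a9:44:60       no                 0.02'

# Same bridge a little later (constructed): 00:02:55:1a:35:09 is now learned
# on port 2 and 00:02:b3:09:eb:de has aged out.
SAMPLE_FDB_LATER='port no mac addr                is local?       ageing timer
  1     00:00:4c:9f:0b:ae       no                 3.10
  1     00:00:4c:9f:0b:d2       yes                0.00
  2     00:00:4c:9f:0b:d3       yes                0.00
  2     00:02:55:1a:35:09       no                 0.40
  1     00:02:55:1a:82:87       no                 8.77
  1     00:02:b3:11:d4:8d       no                12.01
  2     00:d0:b7:a9:44:60       no                 1.15'

# Number of learned (non-local) MAC addresses on port $2 of snapshot $1.
fdb_learned_count() {
    printf '%s\n' "$1" | awk -v p="$2" 'NR > 1 && $1 == p && $3 == "no" { n++ } END { print n + 0 }'
}

# Ports whose learned-MAC count exceeds threshold $2.  A port carrying far
# more addresses than there are hosts behind it is what a MAC flooding
# attempt against the forwarding database looks like.
fdb_flood_ports() {
    printf '%s\n' "$1" | awk -v t="$2" '
        NR > 1 && $3 == "no" { c[$1]++ }
        END { for (p in c) if (c[p] > t) print p }' | sort -n
}

# MAC addresses that moved to a different port between snapshot $1 and
# snapshot $2, printed as "mac old_port new_port".  Legitimate moves happen,
# but an address flapping between ports is the signature of MAC spoofing.
fdb_moved_macs() {
    {
        printf '%s\n' "$1" | sed 's/^/A /'
        printf '%s\n' "$2" | sed 's/^/B /'
    } | awk '
        $1 == "A" && $4 == "no" { old[$3] = $2 }
        $1 == "B" && $4 == "no" && ($3 in old) && old[$3] != $2 { print $3, old[$3], $2 }' | sort
}

echo "learned on port 1: $(fdb_learned_count "$SAMPLE_FDB" 1)"
echo "ports over threshold 4: $(fdb_flood_ports "$SAMPLE_FDB" 4)"
echo "moved MACs:"
fdb_moved_macs "$SAMPLE_FDB" "$SAMPLE_FDB_LATER"
```

The threshold is a judgement call per port: for a port facing a single host anything above a handful of addresses is suspect, while an uplink port legitimately learns every address on the far side. Local entries (is local? = yes) are the bridge's own interfaces and are excluded from both checks.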

Spanning Tree Protocol

If you are running multiple or redundant bridges, you need to enable the Spanning Tree Protocol (STP) to handle multiple hops and avoid forwarding loops. More information is on the STP page.

Enabling STP is done via:

    brctl stp bridgename on

You can see the STP parameters with:

# brctl showstp br549

br549

bridge id              8000.00004c9f0bd2

designated root        0000.000480295a00

root port                 1                    path cost                104

max age                  20.00                 bridge max age           200.00

hello time                2.00                 bridge hello time         20.00

forward delay           150.00                 bridge forward delay      15.00

ageing time             300.00                 gc interval                0.00

hello timer               0.00                 tcn timer                  0.00

topology change timer     0.00                 gc timer                   0.33

flags

eth0 (1)

port id                8001                    state                   forwarding

designated root        0000.000480295a00       path cost                100

designated bridge      001e.00048026b901       message age timer         17.84

designated port        80c1                    forward delay timer        0.00

designated cost           4                    hold timer                 0.00

flags

eth1 (2)

port id                8002                    state                   disabled

designated root        8000.00004c9f0bd2       path cost                100

designated bridge      8000.00004c9f0bd2       message age timer          0.00

designated port        8002                    forward delay timer        0.00

designated cost           0                    hold timer                 0.00

flags

STP tuning

Each bridge has a relative priority, and each interface is associated with a port (number) in the STP code that has its own priority and cost. These values are used to decide the shortest path along which to forward a frame. The lowest-cost path is always used unless it is down. If you have multiple bridges and interfaces, you may need to adjust the priorities to achieve optimum performance.

brctl setbridgeprio bridgename priority

The bridge with the lowest priority value is elected root bridge, the "central" bridge of the spanning tree. STP carries no authentication, so any device on a bridged segment that sends BPDUs with a lower priority than yours becomes root; the designated root shown by brctl showstp is worth comparing against the bridge you expect.

brctl setfd bridge time

Sets the forwarding delay: the time spent in each of the Listening and Learning states before the Forwarding state is entered.

brctl sethello bridge time

Sets the hello time. Every time seconds, a hello packet is sent out by the Root Bridge and the Designated Bridges. Hello packets are used to communicate information about the topology throughout the entire bridged LAN.

brctl setmaxage bridge time

Sets the maximum message age. If the last seen (received) hello packet is more than this number of seconds old, the bridge in question will start the takeover procedure in attempt to become the Root Bridge itself.

brctl setpathcost bridge port cost

Sets the cost of sending a packet on this interface. Faster interfaces should have lower path costs. These values are used in the computation of the minimal spanning tree. Paths with lower costs are likelier to be used in the spanning tree than high-cost paths (As an example, think of a gigabit line with a 100Mbit or 10Mbit line as a backup line. You don’t want the 10/100Mbit line to become the primary line there.)

The Linux implementation described here sets the path cost of all eth* interfaces to 100, the nominal cost for a 10Mbit connection, because it had no easy way to discern 10Mbit from 100Mbit from 1Gbit Ethernet cards and so could not use the real interface speed. (Newer kernels derive the default cost from the link speed the driver reports, when it reports one; use setpathcost where the default is wrong for your topology.)

brctl setportprio bridgename port priority

Sets the priority of ports with equal cost. You can use this to control which port gets used when there are redundant paths. These parameters are only of interest if you have more than one bridge in your LAN and STP enabled.
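The parameters above are only as good as the root election they produce, and the election is decided by whoever advertises the lowest priority. The script below is an added example, not part of the Bridge Howto: it parses the brctl showstp output shown earlier (embedded as SAMPLE_STP) and reports whether this bridge is the root, whether the root is the bridge id you expect, and the state of each port. In that sample the designated root is 0000.000480295a00, a different bridge advertising priority 0000, the lowest possible; if you had expected br549 itself to be root, the check flags it. Nothing here needs root or a real bridge; on a live system feed it "$(brctl showstp br549)" instead.

```shell
#!/bin/sh
# Added example, not part of the Bridge Howto: read "brctl showstp" output and
# answer the two questions that matter operationally: is this bridge the root,
# and is the root the bridge you expect?  SAMPLE_STP is the showstp output
# shown above, embedded here so the script runs offline.

SAMPLE_STP='br549
bridge id              8000.00004c9f0bd2
designated root        0000.000480295a00
root port                 1                    path cost                104
max age                  20.00                 bridge max age           200.00
hello time                2.00                 bridge hello time         20.00
forward delay           150.00                 bridge forward delay      15.00
ageing time             300.00                 gc interval                0.00
hello timer               0.00                 tcn timer                  0.00
topology change timer     0.00                 gc timer                   0.33
flags

eth0 (1)
port id                8001                    state                   forwarding
designated root        0000.000480295a00       path cost                100
designated bridge      001e.00048026b901       message age timer         17.84
designated port        80c1                    forward delay timer        0.00
designated cost           4                    hold timer                 0.00
flags

eth1 (2)
port id                8002                    state                   disabled
designated root        8000.00004c9f0bd2       path cost                100
designated bridge      8000.00004c9f0bd2       message age timer          0.00
designated port        8002                    forward delay timer        0.00
designated cost           0                    hold timer                 0.00
flags'

# First value after a top-level label such as "bridge id" or "designated root".
# Leading whitespace is stripped so real brctl output, which indents the
# field lines, parses the same way as the sample.
stp_field() {
    printf '%s\n' "$1" | awk -v l="$2" '
        { sub(/^[ \t]+/, "") }
        index($0, l) == 1 { sub("^" l "[ \t]+", ""); print $1; exit }'
}

# The priority is the first 16 bits (4 hex digits) of a bridge id; the rest
# is the bridge MAC address.  Lower wins the root election.
stp_bridge_priority() {
    printf '%s\n' "${1%%.*}"
}

# "root" when this bridge is the root of the spanning tree, otherwise
# "non-root <designated root id>".
stp_root_status() {
    me=$(stp_field "$1" "bridge id")
    root=$(stp_field "$1" "designated root")
    if [ "$me" = "$root" ]; then echo root; else echo "non-root $root"; fi
}

# Compare the elected root against the bridge id you expect ($2).  STP has
# no authentication, so a root you did not configure deserves a look.
stp_expected_root_check() {
    root=$(stp_field "$1" "designated root")
    if [ "$root" = "$2" ]; then
        echo ok
    else
        echo "UNEXPECTED ROOT $root (priority $(stp_bridge_priority "$root"), expected $2)"
        return 1
    fi
}

# "<port> <state>" for every port section of the output.
stp_port_states() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]+ \([0-9]+\)$/ { cur = $1 }
        /^[ \t]*port id/ { for (i = 1; i <= NF; i++) if ($i == "state") print cur, $(i + 1) }'
}

echo "status: $(stp_root_status "$SAMPLE_STP")"
stp_expected_root_check "$SAMPLE_STP" "$(stp_field "$SAMPLE_STP" "bridge id")" || :
stp_port_states "$SAMPLE_STP"
```

Run periodically, stp_expected_root_check with the id of your intended root turns a silent topology takeover into a visible alert; a port that has dropped from forwarding to blocking without a cabling change is the other symptom to watch for in stp_port_states.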

Sample setup

The basic setup of a bridge is done like:

Zero the IP addresses on the interfaces. The bridge needs the network devices to be operational, but without TCP/IP running on them. (Assigning an address with ifconfig, even 0.0.0.0, also brings the interface UP, which is what the bridge needs.)

# ifconfig eth0 0.0.0.0

# ifconfig eth1 0.0.0.0

Create the bridge interface.

# brctl addbr mybridge

Add interfaces to the bridge.

# brctl addif mybridge eth0

# brctl addif mybridge eth1

Put up the bridge.

# ifconfig mybridge up

This sets the host up as a pure bridge: it has no IP address of its own, so it cannot be reached (or attacked) over TCP/IP. It still forwards every frame between its ports, so any layer-2 filtering you want has to be done with the kernel's bridge firewalling hooks (ebtables), whose presence the "Bridge firewalling registered" message above indicates.

Optionally, you can configure the virtual interface mybridge to take part in your network. It behaves like a single interface (like a normal network card) and is configured in exactly the same way, replacing the previous command with something like:

# ifconfig mybridge 192.168.100.5 netmask 255.255.255.0 up
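The four steps above have an order that matters (members zeroed first, bridge created, members attached, bridge brought up, and only then an address on the bridge), and every argument ends up on a root shell command line. The script below is an added example, not part of the Bridge Howto: it turns the sample setup into a function that validates the bridge and interface names, prints the exact command sequence, and only runs it as root when DRY_RUN is unset. The names mybridge, eth0 and eth1 are the page's own; BRIDGE_IP, BRIDGE_MASK and DRY_RUN are variables introduced here for illustration.

```shell
#!/bin/sh
# Added example, not part of the Bridge Howto: scripted version of the sample
# setup above with name validation and a dry-run mode.  BRIDGE_IP, BRIDGE_MASK
# and DRY_RUN are this script's own variables, not brctl options.

# Accept only names the kernel accepts: 1..15 characters (IFNAMSIZ - 1) and
# nothing that a shell or brctl could misread.
valid_ifname() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# True when the interface exists on this host (Linux sysfs).
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Print the command sequence for bridge $1 over member interfaces $2..$n in
# the order the howto requires.  With BRIDGE_IP (and optionally BRIDGE_MASK)
# set, the bridge itself gets that address instead of staying IP-less.
bridge_plan() {
    br=$1; shift
    valid_ifname "$br" || { echo "bad bridge name: $br" >&2; return 2; }
    [ $# -ge 1 ] || { echo "need at least one member interface" >&2; return 2; }
    for dev in "$@"; do
        valid_ifname "$dev" || { echo "bad interface name: $dev" >&2; return 2; }
    done
    for dev in "$@"; do echo "ifconfig $dev 0.0.0.0"; done
    echo "brctl addbr $br"
    for dev in "$@"; do echo "brctl addif $br $dev"; done
    if [ -n "${BRIDGE_IP:-}" ]; then
        echo "ifconfig $br $BRIDGE_IP netmask ${BRIDGE_MASK:-255.255.255.0} up"
    else
        echo "ifconfig $br up"
    fi
}

# Execute the plan line by line.  With DRY_RUN set, only print it.
bridge_apply() {
    plan=$(bridge_plan "$@") || return $?
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$plan"
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    shift
    for dev in "$@"; do
        iface_exists "$dev" || { echo "no such interface: $dev" >&2; return 1; }
    done
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1    # leaves the pipeline subshell, so the loop fails
    done
}

# Demonstration with the page's names; dry run, so nothing is changed.
DRY_RUN=1
bridge_apply mybridge eth0 eth1
```

On a host without bridge-utils the same steps are ip link add name mybridge type bridge, ip link set eth0 master mybridge (and likewise eth1), and ip link set mybridge up; the ordering constraint is identical.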

서진우

Managing Director (Technical Director) at 클루닉스, a supercomputing company / Information Systems Auditor / operator of the 시스존 blog
