From: "riffraff" <riffraff@mail.ev1.net>
To: netfilter@lists.samba.org
Subject: Re: bridging with iptables (was no subject)
Date: Fri, 28 Jun 2002 17:39:38 -0500 [thread overview]
Message-ID: <200206281739.AA386531398@mail.ev1.net>
---------- Original Message ----------------------------------
From: Antony Stone <Antony@Soft-Solutions.co.uk>
Date: Fri, 28 Jun 2002 23:29:48 +0100
>
>In which case.... can anyone here give some advice on combining netfilter
>with a bridge (which, as Patrick kindly pointed out) doesn't have an IP
>address on *either* (any?) of its interfaces ?
>
>ie does the standard Linux routing system, and the various netfilter hooks,
>still work sensibly enough to be able to put netfilter rules onto a bridge ?
>
Yes, look at the bridge-netfilter project:
http://bridge.sourceforge.net/
I use it at work (in my lab at NASA). You can have an IP address assigned to the bridge, though. It is just assigned to the bridge interface, and not the individual interfaces that make up the bridge. Meaning, if you, say, ssh to the IP address of the bridge, it will answer on any interface, not just a specific ethernet card. You don't have to have an IP address assigned, however. I filter out all accesses to the bridge from the outside (using netfilter), and only allow ssh from the inside.
>Or is netfilter based so much around routing concepts and interfaces with
>addresses on them that it doesn't really work properly ?
>
>
>I'm sure I'll find a use for a bridge one day, so it'd be good to know
>whether I can put netfilter on it when I do.
>
>
Our main use is wanting to put a firewall in our network (upgrading from Drawbridge, which really wasn't that flexible), and we don't control the router (that is controlled by some other agency on site). We didn't want to subnet our network (losing addresses, in addition to re-engineering everything), so we put the bridge firewall up in between the router and the main switch. It is completely transparent to the users.
>
>Antony.
>
-lsd
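The setup riffraff describes above (an address on the bridge interface only, all access to the bridge from the outside port dropped, ssh allowed from the inside port), written out as an added example; it is not code from the post or from the bridge-nf project. The interface names, the documentation-range address and the use of the iptables physdev match are assumptions.

```shell
#!/bin/sh
# Transparent bridge firewall between router and main switch.
# Assumed layout (constructed): br0 = eth0 (outside, toward the router)
# + eth1 (inside, toward the switch). Only br0 carries an IP address.
OUTSIDE=${OUTSIDE:-eth0}
INSIDE=${INSIDE:-eth1}
BRIDGE=${BRIDGE:-br0}
BRIDGE_ADDR=${BRIDGE_ADDR:-192.0.2.10/24}

# Build the bridge (needs bridge-utils and root; only run via "apply").
setup_bridge() {
    brctl addbr "$BRIDGE"
    brctl addif "$BRIDGE" "$OUTSIDE"
    brctl addif "$BRIDGE" "$INSIDE"
    ip link set "$OUTSIDE" up
    ip link set "$INSIDE" up
    ip addr add "$BRIDGE_ADDR" dev "$BRIDGE"
    ip link set "$BRIDGE" up
    # Current kernels hand bridged frames to iptables only with this
    # sysctl set (module br_netfilter); the 2002 bridge-nf patch did so
    # unconditionally.
    sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Emit the rules protecting the bridge host itself. $1 is the command
# used for each rule: "iptables" to apply, "echo" to preview the policy.
bridge_input_rules() {
    ipt=$1
    "$ipt" -P INPUT DROP
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # "-i br0" alone cannot tell the two ports apart; the physdev match
    # exposes the physical port a frame entered the bridge on.
    # Management (ssh) is reachable from the inside port only ...
    "$ipt" -A INPUT -i "$BRIDGE" -m physdev --physdev-in "$INSIDE" \
        -p tcp --dport 22 -j ACCEPT
    # ... and anything aimed at the bridge's own address from the outside
    # port is dropped, so the firewall stays invisible to the router side.
    "$ipt" -A INPUT -i "$BRIDGE" -m physdev --physdev-in "$OUTSIDE" -j DROP
}

# Number of INPUT rules the policy installs (sanity check for the preview).
rule_count() { bridge_input_rules echo | grep -c -- '-A INPUT'; }

case "${1:-preview}" in
    apply)   setup_bridge && bridge_input_rules iptables ;;
    preview) bridge_input_rules echo ;;
esac
```

Forwarded traffic is unaffected by these rules; a FORWARD policy for the users' traffic would be added the same way, with --physdev-in/--physdev-out selecting direction.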