* [LARTC] ?OT? Linux 2.6: bridge + routing firewall
@ 2007-02-15 15:44 Edesio Costa e Silva
  2007-02-16 13:37 ` 
  2007-02-16 14:12 ` tomdeb
  0 siblings, 2 replies; 3+ messages in thread
From: Edesio Costa e Silva @ 2007-02-15 15:44 UTC (permalink / raw)
  To: lartc

Hi All!

I need to deploy a bridge firewall using linux kernel 2.6. I had success
using kernel 2.4 plus br-nf patch. But the configuration does not work with
kernel 2.6.

If the default policy for the iptables FORWARD chain is ACCEPT I have a
bridge. If iptables FORWARD chain is DROP I have an insulator (no packet
flows). Any hint?

I did some google search and in many places they say "kernel 2.6 is not
recommended", "no luck with kernel 2.6", etc.

Any link to a success story of a bridge firewall with kernel 2.6? Any
personal experience?

Thanks in advance,

Edésio
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [LARTC] ?OT? Linux 2.6: bridge + routing firewall
  2007-02-15 15:44 [LARTC] ?OT? Linux 2.6: bridge + routing firewall Edesio Costa e Silva
@ 2007-02-16 13:37 ` 
  2007-02-16 14:12 ` tomdeb
  1 sibling, 0 replies; 3+ messages in thread
From: Покотиленко Костик @ 2007-02-16 13:37 UTC (permalink / raw)
  To: lartc

I have some experience.

It seems that you should explicitly allow bridging in iptables as well
as in ebtables.

So, in addition to my bridge rules in ebtables I also have this rule in
iptables:

iptables -A FORWARD -i br0 -o br0 -j ACCEPT

Otherwise, it could block bridging by later rules or the policy.

On Thu, 15/02/2007 at 13:44 -0200, Edesio Costa e Silva wrote:
> Hi All!
> 
> I need to deploy a bridge firewall using linux kernel 2.6. I had success
> using kernel 2.4 plus br-nf patch. But the configuration does not work with
> kernel 2.6.
> 
> If the default policy for the iptables FORWARD chain is ACCEPT I have a
> bridge. If iptables FORWARD chain is DROP I have an insulator (no packet
> flows). Any hint?
> 
> I did some google search and in many places they say "kernel 2.6 is not
> recommended", "no luck with kernel 2.6", etc.
> 
> Any link to a success story of a bridge firewall with kernel 2.6? Any
> personal experience?
> 
> Thanks in advance,
> 
> Edésio
-- 
Покотиленко Костик <casper@meteor.dp.ua>


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [LARTC] ?OT? Linux 2.6: bridge + routing firewall
  2007-02-15 15:44 [LARTC] ?OT? Linux 2.6: bridge + routing firewall Edesio Costa e Silva
  2007-02-16 13:37 ` 
@ 2007-02-16 14:12 ` tomdeb
  1 sibling, 0 replies; 3+ messages in thread
From: tomdeb @ 2007-02-16 14:12 UTC (permalink / raw)
  To: lartc


What you might be interested in as well is the physdev match, which will
let you filter traffic on physical devices.


T o M

| On Fri, Feb 16, 2007 at 03:37:10PM +0200, Покотиленко Костик wrote: 
>I have some experience.
>
>It seems that you should explicitly allow bridging in iptables as well
>as in ebtables.
>
>So, in addition to my bridge rules in ebtables I also have this rule in
>iptables:
>
>iptables -A FORWARD -i br0 -o br0 -j ACCEPT
>
>Otherwise, it could block bridging by later rules or the policy.
>
>On Thu, 15/02/2007 at 13:44 -0200, Edesio Costa e Silva wrote:
>> Hi All!
>> 
>> I need to deploy a bridge firewall using linux kernel 2.6. I had success
>> using kernel 2.4 plus br-nf patch. But the configuration does not work with
>> kernel 2.6.
>> 
>> If the default policy for the iptables FORWARD chain is ACCEPT I have a
>> bridge. If iptables FORWARD chain is DROP I have an insulator (no packet
>> flows). Any hint?
>> 
>> I did some google search and in many places they say "kernel 2.6 is not
>> recommended", "no luck with kernel 2.6", etc.
>> 
>> Any link to a success story of a bridge firewall with kernel 2.6? Any
>> personal experience?
>> 
>> Thanks in advance,
>> 
>> Edésio
>-- 
>Покотиленко Костик <casper@meteor.dp.ua>

^ permalink raw reply	[flat|nested] 3+ messages in thread
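
Added example, not part of any message in this thread: the rule quoted above accepts everything that crosses br0, so the physdev match mentioned in the last reply can be used to keep FORWARD at policy DROP and accept bridged traffic per direction instead. The port names (eth0 inside, eth1 outside) and the single allowed inbound service (TCP/80) are assumptions for illustration; the function only prints a ruleset in iptables-restore format so it can be reviewed before loading.

```sh
#!/bin/sh
# Emit an iptables-restore ruleset for a bridge with two ports.
# Usage: bridge_ruleset <bridge> <inside-port> <outside-port>
# Assumes bridged frames are passed to iptables
# (sysctl net.bridge.bridge-nf-call-iptables = 1).
bridge_ruleset() {
    br=$1 inside=$2 outside=$3
    cat <<EOF
*filter
# INPUT/OUTPUT stay at ACCEPT here; hardening the firewall host itself is out of scope.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections that were already accepted, either direction.
-A FORWARD -i $br -o $br -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inside to outside: new connections are allowed.
-A FORWARD -i $br -o $br -m physdev --physdev-in $inside --physdev-out $outside -m state --state NEW -j ACCEPT
# Outside to inside: only new TCP connections to port 80 (constructed policy).
-A FORWARD -i $br -o $br -m physdev --physdev-in $outside --physdev-out $inside -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Remaining bridged packets are logged, then hit the DROP policy.
-A FORWARD -m physdev --physdev-is-bridged -j LOG --log-prefix "br-drop: "
COMMIT
EOF
}

# Print the ruleset for the assumed port names.
bridge_ruleset br0 eth0 eth1
```

The output can be checked with `iptables-restore --test` before it is loaded; ARP is not filtered by these rules because iptables only sees IP packets.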
