From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@lists.netfilter.org>
Cc: Mail List - Linux Advanced Routing and Traffic Control
	<lartc@mailman.ds9a.nl>
Subject: [LARTC] A word about bridgeing to the wise...
Date: Wed, 13 Dec 2006 03:47:01 +0000
Message-ID: <457F77B5.9060206@riverviewtech.net>

I have seen and responded to many different bridging related firewalling 
questions as of late.  There seems to be a common assumption that 
IPTables does not and/or cannot see bridged traffic.  This is not the 
case.

If you enable the "Bridged IP/ARP packets filtering" 
(CONFIG_BRIDGE_NETFILTER) option IPTables can see and act on bridged 
traffic.  If this is turned on and you have a default filter:FORWARD 
policy of DENY, or a catch all rule of DENY, you will need to explicitly 
allow bridged traffic to be forwarded.

(excerpt from menuconfig) "Enabling this option will let arptables resp. 
iptables see bridged ARP resp. IP traffic. If you want a bridging 
firewall, you probably want this option enabled."

I hope this helps others avoid problems in the future.



Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
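The following is an added example, not part of Grant's mail, showing the two halves of the point above in working form: a check for whether the kernel is actually handing bridged IP frames to iptables, and a FORWARD rule set that explicitly admits bridged traffic under a DROP policy. On kernels since 3.18 the CONFIG_BRIDGE_NETFILTER code builds as the br_netfilter module and is switched at run time through the net.bridge.bridge-nf-call-iptables sysctl, which is what the check reads. The bridge name br0 and its member ports eth0 (inside) and eth1 (outside) are assumptions for illustration; the rules use the physdev match so that only bridged frames are admitted and routed traffic through the same host stays under the DROP policy.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumes a hypothetical bridge
# br0 whose member ports are eth0 (inside) and eth1 (outside), a kernel with
# br_netfilter / CONFIG_BRIDGE_NETFILTER, and iptables with the physdev match.

# Report whether bridged IPv4 frames are currently handed to iptables.
# Exit status: 0 = enabled, 1 = disabled, 2 = br_netfilter not loaded
# (the sysctl file only exists once the module is in the kernel, and
# without it iptables silently never sees bridged traffic).
bridge_nf_state() {
    _f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$_f" ] || return 2
    [ "$(cat "$_f")" = 1 ]
}

# Emit the FORWARD rules for a bridging firewall with a DROP policy.
# $1 = bridge device, $2 = inside port, $3 = outside port.
# The rules are printed rather than executed so they can be reviewed;
# pipe the output to sh as root to apply them.
bridge_forward_rules() {
    _br=$1
    _in=$2
    _out=$3
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $_br -o $_br -m physdev --physdev-in $_in --physdev-out $_out --physdev-is-bridged -j ACCEPT
iptables -A FORWARD -i $_br -o $_br -m physdev --physdev-in $_out --physdev-out $_in --physdev-is-bridged -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-is-bridged -m limit --limit 5/min -j LOG --log-prefix "bridge-drop: "
EOF
}

# Stand-alone run: report the sysctl state, then print the rule set.
rc=0
bridge_nf_state || rc=$?
case $rc in
    0) echo "# bridge-nf-call-iptables=1: bridged traffic passes through iptables" ;;
    1) echo "# bridge-nf-call-iptables=0: bridged traffic bypasses iptables" ;;
    *) echo "# br_netfilter not loaded: bridged traffic bypasses iptables" ;;
esac
bridge_forward_rules "${BRIDGE:-br0}" "${INSIDE:-eth0}" "${OUTSIDE:-eth1}"
```

The inside-to-outside rule admits everything bridged in that direction, the outside-to-inside rule admits only new SSH, and everything else bridged falls to the logging rule and then the DROP policy. Because the physdev rules only match frames that are being bridged (--physdev-is-bridged), packets the host routes between its other interfaces are unaffected and remain dropped unless a separate rule admits them. The mirror-image failure mode to the one in the mail is worth checking first: with the module absent or the sysctl at 0 the rule set installs cleanly and simply never matches, which is what bridge_nf_state returning 1 or 2 is telling you.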
