* [LARTC] A word about bridging to the wise...
From: Grant Taylor @ 2006-12-13 3:47 UTC (permalink / raw)
To: Mail List - Netfilter
Cc: Mail List - Linux Advanced Routing and Traffic Control
I have seen and responded to many different bridging-related firewalling
questions as of late. There seems to be a common assumption that
IPTables does not and/or cannot see bridged traffic. This is not the
case.
If you enable the "Bridged IP/ARP packets filtering"
(CONFIG_BRIDGE_NETFILTER) option, IPTables can see and act on bridged
traffic. If this is turned on and you have a default filter:FORWARD
policy of DENY, or a catch-all rule of DENY, you will need to explicitly
allow bridged traffic to be forwarded.
(excerpt from menuconfig) "Enabling this option will let arptables resp.
iptables see bridged ARP resp. IP traffic. If you want a bridging
firewall, you probably want this option enabled."
I hope this helps others avoid problems in the future.
Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
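An added example, not part of Grant's post, showing the situation he describes: a filter:FORWARD policy of DROP (iptables spells the post's DENY as DROP) that silently discards bridged frames once CONFIG_BRIDGE_NETFILTER is active, beside the explicit accept for bridged traffic and a check of the kernel's runtime switch. Assumed: the bridge device is named br0, and IPT=echo is used to preview the rules without root.

```shell
#!/bin/sh
# Added example, not from the original post. Once CONFIG_BRIDGE_NETFILTER is
# built in and bridge-nf-call-iptables is 1, frames the bridge forwards also
# traverse filter:FORWARD with the bridge device as both -i and -o, so a
# default DROP policy discards them unless a rule accepts bridged traffic.
# IPT=echo previews the rules without root; BRIDGE=br0 is an assumed name.
IPT=${IPT:-iptables}
BRIDGE=${BRIDGE:-br0}

# Returns 0 when the running kernel currently hands bridged IP traffic to
# iptables (the runtime switch behind the menuconfig option quoted above).
bridge_nf_active() {
    knob=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$knob" ] && [ "$(cat "$knob")" = 1 ]
}

# The setup the post warns about: a catch-all DROP with no bridged-traffic
# rule. With br_netfilter on, hosts on either side of the bridge lose
# connectivity while nothing in the routed rules explains why.
broken_forward_rules() {
    $IPT -P FORWARD DROP
}

# Corrected: keep the DROP default, but accept frames that are being bridged
# between ports of $BRIDGE. Routed traffic still needs its own rules, and the
# physdev match stops this rule from matching traffic routed via the bridge IP.
fixed_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$BRIDGE" -o "$BRIDGE" \
        -m physdev --physdev-is-bridged -j ACCEPT
}

# Preview the corrected rules by default; pass "apply" to load them for real.
if [ "${1:-preview}" = apply ]; then
    fixed_forward_rules
else
    IPT=echo fixed_forward_rules
fi
```

Run without arguments to see the rules that would be loaded; run with `apply` as root on the bridging host to install them.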