From: billycrook@gmail.com
To: Grant Taylor <gtaylor@riverviewtech.net>
Cc: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Reject on a Bridge
Date: Thu, 4 Sep 2008 11:44:37 -0500
Message-ID: <a43edf1b0809040944j673af28ard764d3da1503386f@mail.gmail.com>
In-Reply-To: <48C00A5F.2080104@riverviewtech.net>
On 2008-09-04, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> On 09/03/08 17:41, Gilad Benjamini wrote:
>> I am using iptables to run a firewall on a bridge. The bridge
>> consists of eth1 and eth2. Neither interface, nor the bridge itself,
>> have an IP address. eth0, which is not on the bridge, does have an IP
>> address.
>>
>> Am I missing something, or is this a real problem?
>
> I'm not sure where the rejection is going to come from. At least as I
> understand it the rejection comes from a system (with an IP) in the path
> that is refusing to pass the packet. Thus I don't see how the bridge
> can reject the packet because there is no source IP to send the
> rejection from. Can you add an IP to the bridge interface that is
> within the subnet that is being bridged through it so that there is a source
> IP for the rejection?
That does make it pretty clear. Rejecting an IP packet is done with
another IP packet. Packets have to come from a layer-3 interface, of
a machine with an IP, so it doesn't make sense that an interface
that's not participating in IP itself could send an
ICMP-host-prohibited message if it doesn't have an IP from which to
send the message.
I understand you want to reject with an RST packet, but that packet
still has to come from somewhere. It sounds like you want the rule to
fabricate an RST packet from the intended recipient of whatever you're
blocking. I doubt the kernel will send any packets (let alone forged
ones) from an interface where IP is not bound.
Perhaps an easier solution would be to just DROP the unwanted traffic,
rather than REJECT.
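What the two approaches look like as rules, as an added example that is not from the thread or its participants. It assumes the poster's layout (eth1 and eth2 bridged with no IP, eth0 carrying the box's only IP), that br_netfilter passes bridged frames to the FORWARD chain, and the hypothetical choice of eth1 as the filtered port; the rules are emitted as text rather than applied, so the script runs without root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Layout assumed from the
# original question: br0 bridges eth1 and eth2 (no IP anywhere on the bridge),
# eth0 has the host's only IP. Bridged frames only reach iptables' FORWARD
# chain when net.bridge.bridge-nf-call-iptables=1; the physdev match then
# selects the bridge port a frame came in on.

BRIDGE_IN=eth1   # bridge port facing the hosts being filtered (assumption)

# Rules for traffic that merely transits the bridge. DROP, not REJECT:
# the bridge has no IP, so there is no source address from which the
# kernel could send a TCP RST or an ICMP host-prohibited reply.
bridge_forward_rules() {
    cat <<EOF
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -P FORWARD ACCEPT
iptables -A FORWARD -m physdev --physdev-in $BRIDGE_IN -p tcp --dport 23 -j DROP
iptables -A FORWARD -m physdev --physdev-in $BRIDGE_IN -p tcp --dport 445 -j DROP
EOF
}

# Traffic addressed to the firewall itself arrives on eth0, which does have
# an IP, so a REJECT with a TCP RST is meaningful there and gives the client
# an immediate failure instead of a timeout.
host_input_rules() {
    cat <<EOF
iptables -A INPUT -i eth0 -p tcp --dport 23 -j REJECT --reject-with tcp-reset
EOF
}

# Returns 0 (true) if any FORWARD rule still uses REJECT, i.e. a rule that
# would never produce the reply the author expects on an IP-less bridge.
forward_uses_reject() {
    bridge_forward_rules | grep -- '-A FORWARD' | grep -q -- '-j REJECT'
}

# Print the rule set; with --apply, feed it to a shell (needs root).
case "${1:-}" in
    --apply) { bridge_forward_rules; host_input_rules; } | sh ;;
    *)       bridge_forward_rules; host_input_rules ;;
esac
```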