> Although I'm not sure how well EBTables would be able > to filter addresses on a raw interface verses on the > bridge interface. I ran some tests and it seemed to work. Here is a little test script: #!/bin/sh /firewall-scripts/allow-all EBTABLES="/usr/local/sbin/ebtables" IPTABLES="/sbin/iptables" $EBTABLES -F $EBTABLES -A INPUT -i eth0 -j DROP $EBTABLES -A INPUT -i eth1 -j ACCEPT $EBTABLES -A INPUT -i eth2 -j ACCEPT #$IPTABLES -A FORWARD -i eth0 -j DROP #$IPTABLES -A FORWARD -i eth1 -j ACCEPT #$IPTABLES -A FORWARD -i eth2 -j ACCEPT #$IPTABLES -A INPUT -i eth0 -j DROP #$IPTABLES -A INPUT -i eth1 -j ACCEPT #$IPTABLES -A INPUT -i eth2 -j ACCEPT [root@IXFactor-fw gregs]# The IP Address for br0 is 1.2.3.2. I setup a system at 1.2.3.1 and had it ping 1.2.3.2. Everything behaved as expected. With bridging turned on, none of the iptables rules made any difference, so I commented them out. With the cable plugged into eth0, none of the pings replied. Tcpdump on the 1.2.3.2 box didn't even show anything coming into br0. Connecting to eth1 or eth2, pings replied and tcpdump showed the ICMP going back and forth on br0. Setting br0 to 1.2.3.2 and eth1 to 10.0.0.1, my external host could ping both IP Addresses when I fudged in appropriate routes on my test system. Here are a couple of my challenges. I want to block anything coming in from the Internet claiming to come from 10/8, or 172.16/12 or 192.168/16. But anything from these address blocks from any trusted eth-- interface should be OK. Easy to do with pure routing, seems a little more challenging with bridging. I think I can whip up some rules, but they depend on ebtables filtering by physical eth-- port. I have a public /24 block, call it 1.2.3.nnn. Some of these are on eth0, some on eth1, a few others on eth2. Bridging seems to handle this nicely. eth0 faces the Internet. I am a little nervous in packaging all this. Let's say something goes haywire in startup, before I run the brctl stuff. Or let's say something bad happens and bridging goes haywire. If eth0 has no IP Address, I have no remote access to the box. So I'd like to at least give an IP Address to eth0. This seems to work, but like I said, it's not documented to work. It just hit me what's bugging me - it bugs me to give an IP Address to a logical device and cut off any kind of fallback access to the physical device. Maybe I'm looking for trouble that's not there and creating problems I don't need just because bridging is so new in my little world. I wonder what others have done in this situation? And then there's my PPTP clients. I give these guys a 10.0.0.xxx IP Address with a gateway of 10.0.0.1. This was all part of the eth1 LAN when it was a pure router. I suppose in this bridging setup, I could make 10.0.0.1 an alias for br0 and leave eth1 with no IP Address. This just takes a little getting used to I guess. - Greg _______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
