On Tuesday 08 April 2003 07:35 am, Scott MacKay wrote:

> Hello all! 2 quick questions, if I could.
> It looks like the bridge + firewall solution of choice
> for the 2.4 kernel is ebtables
> (http://ebtables.sourceforce.net). The only thing I
> want to do with the bridge + firewalls is get my
> physical device; I don't need to play with rules based
> on ethernet header. Does anyone know if I need both
> the ebtables and bridge-nf patches or can I just use
> the bridge-nf?

I've successfully implemented a stateful firewall on a bridge with a 2.4.x kernel and iptables, just using the br-nf patch. I match on both the incoming interface (the 'real' ethernet interface, not the br0 device) and IPs, and usually portnums and conntrack state.

> Since it is all integrated in the 2.5 kernel, does
> anyone know how stable that is (yeah, beta) or
> thoughts when it may leave the beta state?

So far my only foray with 2.5 (two weeks ago, the latest at the time, which was 2.5.6x) hosed my MBR and /etc/fstab. I want to try again, but am waiting until my test machine is available for the purpose. (Hardware/software on that machine changes almost daily.)

> Also, in the whole iptables chain order of things,
> when is conn tracking performed?

The actual tracking of connections is started as soon as the packets are present at an interface. Certainly the conntrack state is already determined when the packet reaches mangle->PREROUTING, the first possible chain, so it's handled when netfilter first sees the packet.

> Thanks in advance for any help with the myriad of
> questions!!!
> -Scott

j