On Tue 15/04/2003 at 02:04, Dan Graham wrote:
> I'm new to the list, and I'm new to netfilter. I've just set up a
> Bridge+IPtables firewall, and it seems to be working well, with one
> exception. The bridge is passing EtherTalk packets, when my default
> FORWARD policy is DROP. So the question is, did I miss a
> configuration option which would allow dropping of non-IP packets?
> I'm willing to start adding non-IP filtering, but I'd rather not
> duplicate previous work.

From what you present, you seem to have used only the bridge-nf patch, which allows the contents of forwarded frames (layer 3 and above) to be injected into Netfilter's framework in order to be filtered.

The problem is that this kind of filtering "only" works for layer 3 protocols that Netfilter supports, and Netfilter does not support EtherTalk. Thus, frames containing EtherTalk are free to go through.

You should then consider using ebtables: http://ebtables.sourceforge.net/

ebtables is a patch that allows layer 2 filtering and sometimes a bit more, depending on the layer 3 protocol. You'll be able to set up filtering for your EtherTalk frames using its protocol number, based on source and destination MACs.

-- 
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
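A concrete ebtables ruleset for the situation above, added here as an example and not part of the original reply. It assumes the bridge interface is named br0, uses the IEEE-assigned Ethernet types for AppleTalk (0x809B) and AARP (0x80F3), and matches both raw Ethernet II frames (EtherTalk phase 1) and 802.2/SNAP-encapsulated frames (EtherTalk phase 2), which a pure Ethertype match would miss. The functions emit the commands rather than running them, so the list can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example: layer 2 filtering with ebtables for a Linux bridge whose
# iptables FORWARD policy is DROP but which still passes EtherTalk, because
# bridge-nf only hands Netfilter the layer 3 protocols it understands.
# Assumptions: bridge interface br0, ebtables with the 802_3 match module.

EBTABLES=${EBTABLES:-ebtables}

# Targeted approach: drop only AppleTalk (0x809B) and AARP (0x80F3).
# Phase 1 EtherTalk puts the type straight in the Ethernet II type field;
# phase 2 uses an 802.3 length field plus an 802.2 LLC/SNAP header, so the
# type has to be matched with -p LENGTH and the 802_3 SNAP type match.
# $1 = bridge name, $2 (optional) = source MAC to restrict the rules to.
ethertalk_drop_rules() {
    bridge=${1:-br0}
    src=""
    [ -n "$2" ] && src="-s $2"
    cat <<EOF
$EBTABLES -A FORWARD --logical-in $bridge $src -p 0x809B -j DROP
$EBTABLES -A FORWARD --logical-in $bridge $src -p 0x80F3 -j DROP
$EBTABLES -A FORWARD --logical-in $bridge $src -p LENGTH --802_3-sap 0xaa --802_3-type 0x809B -j DROP
$EBTABLES -A FORWARD --logical-in $bridge $src -p LENGTH --802_3-sap 0xaa --802_3-type 0x80F3 -j DROP
EOF
}

# Allow-list approach, which is what the original question really asks for:
# let through only the frame types Netfilter will go on to inspect (IPv4 and
# the ARP it needs) and drop every other non-IP protocol at layer 2, so a
# protocol nobody thought of (EtherTalk, IPX, ...) cannot slip past.
ip_only_rules() {
    bridge=${1:-br0}
    cat <<EOF
$EBTABLES -P FORWARD DROP
$EBTABLES -A FORWARD --logical-in $bridge -p IPv4 -j ACCEPT
$EBTABLES -A FORWARD --logical-in $bridge -p ARP -j ACCEPT
EOF
}

# Count how many DROP rules a generated list contains (used for checking).
count_drop_rules() {
    printf '%s\n' "$1" | grep -c -- '-j DROP'
}

# Usage: review, then apply as root with:  ethertalk_drop_rules br0 | sh
ethertalk_drop_rules br0
```

With the allow-list variant the ebtables FORWARD policy is DROP at layer 2, so the iptables FORWARD policy only ever sees IPv4 traffic, which is the layer where it can actually make a decision.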