On 8/1/2007 5:44 PM, Pawel Zawora wrote:
Stupid question: Is it possible to filter packets based on src or
dst IP? Or using TCP state (conntrack, port, flags)?
Yes, you can filter based on port. To do connection state filtering I
think you will need to use IPTables. With the Bridged IP/ARP Netfilter
code you can use all of IPTables' features on layer 2 in the bridge and
not have to worry about crossing subnets.
Yes, it is so complex.
Indeed, probably too complex.
I have one "big" subnet (assume 1.1.1.0/24). Now I want to move 3
machines (1.1.1.98 - 100) to a separate "small" subnet.
"Small" subnet: it is enough to change the subnet size to /29 and define a new default GW.
Router: I need to create 1 additional routing table that will send
data to my small subnet based on dst address.
"Big" subnet: I have to tell *each* machine: send packets to the GW even though 1.1.1.98... seems to be in the
local network.
Again, I'm a bit confused as to whether or not you want the machines you
are moving to a different network to be able to communicate with the
machines that are staying on the big network. Let me ask it a
different way: what is your reasoning / motivation for moving the
machines in question to a different network?
Similar things are done in DR (in this case I don't need to create
extra routing rules), but probably I cannot use the DR mechanism in my
situation...
Again, will you please try to explain more of your situation (if you
can): what you have now, what you are wanting to achieve, and why
you are going that route? In other words, what is your original problem
/ desire?
After this I can create any iptables rules on the router..........
Yes. The bridge is as much a real interface as any PPP interface, so
you can do just about anything you want with it.
Thank you for the explanation.
You are welcome.
Probably bridging is the easiest way to solve my problem....
Probably. Though I cannot say for sure without knowing more about
your situation. I keep asking because bridging is a very good solution
in a lot of situations, but what you do with it is how you tune the
bridging setup to your environment.
Does Snort work correctly on a bridge server?
I see no reason why it would not. I have successfully run any and all
utilities against a bridge interface without a problem: TCPDump, DHCP,
any web server / DNS server / mail server, just about anything. The
only drawback that I see with using a bridge for Snort is that you
can't physically cut the transmit line, so you have to use the no-ARP
methods to stop ARP replies.
What is the best way to trace and log TCP connections in that
scenario?
Probably the same thing that you are doing now. TCPDump, Snort should
work, libpcap, you name it.
Thank you.
You are welcome.
Grant. . . .
P.S. If you would be more comfortable discussing details off of the
newsgroup, just drop me a line.
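The points Grant makes above (a bridge with the bridged IP/ARP netfilter code lets you apply full iptables connection-state filtering on layer 2 without re-subnetting, the bridge members run with no address and ARP disabled so the box stays invisible, and dropped traffic can be logged for connection tracing) can be put together in one script. This is an added example written for this page, not code from either poster. It assumes a bridge br0 joining eth0 (facing the rest of 1.1.1.0/24) and eth1 (facing the three hosts 1.1.1.98-100 from the thread), and an allowed inbound TCP port list; all of those names are assumptions. The rule generator is pure text, so it can be inspected without touching the host; only the "apply" path needs root, the iproute2 and iptables tools, and the br_netfilter module (on a 2007-era kernel the same hook was built into the bridge module, and brctl addbr/addif would replace the ip link calls).

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed layout:
#   rest of 1.1.1.0/24 -- eth0 [ br0 ] eth1 -- hosts 1.1.1.98-100
# br0 and its members carry no IP address and have ARP switched off,
# so the bridge answers nothing on the wire but still filters and logs.
set -eu

BR=${BR:-br0}
WAN_IF=${WAN_IF:-eth0}      # assumption: side facing the rest of the /24
LAN_IF=${LAN_IF:-eth1}      # assumption: side facing the three hosts
HOSTS="1.1.1.98 1.1.1.99 1.1.1.100"   # the three machines from the thread
ALLOWED_TCP="22 80 443"     # assumption: inbound services the hosts expose

# Build the transparent bridge. No address + ARP off is the "no arp"
# stealth method mentioned in the thread. Needs root; nothing here is
# reachable by IP through the bridged members, so management must use
# another interface.
bridge_setup() {
    ip link add name "$BR" type bridge
    for dev in "$WAN_IF" "$LAN_IF"; do
        ip addr flush dev "$dev"
        ip link set dev "$dev" arp off promisc on up
        ip link set dev "$dev" master "$BR"
    done
    ip link set dev "$BR" arp off up
    # Hand bridged IPv4 frames to the iptables FORWARD chain.
    modprobe br_netfilter 2>/dev/null || true
    sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Emit the ruleset in iptables-restore format (pure text, safe anywhere).
# physdev matches tie a rule to the bridge port a frame arrived on, and
# conntrack gives the stateful filtering the thread says needs iptables.
filter_rules() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Replies and related traffic of known connections pass in both directions.
    printf '%s\n' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The three hosts may open new connections outward.
    for h in $HOSTS; do
        printf '%s\n' \
            "-A FORWARD -m physdev --physdev-in $LAN_IF -s $h -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Inbound new connections reach the hosts only on the allowed TCP ports.
    for h in $HOSTS; do
        for p in $ALLOWED_TCP; do
            printf '%s\n' \
                "-A FORWARD -m physdev --physdev-in $WAN_IF -d $h -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # Everything else hits the DROP policy; log it first so the kernel log
    # carries a trace of refused connections (tcpdump/Snort on br0 see the rest).
    printf '%s\n' '-A FORWARD -j LOG --log-prefix BRIDGE-DROP:' 'COMMIT'
}

apply_rules() { filter_rules | iptables-restore; }

# Number of FORWARD rules the generator produced (used as a sanity check).
count_forward_rules() { filter_rules | grep -c '^-A FORWARD'; }

if [ "${1:-}" = "apply" ]; then
    bridge_setup
    apply_rules
else
    filter_rules
fi
```

Run it with no arguments to print the ruleset for review, and as root with "apply" to build the bridge and load it. Because the members have no address and ARP off, the box cannot be addressed from the monitored segment, which is the same property Grant describes for a Snort bridge; the LOG rule plus conntrack is what answers the "trace and log TCP connections" question without a separate tool.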