Re: ebtables without bridge

Hello,

Michail Zhilkin wrote:

> I have no bridge interfaces at all, only one physical Ethernet card.

> Is it possible to filter incoming and outgoing Layer 2 traffic using ebtables in this case?

No. ebtables rules work only on bridges.

> I tried to load simple rules to test the ebtables firewall:
>
> [root@space]# ebtables -P INPUT DROP
> [root@space]# ebtables -P OUTPUT DROP
> [root@space]# ebtables -P FORWARD DROP
> [...]
> All traffic should be blocked, but I can send and receive everything...
> [...]
> What is wrong? Are ebtables really designed for bridges only?

Yes.

> If so, what can I do?

You can create a bridge and add the ethernet interface to it.

> I would like to drop all Layer 2 traffic except Ethernet frames with the IPv4 and ARP protocols.

May I ask why? If you enable only IPv4 support, the networking stack won't accept or send packets with ethertypes other than IPv4 and ARP.

> In addition, I need to allow only frames with my MAC address (incoming and outgoing, i.e. locally generated).

An Ethernet interface accepts only packets sent to its own MAC address or the broadcast address anyway, unless you set it in promiscuous mode or use some multicast.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
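A worked version of the advice in this reply ("create a bridge and add the ethernet interface to it", then filter with ebtables), written for this archive page as an added example; it is not code from the thread or from the netfilter project. It assumes the NIC is eth0, the bridge is br0, the host's IPv4 address is 192.0.2.10/24, and it uses the iproute2 bridge syntax (`ip link add ... type bridge`) rather than the `brctl addbr`/`brctl addif` commands of the period; the MAC 00:11:22:33:44:55 is a constructed placeholder used only when sysfs is not readable. By default the script just prints the commands; run it as root with APPLY=1 to execute them. Two practical points the thread only touches on: a bridge with a single port inherits that port's MAC, so the own-MAC match works as the poster wanted, but ARP requests from peers arrive with the broadcast destination, so a strict "only my MAC" INPUT policy needs one broadcast-ARP exception or ARP resolution breaks; and moving the address from eth0 to br0 drops connectivity mid-way, so apply it from the console, not over SSH.

```shell
#!/bin/sh
# Added example (not from the original thread): put the single NIC behind a
# bridge so ebtables has something to filter, then allow only IPv4 and ARP
# frames to/from the host's own MAC. Prints commands unless APPLY=1.
set -eu

APPLY="${APPLY:-0}"   # 0 = print the command lines, 1 = execute them (root)

# run CMD...: execute when APPLY=1, otherwise print the command line.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# bridge_cmds IFACE BRIDGE CIDR MAC: create BRIDGE, enslave IFACE, move the
# IPv4 address CIDR from IFACE to BRIDGE and pin BRIDGE's MAC to MAC (with
# one port the bridge takes that MAC anyway; pinning makes it explicit).
# Connectivity is lost between the flush and the re-add, so do this on console.
bridge_cmds() {
    iface=$1; br=$2; cidr=$3; mac=$4
    run ip link add name "$br" type bridge
    run ip link set dev "$iface" master "$br"
    run ip addr flush dev "$iface"
    run ip addr add "$cidr" dev "$br"
    run ip link set dev "$br" address "$mac"
    run ip link set dev "$iface" up
    run ip link set dev "$br" up
}

# ebtables_cmds MAC: default-deny all three filter chains, then accept only
# IPv4 and ARP frames addressed to MAC (INPUT) or sent from MAC (OUTPUT).
# Peers' ARP requests arrive as broadcast, so one broadcast-ARP rule is kept.
# FORWARD stays DROP: with a single port there is nothing to forward anyway.
ebtables_cmds() {
    mac=$1
    run ebtables -F
    run ebtables -P INPUT DROP
    run ebtables -P OUTPUT DROP
    run ebtables -P FORWARD DROP
    run ebtables -A INPUT -p IPv4 -d "$mac" -j ACCEPT
    run ebtables -A INPUT -p ARP -d "$mac" -j ACCEPT
    run ebtables -A INPUT -p ARP -d Broadcast -j ACCEPT
    run ebtables -A OUTPUT -p IPv4 -s "$mac" -j ACCEPT
    run ebtables -A OUTPUT -p ARP -s "$mac" -j ACCEPT
}

# main IFACE BRIDGE CIDR: read the NIC's MAC from sysfs when available
# (placeholder MAC for dry runs off the box), then emit both command sets.
main() {
    iface=$1; br=$2; cidr=$3
    if [ -r "/sys/class/net/$iface/address" ]; then
        mac=$(cat "/sys/class/net/$iface/address")
    else
        mac="00:11:22:33:44:55"   # constructed placeholder, not a real host
    fi
    bridge_cmds "$iface" "$br" "$cidr" "$mac"
    ebtables_cmds "$mac"
}

# Dry run:   sh ebt-bridge.sh eth0 br0 192.0.2.10/24
# Apply:     APPLY=1 sh ebt-bridge.sh eth0 br0 192.0.2.10/24   (as root)
if [ $# -eq 3 ]; then
    main "$@"
fi
```

After applying, `ebtables -L --Lc` shows per-rule counters, so the quickest check that the bridge is actually in the path is to ping the host from a neighbour and watch the IPv4 and broadcast-ARP counters in INPUT increase while the DROP policy counters stay at zero.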