Hello,
Michail Zhilkin wrote:
> I have no bridge interfaces at all, only one physical Ethernet card.
> Is it possible to filter incoming and outgoing Layer2 traffic using
> ebtables in this case?
No. ebtables rules work only on bridges.
> I tried to load simple rules to test ebtables firewall:
> [root@space]# ebtables -P INPUT DROP
> [root@space]# ebtables -P OUTPUT DROP
> [root@space]# ebtables -P FORWARD DROP
> [...]
> All traffic should be blocked, but I can send and receive everything...
> [...]
> What is wrong? Are ebtables really designed for bridges only?
Yes.
> If so, what can I do?
You can create a bridge and add the ethernet interface to it.
> I would like to drop all Layer2 traffic except Ethernet frames with IPv4
> and ARP protocols.
May I ask why? If you enable only IPv4 support, the networking stack
won't accept or send packets with ethertypes other than IPv4 and ARP.
> In addition, I need to allow only frames with my
> MAC address (incoming and outgoing, i.e. locally generated).
An ethernet interface accepts only packets sent to its own MAC address
or the broadcast address anyway, unless you set it in promiscuous mode
or use some multicast.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
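The bridge-based setup suggested in the reply, written out as an added example (this is not code from either poster). It assumes a single NIC named eth0, a new bridge named br0, and a MAC address passed on the command line; DRY_RUN=1 prints the commands instead of running them, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example: wrap the single physical NIC in a bridge so that ebtables
# can see its frames, then allow only IPv4 and ARP frames carrying the
# bridge's own MAC. Interface, bridge and MAC values are assumptions.
set -eu

IFACE="${IFACE:-eth0}"      # assumption: the single physical NIC
BRIDGE="${BRIDGE:-br0}"     # assumption: name of the bridge to create
DRY_RUN="${DRY_RUN:-0}"     # 1 = print commands, 0 = execute them

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the bridge and attach the NIC as its only port. The IP address
# then belongs on the bridge, not on the NIC (moving it is distro-specific
# and not shown here).
make_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$IFACE" master "$BRIDGE"
    run ip link set "$IFACE" up
    run ip link set "$BRIDGE" up
}

# Default-DROP on all three chains, then accept only IPv4 and ARP frames
# addressed to ($1) or sent from ($1) our own MAC. Broadcast ARP requests
# must still be accepted on INPUT, or address resolution stops working.
# FORWARD stays DROP: with one port there is nothing to forward anyway.
install_l2_filter() {
    mac="$1"
    bcast="ff:ff:ff:ff:ff:ff"
    run ebtables -F
    run ebtables -P INPUT DROP
    run ebtables -P OUTPUT DROP
    run ebtables -P FORWARD DROP
    # frames delivered to the local stack
    run ebtables -A INPUT -p IPv4 -d "$mac" -j ACCEPT
    run ebtables -A INPUT -p ARP -d "$mac" -j ACCEPT
    run ebtables -A INPUT -p ARP -d "$bcast" -j ACCEPT
    # frames generated by the local stack
    run ebtables -A OUTPUT -p IPv4 -s "$mac" -j ACCEPT
    run ebtables -A OUTPUT -p ARP -s "$mac" -j ACCEPT
}

# Usage: DRY_RUN=1 sh l2filter.sh apply 00:11:22:33:44:55
if [ "${1:-}" = "apply" ]; then
    make_bridge
    install_l2_filter "${2:?MAC address required}"
fi
```

One caveat that follows from the reply's last point: a NIC that becomes a bridge port is put into promiscuous mode, so frames for other stations do reach the bridge and therefore ebtables. That is why the INPUT rules above match on the destination MAC explicitly rather than relying on the hardware filter.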