Jonathan Tripathy a écrit : >> >> So, do you think I should just have my second rule then? The thing is >> though, is that bridges are know to "broadcast" all traffic everywhere >> for a few seconds when their configuration changes. I don't really >> want this to happen. Can you please help me with some rules to prevent >> yet, and also stop spoofing? >> > How about something like this: > > /usr/local/sbin/ebtables -N OUT > /usr/local/sbin/ebtables -P OUT DROP > /usr/local/sbin/ebtables -I OUT -o "$vif" -d "$mac" -j ACCEPT > /usr/local/sbin/ebtables -I OUT -p ARP -o "$vif" -j ACCEPT > > /usr/local/sbin/ebtables -I FORWARD -i "$vif" -s "$mac" -j OUT > > Woudn't that work nicely? I guess so, except for IPv6 NDP (see below). Note that you don't need a separate ARP rule for each port. > That is, stop source address spoofing, as well > as make sure that outgoing traffic is set for the correct MAC address.. > I appreciate that my above rules would block all multicast/broadcast > traffic (except ARP), however since this is in a hosting environment, > that's probably ok isn't it? NDP uses multicast and will break if you drop all multicast. You can however accept only the multicast addresses the host listens to (see my first reply for how to get the list). -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
