NetFilter
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

A word about bridgeing to the wise...

from [Grant Taylor] [Permanent Link][Original]
To: Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: A word about bridgeing to the wise...
From: Grant Taylor <gtaylor@riverviewtech.net>
Date: Tue, 12 Dec 2006 21:47:01 -0600
Cc: Mail List - Linux Advanced Routing and Traffic Control <lartc@mailman.ds9a.nl>
Delivered-to: sp-com-lists@consult.net
Delivered-to: netfilter-list1@securepoint.com
List-archive: </pipermail/netfilter>
List-help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id: General discussion and user questions <netfilter.lists.netfilter.org>
List-post: <mailto:netfilter@lists.netfilter.org>
List-subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
Sender: netfilter-bounces@lists.netfilter.org
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.8) Gecko/20061025 Thunderbird/1.5.0.8 Mnenhy/0.7.4.666
I have seen and responded to many different bridging related firewalling questions as of late. There seems to be a common assumption that IPTables does not and / or can not see bridged traffic. This is not the case.
If you enable the "Bridged IP/ARP packets filtering" (CONFIG_BRIDGE_NETFILTER) option IPTables can see and act on bridged traffic. If this is turned on and you have a default filter:FORWARD policy of DENY, or a catch all rule of DENY, you will need to explicitly allow bridged traffic to be forwarded.
(excerpt from menuconfig) "Enabling this option will let arptables resp. iptables see bridged ARP resp. IP traffic. If you want a bridging firewall, you probably want this option enabled." 

I hope this helps others avoid problems in the future.



Grant. . . .
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • A word about bridgeing to the wise..., Grant Taylor <=
Previous by Date:  Re: problem with (incorrectly?) INVALID packets, Grant Taylor
Next by Date:  require netfilter time patch for 2.6.18.3 kernel ... mine not works : time match: invalid size 0 != 16, Sébastien CRAMATTE
Previous by Thread:  problem with (incorrectly?) INVALID packets, Mike Williams
Next by Thread:  require netfilter time patch for 2.6.18.3 kernel ... mine not works : time match: invalid size 0 != 16, Sébastien CRAMATTE
Indexes:  [Date] [Thread] [Top] [All Lists]