----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Marian Jancar" <[EMAIL PROTECTED]>
Cc: "Bart De Schuymer" <[EMAIL PROTECTED]>; "Drew Einhorn"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, August 31, 2001 5:06 PM
Subject: Re: [Bridge] Make 2.4.7 bridge-netfilter work


> On Fri, 31 Aug 2001, Marian Jancar wrote:
>
> >
> > [EMAIL PROTECTED] wrote:
> >
> > > On Wed, 29 Aug 2001, Bart De Schuymer wrote:
> > >
> > > I've got my kernel built.  The bridge is bridging.  But packets are
> > > getting past my filters.  To simplify things I got rid of all my user
> > > defined chains and rules.  Set the policy for INPUT, OUTPUT, and FORWARD
> > > to DROP.  But I can still ping thru the bridge.
> >
> >
> > ...
> >
> > > I did have to assign an ip number to br0 to get the bridge to
> > > work.  And I did have to add some iptables rules to be able to
> > > ssh to the firewall via the br0 interface.  So we have an odd
> > > mix of things that are and are not working.

Could you make 3 logging rules: one in front of and one after the rule, for all
packets, and one in front of the rule with the same rule except the target = LOG?
Are you sure it's IP traffic that your bridge forwards?

> >
> >
> > Bridged packets are checked against prerouting and postrouting in 2.4,
> > input etc. are only for ip I guess, while bridging is raw ethernet.
> >
>
> Thought I saw a message that said bridged packets were checked against
> FORWARD.  That's where I had the rules I expected to be checked.  Is that
> a coming attraction or did I just read it wrong.

Bridged packets are filtered at the FORWARD chain.
Packets for the local bridge machine are filtered in INPUT, packets
originating from the machine are filtered in OUTPUT.

>
> In the context of iptables with bridging what's the difference between
> PREROUTING and POSTROUTING when we don't do any routing?

If you filter in PREROUTING (using the nat table, I think you can
actually do that with iptables), you would be filtering all packets that
come into the bridge, both the packets that will go to the FORWARD chain
and those that will go to the INPUT chain.
Filtering in POSTROUTING will filter all packets that leave the box, both
those coming from FORWARD and those coming from OUTPUT.

>
> Thanks,
>
> I was going to extract a fresh copy of the source and reapply the patches.
> But that's probably "barking up the wrong tree".

If you didn't start from a fresh kernel source to apply these patches,
trying that now wouldn't be such a bad idea, I think...


_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
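The reply above suggests a concrete diagnostic: log every packet in front of the rule, log the packets the rule's own match would catch, and log whatever reaches the end of the chain, then read the kernel LOG output to see whether bridged traffic is traversing FORWARD at all. The script below is an added example written for this archive page, not code from the list or from the bridge-nf project. It generates those three rules (the `--log-prefix` names are my own choice) and parses constructed syslog lines in the classic LOG target format; the PHYSIN/PHYSOUT fields are assumed to be present as bridge-nf adds them to logged packets. Note that iptables only ever sees IP, so if the "all packets" rule in front logs nothing while the ping succeeds, the frames are either non-IP (ARP, for instance) or are bypassing netfilter entirely, which is the reply's second question.

```python
"""Diagnose where bridged traffic is (or is not) hitting iptables rules.

Added example for the thread above, not code from the list or the bridge-nf
project. Generates the three LOG rules the reply suggests and interprets the
resulting kernel LOG lines. Field names (IN/OUT/PHYSIN/PHYSOUT/PROTO) follow
the classic LOG target output; PHYSIN/PHYSOUT are assumed to be the bridge-nf
additions. Sample log lines are constructed, not captured.
"""
import re
from collections import Counter, defaultdict

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def diagnostic_rules(chain, match):
    """Return the iptables commands for the three logging rules.

    `match` is the match part of the rule under test (e.g. '-p icmp').
    Rule 1 logs every packet entering the chain, rule 2 logs what the
    tested match would catch, rule 3 (appended) logs what reaches the end
    of the chain, i.e. what the chain policy decides on. Prefix names are
    an assumption of this example, chosen so the log tells the position.
    """
    return [
        f'iptables -I {chain} 1 -j LOG --log-prefix "{chain}-all-before: "',
        f'iptables -I {chain} 2 {match} -j LOG --log-prefix "{chain}-match: "',
        f'iptables -A {chain} -j LOG --log-prefix "{chain}-all-after: "',
    ]


def parse_log_line(line):
    """Return (prefix, fields) for a kernel LOG line, or None for other lines."""
    k = line.find("kernel:")
    if k < 0:
        return None
    i = line.find("IN=", k)
    if i < 0:
        return None
    prefix = line[k + len("kernel:"):i].strip().rstrip(":")
    fields = dict(FIELD_RE.findall(line[i:]))
    return prefix, fields


def summarize(lines):
    """Count logged packets per prefix, keyed by (physin, physout, proto).

    Falls back to IN/OUT when the bridge-nf physical port fields are absent.
    """
    out = defaultdict(lambda: {"count": 0, "paths": Counter()})
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        key = (f.get("PHYSIN") or f.get("IN"),
               f.get("PHYSOUT") or f.get("OUT"),
               f.get("PROTO"))
        out[prefix]["count"] += 1
        out[prefix]["paths"][key] += 1
    return dict(out)


def diagnose(summary, chain):
    """Turn the per-prefix counts into a one-line verdict for `chain`."""
    before = summary.get(f"{chain}-all-before", {}).get("count", 0)
    matched = summary.get(f"{chain}-match", {}).get("count", 0)
    after = summary.get(f"{chain}-all-after", {}).get("count", 0)
    if before == 0:
        return (f"no IP packets traversed {chain}: the bridged traffic is not "
                f"reaching netfilter (non-IP frames such as ARP, or bridge-nf "
                f"not active in this kernel)")
    if matched == 0:
        return (f"packets traverse {chain} but none match the rule: "
                f"check the match specification")
    return (f"rule on {chain} matched {matched} of {before} packet(s); "
            f"{after} reached the end of the chain")


# Constructed sample syslog output (not captured from a real system).
SAMPLE_LOG = [
    "Aug 31 17:06:01 fw kernel: FORWARD-all-before: IN=br0 OUT=br0 PHYSIN=eth0 "
    "PHYSOUT=eth1 SRC=192.168.1.10 DST=192.168.1.20 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0",
    "Aug 31 17:06:01 fw kernel: FORWARD-match: IN=br0 OUT=br0 PHYSIN=eth0 "
    "PHYSOUT=eth1 SRC=192.168.1.10 DST=192.168.1.20 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0",
    "Aug 31 17:06:02 fw kernel: FORWARD-all-before: IN=br0 OUT=br0 PHYSIN=eth1 "
    "PHYSOUT=eth0 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=22 DPT=40000",
    "Aug 31 17:06:02 fw kernel: FORWARD-all-after: IN=br0 OUT=br0 PHYSIN=eth1 "
    "PHYSOUT=eth0 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=22 DPT=40000",
    "Aug 31 17:06:03 fw sshd[611]: Accepted publickey for admin from 192.168.1.10",
]

if __name__ == "__main__":
    for cmd in diagnostic_rules("FORWARD", "-p icmp"):
        print(cmd)
    s = summarize(SAMPLE_LOG)
    for prefix, info in sorted(s.items()):
        print(prefix, info["count"], dict(info["paths"]))
    print(diagnose(s, "FORWARD"))
```

Run the printed commands on the bridge, reproduce the ping, then feed the kernel log through `summarize` and `diagnose`. The interesting verdict for the problem in this thread is the first one: traffic flowing across the bridge with an empty "all-before" count means the chain was never consulted for those frames.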
