On Tue, Sep 11, 2001 at 03:51:18PM -0500, Cannon, Mike R. wrote:

> This is a 2.4.9 kernel without any kernel patches, do I need any?

Yup. You need patches that couple the bridge stuff to the netfilter stuff.
You can find the current 'snapshot' at:

        http://bridge.sf.net/devel/bridge-nf/20010907-2/


> /sbin/ifconfig vmnet1 128.210.101.246 #vmware required me to give it a real
> IP; 0.0.0.0 would not work?

I'm sure 0.0.0.0 would work fine, as long as you assign the IP to the br0
device. That is, if VMware doesn't have a silly check for this.


> I am still using IPChains - my script is too long to easily convert to
> iptables.

I've found that ipchains scripts tend to be longer than iptables scripts. On
our main router, the ipchains script is 16kb. We switched the machine to 2.4
recently (mainly in order to use connection tracking, but also NAT and IPv6),
and the corresponding iptables script is 7kb.


> Using just a basic IPChains script to block everything:
> /sbin/ipchains -F
> /sbin/ipchains -P input DENY
> /sbin/ipchains -P output REJECT
> /sbin/ipchains -P forward REJECT
> 
> 
> 
> This stops all traffic to and from br0 128.210.101.245 and vmnet1
> 128.210.101.246 but not to a virtual computer running within vmware with IP
> 128.210.101.247.

Yup. The 2.4.x vanilla kernels do not perform filtering on forwarding between
bridge interfaces, only on forwarding to/from the host.


> So to recap I have the bridge working but not the firewalling behind the
> bridge.  Do I need to use iptables instead of ipchains?

There is an odd chance that ipchains might work if you apply the
bridge-netfilter patches. In fact, I don't see a reason why it wouldn't.


cheers,
Lennert


-- 
 I are sigfile disease!!
 All your quote are belong to us.
 Copy us every "sig"!
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
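As an added illustration (not part of the thread, and not Lennert's or the bridge project's code), here is an iptables counterpart of the quoted "block everything" ipchains script, written for a 2.4 host running the bridge-nf patches. It shows the two points the reply makes: bridged frames between br0's ports only reach the FORWARD chain once bridge-nf is in place (a LOG rule on the guest address makes that visible in the kernel log), and an ipchains REJECT chain policy has no direct iptables equivalent, because iptables only accepts ACCEPT or DROP as a built-in chain policy, so it becomes a DROP policy plus a trailing REJECT rule. The addresses are the ones quoted in the mail; the IPT variable, the function names and the sysctl path (the name used by later mainline kernels, which the 2001 snapshot may not expose) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: iptables rules for a
# bridging firewall with the bridge-nf patches applied.  Addresses are the
# ones quoted in the mail.  Without bridge-nf, frames bridged between br0's
# ports never traverse FORWARD, so the guest rules below would never match.

IPT="${IPT:-iptables}"          # set IPT=echo to print the rules instead of loading them

BRIDGE_IP=128.210.101.245       # br0 (quoted in the mail)
VMNET_IP=128.210.101.246        # vmnet1 (quoted in the mail)
GUEST_IP=128.210.101.247        # VMware guest behind the bridge (quoted in the mail)

# Report whether the kernel exposes the bridge-nf sysctl.  The path is the
# name later mainline kernels use (an assumption here); the 2001 snapshot may
# not have it, so a missing file is reported as "unknown", not "absent".
bridge_nf_status() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then
        if [ "$(cat "$f")" = 1 ]; then echo enabled; else echo disabled; fi
    else
        echo unknown
    fi
}

# Map an ipchains chain policy onto an iptables one.  iptables takes only
# ACCEPT or DROP as a built-in chain policy, so an ipchains REJECT policy
# becomes DROP here and reject_policy() appends the matching REJECT rule.
policy_target() {
    case "$1" in
        DENY)   echo DROP ;;
        REJECT) echo DROP ;;
        ACCEPT) echo ACCEPT ;;
        *)      echo "unknown ipchains policy: $1" >&2; return 1 ;;
    esac
}

# $1 = chain: append the REJECT that ipchains expressed via "-P <chain> REJECT".
reject_policy() {
    $IPT -A "$1" -j REJECT
}

apply_bridge_rules() {
    $IPT -F
    $IPT -P INPUT   "$(policy_target DENY)"     # ipchains: -P input DENY
    $IPT -P OUTPUT  "$(policy_target REJECT)"   # ipchains: -P output REJECT
    $IPT -P FORWARD "$(policy_target REJECT)"   # ipchains: -P forward REJECT

    # Traffic to the host's own addresses arrives on INPUT and is filtered by
    # a vanilla 2.4 kernel; the policies above already drop it, as the quoted
    # ipchains script did for br0 and vmnet1.
    $IPT -A INPUT -d "$BRIDGE_IP" -j DROP
    $IPT -A INPUT -d "$VMNET_IP"  -j DROP

    # Frames bridged to/from the guest only traverse FORWARD with bridge-nf.
    # The LOG rule is the check: if nothing shows up in the kernel log while
    # the guest is reachable, bridged traffic is bypassing netfilter.
    $IPT -A FORWARD -d "$GUEST_IP" -j LOG --log-prefix "bridged-to-guest: "
    $IPT -A FORWARD -d "$GUEST_IP" -j DROP
    $IPT -A FORWARD -s "$GUEST_IP" -j DROP

    reject_policy OUTPUT
    reject_policy FORWARD
}

# Only touch the live tables when explicitly asked: "sh bridge-fw.sh apply".
if [ "${1:-}" = apply ]; then
    apply_bridge_rules
fi
```

Run it with `IPT=echo sh bridge-fw.sh apply` first to review the rules it would load; with bridge-nf active, `dmesg` shows the `bridged-to-guest:` lines as soon as anything on the wire addresses 128.210.101.247.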