I have been using the bridge code with success to bridge and filter packets. However, the bridge interface, itself, seems to have difficulty being a network interface for the bridge machine. For example, it's possible to SSH into one of the interfaces on the machine, but not the other! 
 
My configuration is:
 
                (xxx.yy.110.17)          +++++++++++++++++               +------ xxx.yy.110.26
                                         +               +               |        
<external net> -----[ROUTER]------------>+ eth1     eth0 +<--------------+------ xxx.yy.110.27
                                         +               +               |
                                         +      (br0)    +               +------ xxx.yy.110.29
                                         +++++++++++++++++               |
                                                                         +------ xxx.yy.110.28     
 
When the machine (br0) comes up, it only has eth0 up, with an address of xxx.yy.110.20. My script to bring up the bridge is as follows:
echo -n "Removing previous bridge:"
# remove old bridge if possible...
/sbin/ifconfig br0 down
/usr/local/sbin/brctl delif br0 eth0
/usr/local/sbin/brctl delif br0 eth1
/usr/local/sbin/brctl delbr br0
# put it back up!
/sbin/ifconfig eth0 0.0.0.0
/sbin/ifconfig eth1 0.0.0.0
/usr/local/sbin/brctl addbr br0
/usr/local/sbin/brctl show
/usr/local/sbin/brctl addif br0 eth0
/usr/local/sbin/brctl addif br0 eth1
/sbin/ifconfig br0 xxx.yy.110.20 netmask xxx.255.255.240
ifconfig br0 down
#
route add default gw xxx.yy.110.17
#
echo -n "putting in firewall rules"
# todo - catch the return code from this next command, don't bring up the interface if it failed.
sh -x /etc/sysconfig/put_in_firewall
ifconfig br0 up
 
With or without the firewall rules in, I can SSH into xxx.yy.110.20 from the INTERNAL network (eth0), but not from the external network (eth1). I can ping machines on our internal network from OUTSIDE the network. I cannot ping the xxx.yy.110.20 machine from outside the network. 
 
Using tcpdump, I can see packets coming into eth1 for xxx.yy.110.20 from outside (tcpdump -i eth1 ip proto \\icmp). I don't, however, see any replies from xxx.yy.110.20.
 
Has anyone else encountered this, or know of a workaround?
 
thanks,
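An added example, not the poster's script and not part of the bridge project, showing the bring-up order the TODO in the post asks for: the firewall rules are loaded while br0 is still down, the bridge is only brought up if that step succeeds, and every other step returns a status instead of being ignored. The default route is added last, because the kernel only accepts a gateway route once br0 is up with an address on the gateway's subnet. The tool paths, the rule script and the addresses follow the post; the overridable variables and the DRY_RUN switch are assumptions added so the script can be exercised without touching real interfaces.

```shell
#!/bin/sh
# Added example, not the poster's script: bring up br0 only after the firewall
# rules have loaded, and stop at the first step that fails.
# Tool paths, the rule script and the addresses follow the post; DRY_RUN and
# the overridable variables are assumptions added for testing.

BRCTL=${BRCTL:-/usr/local/sbin/brctl}
IFCONFIG=${IFCONFIG:-/sbin/ifconfig}
FIREWALL=${FIREWALL:-/etc/sysconfig/put_in_firewall}
BR_ADDR=${BR_ADDR:-xxx.yy.110.20}
BR_MASK=${BR_MASK:-255.255.255.240}
GATEWAY=${GATEWAY:-xxx.yy.110.17}
DRY_RUN=${DRY_RUN:-0}

# run CMD ARGS...: execute the command, or only print it when DRY_RUN=1,
# and return its exit status so callers can stop on failure.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
        return 0
    fi
    "$@"
}

# tear_down: best-effort removal of a leftover bridge. Errors are expected
# on a clean boot (nothing to remove), so they are ignored.
tear_down() {
    run "$IFCONFIG" br0 down 2>/dev/null
    run "$BRCTL" delif br0 eth0 2>/dev/null
    run "$BRCTL" delif br0 eth1 2>/dev/null
    run "$BRCTL" delbr br0 2>/dev/null
    return 0
}

# load_firewall: run the rule script and return its status. A missing script
# counts as a failure rather than silently leaving the bridge unfiltered.
load_firewall() {
    [ -r "$FIREWALL" ] || { echo "missing $FIREWALL" >&2; return 1; }
    run sh "$FIREWALL"
}

# bring_up: returns 0 only when the bridge is built, filtered, addressed and
# routed; 2 when the firewall rules failed (br0 stays down); 1 otherwise.
bring_up() {
    tear_down
    run "$IFCONFIG" eth0 0.0.0.0 || return 1
    run "$IFCONFIG" eth1 0.0.0.0 || return 1
    run "$BRCTL" addbr br0 || return 1
    run "$BRCTL" addif br0 eth0 || return 1
    run "$BRCTL" addif br0 eth1 || return 1
    # Rules go in while br0 is still down, so there is no window in which the
    # bridge forwards between eth0 and eth1 unfiltered.
    if ! load_firewall; then
        echo "firewall rules did not load; leaving br0 down" >&2
        return 2
    fi
    run "$IFCONFIG" br0 "$BR_ADDR" netmask "$BR_MASK" up || return 1
    # The gateway is only reachable once br0 is up with its address, so the
    # default route is added last.
    run route add default gw "$GATEWAY" || return 1
    return 0
}

# Usage: sh bridge-up.sh up     (DRY_RUN=1 sh bridge-up.sh up only prints)
case "${1:-}" in
    up) bring_up; exit $? ;;
esac
```

Run it with DRY_RUN=1 first to see the exact command sequence; with a missing or failing rule script the exit status is 2 and br0 is never brought up, which is the safe failure for a filtering bridge.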
 