you need to insert the firewall code into the kernel: insmod br_passthrough
----- Original Message -----
From: "EGIS Rt. SZTO" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 22, 2001 8:04 AM
Subject: [Bridge] Firewall is not functioning on bridge

> Hi Everyone!
>
> I'm in trouble with bridge firewalling. If anyone could help me, please do
> it!
>
> Note: I'm not on the mailing list, so please answer me at this address (too):
> [EMAIL PROTECTED]
>
> I have the following config:
> - PC with two SMC 1211 TX cards
> - 2.4.13 kernel patched with 2.4.13-ac7 and bridge-nf-0.0.3 (newest version as of
> now)
> - Ether card driver is compiled as a module, called 8139too.o
> - netfilter and iptables are enabled of course (at bridge too)
>
> I tried to set up the bridge as follows:
>
> # ifconfig eth0 up
> (Nov 22 16:14:30 localhost kernel: eth0: Setting 100mbps full-duplex
> based on auto-negotiated partner ability 45e1.)
> # ifconfig eth1 up
> (Nov 22 16:14:30 localhost kernel: eth1: Setting 100mbps full-duplex
> based on auto-negotiated partner ability 45e1.)
> # brctl addbr br
> # brctl addif br eth0
> (Nov 22 16:15:06 localhost modprobe: modprobe: Can't locate module
> net-pf-10
> Nov 22 16:15:06 localhost kernel: eth0: Promiscuous mode enabled.
> Nov 22 16:15:06 localhost kernel: device eth0 entered promiscuous mode)
> [If I typed 'ifconfig' at this point I noticed that PROMISC was _NOT_ set on
> the interface!!!]
> brctl addif br eth1
> (Nov 22 16:15:06 localhost modprobe: modprobe: Can't locate module
> net-pf-10
> Nov 22 16:15:06 localhost kernel: eth1: Promiscuous mode enabled.
> Nov 22 16:15:06 localhost kernel: device eth1 entered promiscuous mode)
> [This iface did not go to PROMISC mode either]
> [Here I set both ifaces to promiscuous mode by hand]
> # ifconfig eth0 promisc
> (Nov 22 16:17:01 localhost kernel: eth0: Promiscuous mode enabled.)
> # ifconfig eth1 promisc
> (Nov 22 16:17:01 localhost kernel: eth1: Promiscuous mode enabled.)
> [Both ifaces went to PROMISC correctly]
> # ifconfig br up
> (Nov 22 16:17:55 localhost kernel: br: port 2(eth1) entering listening
> state
> Nov 22 16:17:55 localhost kernel: br: port 1(eth0) entering listening
> state
> Nov 22 16:18:10 localhost kernel: br: port 2(eth1) entering learning
> state
> Nov 22 16:18:10 localhost kernel: br: port 1(eth0) entering learning
> state
> Nov 22 16:18:25 localhost kernel: br: port 2(eth1) entering forwarding
> state
> Nov 22 16:18:25 localhost kernel: br: topology change detected, sending
> tcn bpdu
> Nov 22 16:18:25 localhost kernel: br: port 1(eth0) entering forwarding
> state
> Nov 22 16:18:25 localhost kernel: br: topology change detected)
> [The bridge worked fine at this point! E.g. ping received responses.]
> # iptables -N br
> # iptables -A br -p icmp -j DROP
>
> MAIN PROBLEM: After the above, ping received responses anyway!!
> I tried to set other matches but none of them blocked any packets.
> I've noticed the 'missing net-pf-10' log line but I don't know what it is.
> I'm sure packet filtering was enabled at compilation.
> Everything is compiled into the kernel except the net driver module.
>
> Does anyone know what I did wrong?
> Thanx for help!
>
> _______________________________________________
> Bridge mailing list
> [EMAIL PROTECTED]
> http://www.math.leidenuniv.nl/mailman/listinfo/bridge
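As an added example (not part of the thread, and not code from the bridge-nf project), here is a small shell lint for a second problem that is visible in the quoted commands independently of the missing bridge-nf module: the chain `br` is created with `iptables -N br` and given a rule, but no built-in chain (INPUT, FORWARD, OUTPUT) ever jumps to it with `-j br`, so its rules are never consulted. With bridge-netfilter loaded, bridged IP traffic passes through the filter table's FORWARD chain, which is where such a jump belongs. The function reads `iptables-save` format on stdin and prints every user-defined chain that no rule references; the two rule sets below are constructed to mirror the poster's setup and a corrected one.

```shell
#!/bin/sh
# Added example: find user-defined iptables chains that no rule jumps to.
# Input: iptables-save output on stdin. Output: unreferenced chain names,
# one per line, sorted (empty output means every custom chain is reachable).
find_unreferenced_chains() {
    awk '
        # ":NAME -" declares a user-defined chain; built-in chains carry a
        # policy (ACCEPT/DROP) in that position instead of "-".
        /^:/ {
            name = substr($1, 2)
            if ($2 == "-") user[name] = 1
            next
        }
        # Any rule whose target (-j) or goto (-g) names a chain references it.
        /^-A/ {
            for (i = 1; i < NF; i++)
                if ($i == "-j" || $i == "-g") referenced[$(i + 1)] = 1
        }
        END {
            for (c in user)
                if (!(c in referenced)) print c
        }
    ' | sort
}

# Constructed rule set mirroring the poster's commands: chain "br" exists
# and holds a DROP rule, but nothing jumps to it.
POSTER_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:br - [0:0]
-A br -p icmp -j DROP
COMMIT'

# Constructed corrected rule set: FORWARD hands bridged traffic to "br".
FIXED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:br - [0:0]
-A FORWARD -j br
-A br -p icmp -j DROP
COMMIT'

# Stand-alone usage: lint both constructed rule sets.
echo "poster's rules, unreferenced chains:"
printf '%s\n' "$POSTER_RULES" | find_unreferenced_chains
echo "fixed rules, unreferenced chains:"
printf '%s\n' "$FIXED_RULES" | find_unreferenced_chains
```

On a live host the same check is `iptables-save | find_unreferenced_chains`; any chain it prints is dead configuration, and a DROP rule living there gives no protection at all.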
