Hi,
The answer is YES.

If your switches forget where a MAC address is located, they will
broadcast packets for that address to all ports. This might mean that
your bridge receives packets that are neither for the bridge itself, nor
for any of the segments behind it.

Makes firewall config building somewhat trickier (and is _especially_
important in 2.4, where you can send (spurious) RSTs and ICMP unreachables
in response to packets with bridging).

cheers,
Lennert

On Fri, Oct 12, 2001 at 04:12:54PM +0200, [EMAIL PROTECTED] wrote:
> Hi,
>
> I have bridge + firewall. I noticed the following log:
>
> Sep 30 04:16:13 HOSTNAME kernel: Packet log: overig REJECT eth0 PROTO=17 127.0.0.1:1027 224.0.1.2:5136 L=322 S=0x00 I=58391 F=0x0000 T=4 (#16)
>
> I've changed the original source to 127.0.0.1
>
> This packet is a little bit strange. Both machines are on the other side of the wall.
> Because we have a switched network this should not arrive at my network card.
> My question is should this packet arrive at ipchains? Or should it already be
> blocked at the bridge?
>
>
> --
> Jeroen Makkinje
> Department of Interfaces
> DEBYE INSTITUTE - CHEMISTRY
> Padualaan 8, 3584 CH UTRECHT
> tel: 00-31-(0)30-253.35.08
> fax: 00-31-(0)30-253.63.50
> <http://www.chem.uu.nl/interfaces/>
> _______________________________________________
> Bridge mailing list
> [EMAIL PROTECTED]
> http://www.math.leidenuniv.nl/mailman/listinfo/bridge

--
I are sigfile disease!! All your quote are belong to us. Copy us every "sig"!
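The flooding behaviour described in the reply, as an added example that is not part of the original thread: a minimal learning-switch model showing when a bridge port receives frames that are not addressed to it. It goes beyond the reply by also covering the multicast destination in the logged packet. The port layout, MAC addresses, 300-second ageing time and the absence of IGMP snooping are assumptions made for the illustration.

```python
# Added example: minimal model of a learning switch (not code from the thread).
AGEING_SECONDS = 300   # assumed ageing time; real switches make this configurable
BRIDGE_PORT = 3        # constructed topology: host A on port 1, host B on port 2

class LearningSwitch:
    def __init__(self, ports, ageing=AGEING_SECONDS):
        self.ports = set(ports)
        self.ageing = ageing
        self.fdb = {}  # MAC -> (port, time last seen as a source address)

    def forward(self, now, in_port, src, dst):
        """Learn src, then return the set of ports the frame is sent out of."""
        self.fdb[src] = (in_port, now)
        flood = self.ports - {in_port}
        # Group bit (lowest bit of the first octet) marks multicast/broadcast.
        if int(dst.split(":")[0], 16) & 1:
            return flood  # assumes no IGMP snooping
        entry = self.fdb.get(dst)
        if entry is None or now - entry[1] > self.ageing:
            self.fdb.pop(dst, None)  # entry missing or aged out
            return flood             # unknown unicast goes to every port
        return set() if entry[0] == in_port else {entry[0]}

def bridge_sees(frames, bridge_port=BRIDGE_PORT):
    """Replay (time, in_port, src, dst) frames; report which reach the bridge."""
    switch = LearningSwitch(ports=[1, 2, 3])
    return [bridge_port in switch.forward(*frame) for frame in frames]

A, B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed host MACs
MCAST = "01:00:5e:00:01:02"                        # Ethernet group address for 224.0.1.2

FRAMES = [                # constructed traffic, none addressed to the bridge
    (0,   1, A, B),       # B not learned yet: flooded
    (1,   2, B, A),       # A known: port 1 only
    (2,   1, A, B),       # B known: port 2 only
    (400, 1, A, B),       # B silent for > 300 s, entry aged out: flooded
    (401, 1, A, MCAST),   # multicast: flooded
]

if __name__ == "__main__":
    for frame, seen in zip(FRAMES, bridge_sees(FRAMES)):
        print(frame, "-> reaches bridge port" if seen else "-> not seen by bridge")
```

Firewall rules on the bridge therefore have to expect traffic between hosts that both sit on the same side of it.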
