On Mon, Dec 03, 2001 at 03:34:15PM +0100, RoMaNSoFt wrote:
> 1) I've set up a two-port bridge named "br0". I've done some fast
> tests. I can filter by eth0, eth1 and br0, but I haven't got clear
> which chains I could use with the various interfaces. I think the bridge
> FAQ said that currently only the forward chain would work, but it seems
> other chains also work (input, e.g.). Is somebody so kind as to talk about
> this issue?

All chains etc. work fine. The INPUT/OUTPUT chains are only for the HOST, i.e. in/out traffic from br0. The FORWARD chain is the one you should use to filter the traffic through the bridge. I've just set up one FW with this cfg and it works utterly fine! :)

> 2) Another Q: since I only want to use this machine as a firewall, does
> it make sense to filter by using the br0 device? I mean, perhaps
> it's faster and more reliable to filter based on the eth0 and eth1
> devices, isn't it? Some tips about this issue?

If you use bridging, you shouldn't care about eth0/eth1 etc., only about the devices you set up yourself, i.e. br0 etc. If you use eth0/eth1 then you're back to doing the routing stuff and you'll need to reconfigure the machines behind the FW.

> 3) Has someone tried to benchmark a machine like this? (FW based on
> linux+bridge+iptables). For instance, which processor and amount of
> memory could be necessary to reach a 100 MB/s throughput with an
> x86 machine?

I don't know if my cfg is overkill; I got an AMD 1500+ (1333MHz) with 2 Intel Ethernet Pro 100. Next week I'll put it where it should be and I can give some benchmarking info. The speed depends on the amount of rules; small, effective rules are best... but putting in 60K+ rules or something just might slow it all down... When I tried with my test computer (just bridging 1 in testing) I got 11MB/s through the bridge without any problems.

Regards
Håkan

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
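As an added example (not from the post or the bridge project), here is a minimal ruleset script that follows the chain layout the reply describes: host traffic is handled in INPUT/OUTPUT, everything crossing the bridge is filtered in FORWARD, and the rules match on br0 rather than eth0/eth1. The bridge name, admin address and allowed ports are assumptions, as is a kernel that hands bridged frames to iptables (bridge-nf).

```shell
#!/bin/sh
# Added example, not the mailing-list author's script. Assumes bridge-nf so that
# frames crossing br0 are seen by the iptables FORWARD chain.
IPT="${IPT:-iptables}"   # set IPT=echo to dry-run and only print the rules

bridge_fw_rules() {
    br="${1:-br0}"                 # bridge device (assumption: br0)
    admin_host="${2:-192.0.2.10}"  # constructed admin address (RFC 5737 range)

    # Default deny on all three chains; keep loopback open for the host itself.
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # INPUT/OUTPUT only see traffic addressed to or sent by the firewall host:
    # allow SSH management from one admin host, and the replies back to it.
    "$IPT" -A INPUT -i "$br" -p tcp -s "$admin_host" --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A OUTPUT -o "$br" -p tcp -d "$admin_host" --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT

    # FORWARD sees what crosses the bridge. Match on the bridge device, not on
    # eth0/eth1, since both ports belong to br0 once they are enslaved.
    "$IPT" -A FORWARD -i "$br" -o "$br" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$br" -o "$br" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    "$IPT" -A FORWARD -i "$br" -o "$br" -p tcp --dport 443 -m state --state NEW -j ACCEPT
    # Log (rate-limited) what the default DROP policy will discard.
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "bridge-fw drop: "
}

# Count the rules a ruleset would install; the reply notes throughput falls
# as the rule count grows, so keeping this small is part of the design.
count_rules() {
    (IPT=echo; bridge_fw_rules "$@") | grep -c '^-A '
}
```

Run `IPT=echo sh script.sh` style dry-runs first; nothing is applied until `bridge_fw_rules br0 <admin-ip>` is called as root.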
