On Fri, 1 Feb 2002, Lennert Buytenhek wrote:
>
> On Thu, Jan 31, 2002 at 09:27:24PM -0600, Chuck Bearden wrote:
> >
> > Jan 31 18:01:19 public09 kernel: br_host: IN=br0 OUT= MAC=00:11:22:33:ff:ee:dd:e0:44:55:66:aa:bb:cc SRC=172.20.38.174 DST=172.20.37.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48464 DF PROTO=TCP SPT=2740 DPT=22 WINDOW=16060 RES=0x00 SYN URGP=0
> > Jan 31 18:01:22 public09 kernel: br_host: IN=br0 OUT= MAC=00:11:22:33:ff:ee:dd:e0:44:55:66:aa:bb:cc SRC=172.20.38.174 DST=172.20.37.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48467 DF PROTO=TCP SPT=2740 DPT=22 WINDOW=16060 RES=0x00 SYN URGP=0
> >
> > I don't see any 'PHYSIN=eth1' section in the log lines, which makes
> > me suspicious.
>
> It would seem that the kernel you are running has not had the bridge-nf
> patch applied to it. Do you see "Bridge firewalling registered" on
> bootup?

No, I didn't see that message when I scrolled back through the boot
console. Also, /usr/doc/kernel-image-2.4.17-586tsc/README.Debian.1st.gz
doesn't list bridge-nf among the two patches applied to the 2.4.17 kernel.
It lists only a ReiserFS umount patch and a NFS client seekdir patch.

Adrian Bunk's bridgeutils package does include a FIREWALL and
FIREWALL.IPTABLES in /usr/doc/bridge-utils/, which leads me to believe
that they expect that it can firewall in bridging mode.

Would it be fair to conclude that the unpatched kernel 2.4.17 can do
bridging firewalling but that it just can't do the filtering of packets
to the bridge itself by physical interface? If so, I can easily live with
that until I can compile a new kernel. I can e.g. specify untrusted
addresses rather than untrusted interfaces.

Thanks again for all your help.

Chuck

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
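
The check discussed in this thread (do the iptables LOG entries for the bridge carry a PHYSIN= field?) can be run over a whole log file. The following is an added example, not part of the original message or of the bridge project's code; the function names are hypothetical, the first sample line is the one quoted above, and the second is a constructed variant with PHYSIN=eth1 added.

```python
import re

# Line 1 is the log entry quoted in the thread (no PHYSIN=).
# Line 2 is CONSTRUCTED: the same entry with the PHYSIN=eth1 field
# that the thread expected to see on a bridge-nf patched kernel.
SAMPLE_LOG = """\
Jan 31 18:01:19 public09 kernel: br_host: IN=br0 OUT= MAC=00:11:22:33:ff:ee:dd:e0:44:55:66:aa:bb:cc SRC=172.20.38.174 DST=172.20.37.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48464 DF PROTO=TCP SPT=2740 DPT=22 WINDOW=16060 RES=0x00 SYN URGP=0
Jan 31 18:01:25 public09 kernel: br_host: IN=br0 OUT= PHYSIN=eth1 MAC=00:11:22:33:ff:ee:dd:e0:44:55:66:aa:bb:cc SRC=172.20.38.174 DST=172.20.37.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48470 DF PROTO=TCP SPT=2740 DPT=22 WINDOW=16060 RES=0x00 SYN URGP=0
"""

# The LOG prefix (here "br_host:") sits between "kernel: " and the first
# IN= token; \b keeps the match from starting inside PHYSIN=.
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<body>\bIN=.*)$")


def parse_log_line(line):
    """Split one LOG entry into its prefix, KEY=value fields and bare flags."""
    m = LOG_RE.search(line)
    if m is None:
        return None  # not an iptables LOG entry
    fields, flags = {}, []
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value  # "OUT=" yields an empty string
        else:
            flags.append(tok)  # e.g. DF, SYN
    return {"prefix": m.group("prefix").strip(), "fields": fields, "flags": flags}


def bridge_port_visibility(lines):
    """For each LOG entry, report whether the physical bridge port is logged."""
    report = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        f = entry["fields"]
        report.append({"in": f.get("IN"), "physin": f.get("PHYSIN"),
                       "src": f.get("SRC"), "dpt": f.get("DPT"),
                       "port_visible": "PHYSIN" in f})
    return report


if __name__ == "__main__":
    for row in bridge_port_visibility(SAMPLE_LOG.splitlines()):
        status = "physical port logged" if row["port_visible"] else "no PHYSIN="
        print(f'{row["in"]} {row["src"]} -> dpt {row["dpt"]}: {status}')
```
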
