On Fri, Feb 01, 2002 at 10:20:52AM -0600, Chuck Bearden wrote:
> > > Jan 31 18:01:19 public09 kernel: br_host: IN=br0 OUT= MAC=00:11:22:33:ff:ee:dd:e0:44:55:66:aa:bb:cc SRC=172.20.38.174 DST=172.20.37.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48464 DF PROTO=TCP SPT=2740 DPT=22 WINDOW=16060 RES=0x00 SYN URGP=0
> > > Jan 31 18:01:22 public09 kernel: br_host: IN=br0 OUT= MAC=00:11:22:33:ff:ee:dd:e0:44:55:66:aa:bb:cc SRC=172.20.38.174 DST=172.20.37.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48467 DF PROTO=TCP SPT=2740 DPT=22 WINDOW=16060 RES=0x00 SYN URGP=0
> > >
> > > I don't see any 'PHYSIN=eth1' section in the log lines, which makes
> > > me suspicious.
> >
> > It would seem that the kernel you are running has not had the bridge-nf
> > patch applied to it. Do you see "Bridge firewalling registered" on
> > bootup?
>
> No, I didn't see that message when I scrolled back through the boot
> console. Also, /usr/doc/kernel-image-2.4.17-586tsc/README.Debian.1st.gz
> doesn't list bridge-nf among the two patches applied to the 2.4.17
> kernel. It lists only a ReiserFS umount patch and an NFS client
> seekdir patch.

So.. you're not using the firewall patch for the kernel. The bridge
firewalling code lives in the kernel, and not in userspace.

> Adrian Bunk's bridgeutils package does include a FIREWALL and
> FIREWALL.IPTABLES in /usr/doc/bridge-utils/, which leads me to
> believe that they expect that it can firewall in bridging mode.

Nope. You _do_ need the patch.

> Would it be fair to conclude that the unpatched kernel 2.4.17 can do
> bridging firewalling but that it just can't do the filtering of
> packets to the bridge itself by physical interface?

No. You can't do FORWARD firewalling without the patch at all.

cheers,
Lennert

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
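As an added example (not from this thread or from bridge-utils), a small Python parser for netfilter LOG lines of the kind quoted above that reports whether the bridge-nf physdev fields (PHYSIN/PHYSOUT) are present, which is the check the thread uses to tell a patched kernel from an unpatched one. The sample lines are constructed after the quoted ones (the second line is a hypothetical patched-kernel line); the MAC field layout (dst MAC, src MAC, ethertype) follows the standard LOG target format.

```python
"""Parse netfilter LOG lines and check for bridge-nf PHYSIN/PHYSOUT fields."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log: first line mirrors the unpatched kernel output in the
# thread, second line shows what a bridge-nf kernel would add (PHYSIN=eth1).
SAMPLE_LOG = """\
Jan 31 18:01:19 public09 kernel: br_host: IN=br0 OUT= MAC=00:11:22:33:ff:ee:dd:e0:44:55:66:aa:08:00 SRC=172.20.38.174 DST=172.20.37.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48464 DF PROTO=TCP SPT=2740 DPT=22 WINDOW=16060 RES=0x00 SYN URGP=0
Jan 31 18:02:03 public09 kernel: br_host: IN=br0 PHYSIN=eth1 OUT= MAC=00:11:22:33:ff:ee:dd:e0:44:55:66:aa:08:00 SRC=172.20.38.174 DST=172.20.37.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48470 DF PROTO=TCP SPT=2741 DPT=22 WINDOW=16060 RES=0x00 SYN URGP=0
"""

# Bare tokens the LOG target emits without a value.
FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CE"}


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one LOG line, or None if it is not one."""
    m = re.search(r"kernel: (?P<prefix>.*?): (?P<body>IN=.*)$", line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix")}
    for tok in m.group("body").split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # "OUT=" yields an empty value
            fields[key] = val
        elif tok in FLAGS:
            fields[tok] = "1"
    # MAC= carries dst MAC (6 octets), src MAC (6 octets) and ethertype (2 octets).
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["MAC_DST"] = ":".join(octets[:6])
        fields["MAC_SRC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "0x" + "".join(octets[12:])
    return fields


def bridge_nf_active(fields: Dict[str, str]) -> bool:
    """Only a bridge-nf kernel fills in PHYSIN/PHYSOUT for packets seen on a bridge."""
    return "PHYSIN" in fields or "PHYSOUT" in fields


def audit(log_text: str) -> List[Tuple[Optional[str], Optional[str], Optional[str], bool]]:
    """Per LOG line: (IP ID, bridge interface, physical in-port, bridge-nf seen?)."""
    results = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is not None:
            results.append((f.get("ID"), f.get("IN"), f.get("PHYSIN"), bridge_nf_active(f)))
    return results
```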
