Hello,

I just upgraded my firewall. I was using bridge-nf-20010519-against-2.4.4-1.diff w/br_passthrough.c and the 2.4.4 kernel, and now I am using bridge-nf-0.0.7-against-2.4.19.diff with the 2.4.19 kernel. I've noticed a change that I can't figure out a workaround for. In my previous setup I could match packets based on their physical incoming/outgoing interface; now it appears as if netfilter just sees all packets coming in/out of interfaces that are in a bridge group as coming in/out of that bridge group interface. So how can I differentiate where packets are physically coming from?

For example, say my firewall has two interfaces (both in bridge group br0), one connecting to my router (internet) and the other to my switch (LAN). I would want anything coming in the LAN interface to be ACCEPTed regardless of STATE, and then also ACCEPT any ESTABLISHED,RELATED packets regardless of interface. This way I would have full access to the internet, but nothing could come in to me except that which is explicitly allowed. But now the only way to differentiate the packets that are coming from my LAN going out to the internet is by matching by source IP. This leaves me open to IP spoofing attacks from the outside, since I have to allow any packets that have a source IP in my LAN network range.

In short, how do I match based on physical interface?

Thanks,
David Harris
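The policy described in the post, written as an added example that is not part of the original message: it expresses the rules with the physdev match (the per-bridge-port match that later bridge-nf releases and iptables builds provide; its availability for this exact patch/kernel pair is an assumption, not stated on the page), so the LAN-side rule keys on the physical port instead of the source IP that a spoofer can forge. The port names eth0/eth1 and the LAN range are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the physdev match
# is available in the kernel bridge-nf patch and in iptables.
IPT="${IPT:-iptables}"               # set IPT=echo to preview the rules
LAN_IF="${LAN_IF:-eth1}"             # bridge port facing the switch (placeholder name)
WAN_IF="${WAN_IF:-eth0}"             # bridge port facing the router (placeholder name)
LAN_NET="${LAN_NET:-192.168.1.0/24}" # LAN address range (placeholder value)

bridge_fw_rules() {
    # On 2.4 bridge-nf, bridged frames traverse the FORWARD chain of the
    # IP tables. Default-deny, then add the three rules from the post.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # 1. Anything that physically entered on the LAN port is allowed
    #    regardless of connection state. physdev-in is the real bridge
    #    port, not the br0 interface netfilter otherwise reports.
    $IPT -A FORWARD -m physdev --physdev-in "$LAN_IF" -j ACCEPT

    # 2. Replies to connections already tracked are allowed from any port.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. A packet claiming a LAN source address but entering on the WAN
    #    port is spoofed: the DROP policy would already discard it, but
    #    logging it first gives a detection signal for such attempts.
    $IPT -A FORWARD -m physdev --physdev-in "$WAN_IF" -s "$LAN_NET" \
         -j LOG --log-prefix "bridge-spoof: "
    $IPT -A FORWARD -m physdev --physdev-in "$WAN_IF" -s "$LAN_NET" -j DROP

    # Anything else arriving on the WAN port falls through to the DROP
    # policy unless a later, explicit ACCEPT rule is added for it.
}

case "${1:-}" in
    apply)   bridge_fw_rules ;;            # run as root to load the rules
    preview) IPT=echo; bridge_fw_rules ;;  # print the rules without loading
esac
```

Because the LAN rule no longer depends on the source address, a packet arriving from the router side with a forged LAN source address never matches it and is dropped by the FORWARD policy.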
