Hello,
I just upgraded my firewall. I was using
bridge-nf-20010519-against-2.4.4-1.diff w/br_passthrough.c and the 2.4.4
kernel, and now I am using bridge-nf-0.0.7-against-2.4.19.diff with the
2.4.19 kernel.  I've noticed a change that I can't figure out a
workaround for.  In my previous setup I could match packets based on their
physical incoming/outgoing interface; now it appears as if netfilter
just sees all packets coming in/out of interfaces that are in a bridge
group as just coming in/out of that bridge group interface.  So how can I
differentiate where packets are physically coming from?  For example, say
my firewall has two interfaces (both in bridge group br0), one connecting
to my router (internet) and the other to my switch (LAN).  I would want to
say anything coming in the LAN interface is to be ACCEPTed regardless of
STATE.  Then also ACCEPT any ESTABLISHED,RELATED packets regardless of
interface.  This way I would have full access to the internet, but
nothing could come in to me except that which is explicitly allowed.
But now the only way to differentiate the packets that are coming from
my LAN going out to the internet is by matching by source IP.  But this
leaves me open to IP spoofing attacks from the outside, since I have to
allow any packets that have a source IP of my LAN network range.

In short, how do I match based on physical interface?

Thanks,


Rory Case
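
Added example, not part of the original message: a FORWARD ruleset for a two-port bridging firewall that keys on the physical bridge port with iptables' physdev match (`-m physdev --physdev-in`), next to the source-IP-only variant the poster describes, so the spoofing exposure of the latter is visible side by side. It assumes br0 contains eth0 toward the router and eth1 toward the LAN, that the running kernel and iptables build include the physdev match (whether the bridge-nf 0.0.7 patch in use ships it is an assumption to verify with `iptables -m physdev --help`), and that the LAN range is 192.168.1.0/24 (a constructed value). The rules are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Physical-port matching on a Linux bridge firewall. Example code written for
# this thread, not from the original post or the bridge-nf project.
# Assumed topology: br0 = { eth0 -> router/internet, eth1 -> switch/LAN }.

WAN_PORT="${WAN_PORT:-eth0}"            # assumed: bridge port facing the router
LAN_PORT="${LAN_PORT:-eth1}"            # assumed: bridge port facing the switch
BRIDGE="${BRIDGE:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # constructed sample LAN range

# Hardened variant: decisions keyed on the physical ingress port, so a packet
# from the internet side claiming a LAN source address never matches the
# "trust the LAN" rule. Anything not explicitly allowed is dropped.
gen_rules_physdev() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $BRIDGE -o $BRIDGE -m physdev --physdev-in $LAN_PORT -j ACCEPT
iptables -A FORWARD -i $BRIDGE -o $BRIDGE -m state --state ESTABLISHED,RELATED -j ACCEPT
# placeholder for explicitly allowed inbound services, e.g. (constructed):
# iptables -A FORWARD -i $BRIDGE -o $BRIDGE -m physdev --physdev-in $WAN_PORT -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Weak variant (what the poster is forced into without physdev): the LAN is
# identified by source address only, so a spoofed source in $LAN_NET arriving
# on the router side is accepted by the first rule.
gen_rules_by_source() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $BRIDGE -o $BRIDGE -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $BRIDGE -o $BRIDGE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Count ACCEPT rules in a ruleset that trust a source address rather than a
# physical port; a hardened ruleset should report 0.
spoofable_accepts() {
    printf '%s\n' "$1" | grep -v '^#' | grep -- '-j ACCEPT' | grep -c -- ' -s '
}

# Count ACCEPT rules keyed on the physical LAN port.
physdev_accepts() {
    printf '%s\n' "$1" | grep -v '^#' | grep -- '-j ACCEPT' | grep -c -- "--physdev-in $LAN_PORT"
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules_physdev | grep -v '^#' | sh
else
    echo "# hardened (physdev) ruleset:"
    gen_rules_physdev
    echo "# weak (source-IP) ruleset, spoofable accepts: $(spoofable_accepts "$(gen_rules_by_source)")"
fi
```

Loading the physdev ruleset requires the `ipt_physdev` kernel module (or the match compiled in) as well as the bridge-nf patch itself; if `iptables -m physdev --help` reports an unknown match, the patch level or iptables userspace in use does not provide it. An alternative at layer 2, also an assumption rather than something the post confirms, is ebtables, whose `-i`/`-o` options refer directly to the bridge ports.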
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
