I'm using a bridge and want to use firewalling on that. As it stands, without ebtables, it looks like iptables filtering can only be done on the FORWARD chain. I, however, need to use direction on interfaces and states to do a proper filtering job. I read through what ebtables had to offer.
I am looking for a confirmation that ebtables syntax is identical to iptables syntax. If so, I can rewrite my script generator to use iptables if it is a router and ebtables if it is a bridge. **Clarification**: all iptables syntax will work in ebtables (vice versa not mandatory).

http://users.pandora.be/bart.de.schuymer/ebtables/br_fw_ia/br_fw_ia.html#section2

<snip>
When a NIC enslaved to a bridge receives a frame, the frame will first go through the BROUTING chain. In this special chain you can choose whether to route or bridge frames, enabling you to make a brouter. The definitions found on the Internet for what a brouter actually is differ a bit. The next definition describes the brouting ability using the BROUTING chain quite well:

A brouter is a device which bridges some frames/packets (i.e. forwards based on Link layer information) and routes other frames/packets (i.e. forwards based on Network layer information). The bridge/route decision is based on configuration information. A brouter can be used, for example, to act as a normal router for IP traffic between 2 networks, while bridging specific traffic (NetBEUI, ARP, whatever) between those networks.

The IP routing table does not use the bridge logical device and the box has IP addresses assigned to the physical network devices that also happen to be bridge ports (bridge enslaved NICs). The default decision in the BROUTING chain is bridging.
</snip>

<snip>
Making a brouter:

Here is an example setup for a brouter with the following situation: br0 with ports eth0 and eth1.

ifconfig br0 0.0.0.0
ifconfig eth0 172.16.1.1 netmask 255.255.255.0
ifconfig eth1 172.16.2.1 netmask 255.255.255.0
ebtables -t broute -A BROUTING -p ipv4 -i eth0 --ip-dst 172.16.1.1 -j DROP
ebtables -t broute -A BROUTING -p ipv4 -i eth1 --ip-dst 172.16.2.1 -j DROP
ebtables -t broute -A BROUTING -p arp -i eth0 -d $MAC_OF_ETH0 -j DROP
ebtables -t broute -A BROUTING -p arp -i eth1 -d $MAC_OF_ETH1 -j DROP

As mentioned in the man pages, the DROP target in the BROUTING chain actually tells the network code to route the frame instead of bridging it.
</snip>

Bye
S Mohan
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
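As an added example (not from the post above or from the ebtables documentation it quotes), here is a small POSIX shell rule generator in the spirit of the script generator the post mentions: for a bridge it emits the quoted brouter BROUTING rules plus a matching INPUT filter in ebtables syntax, and for a router it emits the same filter in iptables syntax. Function names, the sample port list and the MAC addresses are invented. The two syntaxes are not interchangeable: ebtables selects the Ethernet protocol with `-p ipv4`/`-p arp`, matches IP header fields with its `--ip-*` options, and has no `-m state` because it does no connection tracking.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the ebtables docs): a
# rule generator that emits the same per-port policy as iptables commands
# for a router or as ebtables commands for a bridge. It only prints the
# commands; pipe the output to sh as root to apply it. All function names,
# the sample topology and the MAC addresses below are invented.

# Constructed sample: one "port ip mac" line per bridge port.
SAMPLE_PORTS='eth0 172.16.1.1 00:11:22:33:44:55
eth1 172.16.2.1 00:11:22:33:44:66'

# Emit the rules for one port.
#   $1 = "router" or "bridge", $2 = interface, $3 = its IPv4 address, $4 = its MAC
rules_for_port() {
    mode=$1 port=$2 ip=$3 mac=$4
    case $mode in
    router)
        # Plain router: no bridge and no broute table, so only an iptables
        # INPUT rule. -d matches the IP destination; -m state gives
        # connection tracking.
        printf 'iptables -A INPUT -i %s -d %s -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$port" "$ip"
        ;;
    bridge)
        # Brouter rules as in the quoted ebtables docs: in the broute table
        # DROP means "route this frame", so frames for the box's own IP or
        # MAC arriving on a bridge port go to the IP stack instead of being
        # bridged. Everything else keeps the default decision (bridge).
        printf 'ebtables -t broute -A BROUTING -p ipv4 -i %s --ip-dst %s -j DROP\n' "$port" "$ip"
        printf 'ebtables -t broute -A BROUTING -p arp -i %s -d %s -j DROP\n' "$port" "$mac"
        # The same SSH filter in ebtables syntax: -p selects the Ethernet
        # protocol, IP header fields use the --ip-* matches, and there is
        # no -m state because ebtables does no connection tracking.
        printf 'ebtables -A INPUT -i %s -p ipv4 --ip-dst %s --ip-proto tcp --ip-dport 22 -j ACCEPT\n' "$port" "$ip"
        ;;
    *)
        echo "rules_for_port: unknown mode '$mode'" >&2
        return 1
        ;;
    esac
}

# Emit the whole rule set for the given mode, one port per SAMPLE_PORTS line.
generate() {
    gen_mode=$1
    while read -r port ip mac; do
        [ -n "$port" ] || continue
        rules_for_port "$gen_mode" "$port" "$ip" "$mac" || return 1
    done <<EOF
$SAMPLE_PORTS
EOF
}

generate "${MODE:-bridge}"
```

Run it as `MODE=router sh gen.sh` or `MODE=bridge sh gen.sh` and review the output before piping it to `sh` as root. If bridged traffic itself needs stateful, per-direction filtering, the usual approach is to let iptables see bridged frames (bridge-nf) and match the bridge port with `-m physdev --physdev-in`/`--physdev-out` in the FORWARD chain; ebtables on its own only matches on frame and header fields.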
