Hello, everyone.
I read an article about iptables with a bridge recently. The article is
http://bridge.sourceforge.net/docs/bridge-firewall.html
and I have a question about an iptables rule, "iptables -A FORWARD -i eth0 -o eth1 -j
REJECT --reject-with tcp-reset", in this article.
The author thinks that the rule will stop the connection between two PCs on the same
side of the bridge firewall if they want to set up a connection, because when they are
trying to find each other's position in the LAN, the packet they send will be sent to every
port of the bridge, and this PACKET will match the iptables rule, so the PACKET will be
DROPPED, and the connection will STOP!
I think the procedure of address searching for PCs connected to the bridge is
sending a FRAME, not a PACKET, so iptables will not see this FRAME, so this rule will not
have that outcome at all. Am I right?
And this is some text about this question from the article:
                                    eth0 +----------+ eth1
           +----------+                  |  bridge  |
internet --+ upstream +-----+------+-----+ firewall +-----+
           |  router  |     |      |     +----------+     |
           +----------+   host A  host B                host C
Consider the above setup. Say that hosts A and B are talking to each other, but haven't
said anything for a while, say 10 minutes. Since it is more than 5 minutes ago that A
and B said something, their ethernet addresses will have timed out and not be in any
address table any longer. So if A or B decides to resume the conversation by sending a
packet, that packet will have to be flooded.
So, say A decides to send a packet to B after B's address has timed out. Even though
the packet is not destined to host C, the flooding process within the bridge
firewall's bridging module will queue a copy of the packet for transmission on C's
segment. And this is exactly where the problem lies. The packet from A to B that is
also sent to the bridge firewall's eth1 interface will match the rule:
# iptables -A FORWARD -i eth0 -o eth1 -j REJECT --reject-with tcp-reset
and therefore, the firewall will send a RST packet which will abort the connection
between A and B. This is certainly not what you had intended, and what's worse, this
spurious aborting will seem to happen randomly.
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
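The mechanism the quoted article describes can be followed step by step with a small model of a learning bridge: an address table with an ageing time, flooding when the destination is unknown, and a FORWARD rule that is evaluated once per egress port with -i set to the ingress bridge port and -o to the egress bridge port (which is how bridge-netfilter presents bridged IP traffic to iptables, the situation the article assumes). This is an added example written for this page, not code from the article or from the bridge project; the port names, MAC addresses and timestamps are constructed, and the 5-minute ageing time is taken from the article's text.

```python
"""Model of the learning-bridge behaviour in the quoted article.

A bridge forwards a frame only to the port where it last saw the destination
MAC; if that entry has aged out, it floods a copy to every other port.  With
bridge-netfilter in effect, each copy that leaves on another port traverses
the iptables FORWARD chain with -i <ingress port> and -o <egress port>, so a
rule written for eth0 -> eth1 traffic also fires on a flooded A -> B copy that
is queued for eth1.  Constructed example: ports, MACs and times are made up.
"""
from dataclasses import dataclass

AGEING_TIME = 300  # seconds; the article says entries time out after 5 minutes


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    proto: str = "tcp"  # the article's rule only makes sense for TCP


@dataclass
class ForwardRule:
    """One FORWARD rule of the form: -i in_port -o out_port -j action."""
    in_port: str
    out_port: str
    action: str

    def matches(self, in_port: str, out_port: str, frame: Frame) -> bool:
        return (in_port == self.in_port and out_port == self.out_port
                and frame.proto == "tcp")


class Bridge:
    def __init__(self, ports, rules):
        self.ports = list(ports)
        self.rules = list(rules)
        self.fdb = {}  # mac -> (port, last_seen)

    def learn(self, mac: str, port: str, now: int) -> None:
        self.fdb[mac] = (port, now)

    def lookup(self, mac: str, now: int):
        """Return the port for mac, or None if unknown or aged out."""
        entry = self.fdb.get(mac)
        if entry is None:
            return None
        port, last_seen = entry
        if now - last_seen > AGEING_TIME:
            del self.fdb[mac]  # entry has timed out; bridge forgets it
            return None
        return port

    def handle(self, frame: Frame, in_port: str, now: int):
        """Return [(egress_port, iptables verdict)] for every copy queued."""
        self.learn(frame.src_mac, in_port, now)
        out = self.lookup(frame.dst_mac, now)
        if out == in_port:
            return []  # destination is on the ingress segment: nothing is forwarded
        egress = [out] if out else [p for p in self.ports if p != in_port]
        results = []
        for port in egress:
            verdict = "ACCEPT"
            for rule in self.rules:
                if rule.matches(in_port, port, frame):
                    verdict = rule.action
                    break
            results.append((port, verdict))
        return results


def scenario():
    """A and B sit on eth0; C sits on eth1. Replays the article's timeline."""
    rule = ForwardRule("eth0", "eth1", "REJECT --reject-with tcp-reset")
    br = Bridge(["eth0", "eth1"], [rule])
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"  # constructed MACs
    br.handle(Frame(a, b), "eth0", now=0)  # A speaks first; B still unknown
    br.handle(Frame(b, a), "eth0", now=1)  # B replies; bridge now knows both on eth0
    fresh = br.handle(Frame(a, b), "eth0", now=2)    # entries fresh: no copy to eth1
    stale = br.handle(Frame(a, b), "eth0", now=601)  # 10 min of silence: B aged out
    return fresh, stale


if __name__ == "__main__":
    fresh, stale = scenario()
    print("A->B while B's entry is fresh:", fresh)   # []
    print("A->B after B's entry aged out:", stale)   # [('eth1', 'REJECT --reject-with tcp-reset')]
```

The `fresh` result is empty because the bridge knows B is on eth0 and forwards nothing; the `stale` result shows the flooded copy leaving via eth1 and hitting the rule, which is the spurious RST the article warns about. The model treats the frame as IP-over-Ethernet traffic handed to iptables by bridge-netfilter; without that, iptables would not see bridged frames at all.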