On Saturday, 18 August 2007 09:53:58, Sebastian Palarus wrote:
> On Friday, 17.08.2007, 19:08 +0200, Ralph Passgang wrote:
> > On Thursday, 16 August 2007 16:48:25, Sebastian Palarus wrote:
> > > Hi all,
> > >
> > > I'm trying to filter the traffic between the WAN and LAN ports over a
> > > bridge, but it doesn't work. Here is my config:
> > >
> > > FreeWRT 1.03 (download @ http://wib.freewrt.org)
> > > Linksys WRT54GL
> > >
> > > ----/etc/network/interface
> > > # LAN ports
> > > auto eth0.0
> > > iface eth0.0 inet manual
> > >         switch-ports 0 1 2 3 5*
> > >
> > >
> > > # WAN port
> > > auto eth0.1
> > > iface eth0.1 inet manual
> > >         switch-ports 4 5
> > > ----
> > >
> > > ----/etc/fw/setbridge.sh
> > > # create the bridge and attach both VLAN interfaces as bridge ports
> > > /usr/sbin/brctl addbr br0
> > > /usr/sbin/brctl addif br0 eth0.0
> > > /usr/sbin/brctl addif br0 eth0.1
> > > # bring the ports and the bridge itself up
> > > /bin/ip link set eth0.0 up
> > > /bin/ip link set eth0.1 up
> > > /bin/ip link set br0 up
> > > # show the result
> > > /bin/ip link show
> > > ----
> > >
> > > - the bridge works fine, but nothing is blocked
> > > - tcpdump -i br0 shows all packets
> > > - iptables doesn't know -m physdev
> > >
> > > What's the problem? netfilter (missing patch)? NIC driver?
> >
> > Normally ebtables is used for filtering a bridge, but I don't see why
> > you need a bridge at all?!?
> >
> > Just try this:
> >
> > # LAN + WAN ports
> > auto eth0.0
> > iface eth0.0 inet static
> >         switch-ports 0 1 2 3 4 5*
> >         address <your-ip>
> >         netmask <your-netmask>
> >         broadcast +
> >         gateway <your gateway>
> >
> > You can put the WAN port in the same VLAN as the LAN ports, so the
> > internal switch will be used and you don't need the bridge.
> >
> > A multi-port bridge is technically exactly a switch.
> >
> > And even if you want the bridge anyway, why not configure it in your
> > interfaces file... something like this should work:
> >
> > auto br0
> > iface br0 inet static
> >         bridge-ifaces eth0.0 eth0.1
> >         address <your-ip>
> >         netmask <your-netmask>
> >         broadcast +
> >         gateway <your gateway>
> >
> > regards,
> >  Ralph
>
> Hi,
>
> I want to protect some hosts, but in this network segment I can't change
> the network configuration. So I can't add a routing firewall and I need a
> bridge.
> Yesterday I tried Kamikaze, but filtering over a bridge did not work
> and iptables did not know -m physdev either.
>
> I don't need ebtables, because ebtables filters non-IP packets.

A bridge works on layer two; when you want to protect your hosts
in every aspect, you will need ebtables (think of MAC spoofing, for example).
For IP-related stuff only, iptables is enough, of course.

> But now I have a big problem. Accidentally I entered 'vi <binfile>'.
> Kamikaze answered with a SegFault and now the router doesn't want to boot
> anymore. Next week I want to try to rescue the router over serial (JP2),
> but first I have to solder on a cable.
> Does anybody have experience and tips for me?
>
> Now I see that the package iptables-mod-extra_1.3.3-2_mipsel.ipk from
> whiterussian really contains the file libipt_physdev.so.
> Bad luck ;-)

We do not support Kamikaze or Whiterussian, because both are OpenWrt releases.
This is FreeWRT ;-P

> regards,
> Sebastian
_______________________________________________
freewrt-users mailing list
freewrt-users@freewrt.org
https://www.freewrt.org/lists/listinfo/freewrt-users
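The thread above circles the two halves of a transparent bridging firewall without ever showing a complete ruleset: bridged IPv4 frames only reach iptables when the kernel's bridge-netfilter hook is enabled and the physdev match is available (the piece Sebastian's build was missing), and MAC-level protection against spoofing needs ebtables, as Ralph points out. The script below is an added example, not code from the freewrt-users thread or from the FreeWRT project. It keeps the thread's interface names (eth0.0 as the LAN side with the protected hosts, eth0.1 as the WAN side, both ports of br0); the host inventory, addresses, MACs and published ports are constructed placeholders, and the sysctl names assume a kernel with bridge-netfilter support, which the thread does not confirm for FreeWRT 1.03. Without arguments it only prints the rules; `apply` loads them.

```shell
#!/bin/sh
# Added example (not from the freewrt-users thread or the FreeWRT project):
# transparent firewall on a two-port bridge br0 = eth0.0 (LAN side, protected
# hosts) + eth0.1 (WAN side). Interface names follow the thread; everything
# else below is a constructed placeholder.

LAN_IF=${LAN_IF:-eth0.0}
WAN_IF=${WAN_IF:-eth0.1}

# Constructed inventory of the hosts behind the bridge, one per line:
# "ip mac tcp-ports-reachable-from-wan" (comma separated, "-" for none)
PROTECTED_HOSTS='192.0.2.10 00:11:22:33:44:55 22,443
192.0.2.11 00:11:22:33:44:66 -'

# 1. Kernel side: bridged IPv4/ARP frames traverse iptables/arptables only
#    with bridge-netfilter enabled (assumes a kernel built with it and with
#    the physdev match; without those, -m physdev is simply unknown).
bridge_sysctl() {
    printf '%s\n' \
        'net.bridge.bridge-nf-call-iptables=1' \
        'net.bridge.bridge-nf-call-arptables=1'
}

# 2. iptables-restore ruleset. Every frame crossing the bridge is a FORWARD
#    decision; physdev tells us which bridge port it entered and leaves on.
bridge_fw_rules() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # LAN -> WAN: the protected hosts may initiate anything.
    echo "-A FORWARD -m physdev --physdev-in $LAN_IF --physdev-out $WAN_IF -j ACCEPT"
    # WAN -> LAN: only replies to connections the hosts opened themselves...
    echo "-A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # ...plus the explicitly published TCP services per host.
    printf '%s\n' "$PROTECTED_HOSTS" | while read -r ip mac ports; do
        [ "$ports" = "-" ] && continue
        oldifs=$IFS; IFS=,
        for port in $ports; do
            echo "-A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $LAN_IF -p tcp -d $ip --dport $port -j ACCEPT"
        done
        IFS=$oldifs
    done
    # Log what the WAN side tried before the chain policy drops it.
    echo "-A FORWARD -m physdev --physdev-in $WAN_IF -j LOG --log-prefix \"bridge-drop: \""
    echo 'COMMIT'
}

# 3. ebtables (layer two, Ralph's MAC-spoofing point): pin each protected
#    IP to its MAC on the LAN port, both for IPv4 frames and ARP, and refuse
#    frames on the WAN port that carry a protected host's MAC.
bridge_ebtables_rules() {
    echo 'ebtables -F FORWARD'
    echo 'ebtables -P FORWARD ACCEPT'
    printf '%s\n' "$PROTECTED_HOSTS" | while read -r ip mac ports; do
        echo "ebtables -A FORWARD -i $LAN_IF -p IPv4 --ip-src $ip -s ! $mac -j DROP"
        echo "ebtables -A FORWARD -i $LAN_IF -p ARP --arp-ip-src $ip -s ! $mac -j DROP"
        echo "ebtables -A FORWARD -i $WAN_IF -s $mac -j DROP"
    done
}

# 4. Load everything (needs root and the tools installed on the router).
apply_bridge_firewall() {
    bridge_sysctl | while read -r kv; do sysctl -w "$kv"; done
    bridge_fw_rules | iptables-restore
    bridge_ebtables_rules | sh
}

if [ "${1:-}" = apply ]; then
    apply_bridge_firewall
else
    bridge_sysctl; bridge_fw_rules; bridge_ebtables_rules
fi
```

The FORWARD policy is DROP, so a WAN-side packet that matches neither the state rule nor a published port is logged and discarded while the LAN side stays unrestricted; the ebtables rules run before iptables sees the frame, so a LAN machine that forges a protected host's IP or MAC is cut off at layer two, which is exactly what the iptables half cannot express.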
