Hi Sebastian,
On Tue, 21 Aug 2007 at 10:42 +0200, Sebastian Palarus wrote:
> On Saturday, 18.08.2007, 21:56 +0200, Ralph Passgang wrote:
> > On Saturday, 18 August 2007 09:53:58, Sebastian Palarus wrote:
> > > On Friday, 17.08.2007, 19:08 +0200, Ralph Passgang wrote:
> > > > On Thursday, 16 August 2007 16:48:25, Sebastian Palarus wrote:
> > > > > Hi all,
> > > > >
> > > > > I'm trying to filter the traffic between the wan and lan ports over a bridge,
> > > > > but it doesn't work. Here is my config:
> > > > >
> > > > > FreeWRT 1.03 (download @ http://wib.freewrt.org)
> > > > > Linksys WRT54GL
> > > > >
> > > > > ----/etc/network/interface
> > > > > # LAN ports
> > > > > auto eth0.0
> > > > > iface eth0.0 inet manual
> > > > >         switch-ports 0 1 2 3 5*
> > > > >
> > > > >
> > > > > # WAN port
> > > > > auto eth0.1
> > > > > iface eth0.1 inet manual
> > > > >         switch-ports 4 5
> > > > > ----
> > > > >
> > > > > ----/etc/fw/setbridge.sh
> > > > > /usr/sbin/brctl addbr br0
> > > > > /usr/sbin/brctl addif br0 eth0.0
> > > > > /usr/sbin/brctl addif br0 eth0.1
> > > > > /bin/ip link set eth0.0 up
> > > > > /bin/ip link set eth0.1 up
> > > > > /bin/ip link set br0 up
> > > > > /bin/ip link show
> > > > > ----
> > > > >
> > > > > -the bridge works fine, but nothing is blocked
> > > > > -tcpdump -i br0 shows all packets
> > > > > -iptables doesn't know -m physdev
> > > > >
> > > > > What's the problem? netfilter (missing patch) ? nic-driver?
> > > >
> > > > Normally ebtables is used for filtering a bridge, but I don't get the
> > > > reason why you need a bridge at all?!?
> > > >
> > > > Just try this:
> > > >
> > > >  # LAN + WAN ports
> > > >  auto eth0.0
> > > >  iface eth0.0 inet static
> > > >         switch-ports 0 1 2 3 4 5*
> > > >         address <your-ip>
> > > >         netmask <your-netmask>
> > > >         broadcast +
> > > >         gateway <your gateway>
> > > >
> > > > You can put the wan port in the same vlan as the lan ports, so the
> > > > internal switch will be used and you don't need the bridge.
> > > >
> > > > A multiport bridge is technically exactly a switch.
> > > >
> > > > And even if you want the bridge anyway, why not configure it in your
> > > > interface file... something like this should work:
> > > >
> > > > auto br0
> > > > iface br0 inet static
> > > >         bridge-ifaces eth0.0 eth0.1
> > > >         address <your-ip>
> > > >         netmask <your-netmask>
> > > >         broadcast +
> > > >         gateway <your gateway>
> > > >
> > > > regards,
> > > >  Ralph
> > >
> > > Hi,
> > >
> > > I want to protect some hosts, but in this network segment I can't change
> > > the network configuration. So I can't add a routing firewall and I need a
> > > bridge.
> > > Yesterday I tried kamikaze, but the filtering over a bridge did not work
> > > and iptables did not know -m physdev either.
> > >
> > > I don't need ebtables, because ebtables filter non-ip-packets.
> > 
> > A bridge works on the second layer; when you want to protect your hosts
> > in every aspect, you will need ebtables (think of mac spoofing, for
> > example). For ip-related stuff only, iptables is enough of course.
> > 
> > > But now I have a big problem. Accidentally I entered 'vi <binfile>'.
> > > Kamikaze answered with a SegFault and now the router doesn't want to boot
> > > anymore. Next week I want to try to rescue the router over serial (JP2),
> > > but first I have to braze on a cable.
> > > Does anybody have experience and tips for me?
> > >
> > > Now I see that the package iptables-mod-extra_1.3.3-2_mipsel.ipk of
> > > whiterussian really contains the file libipt_physdev.so.
> > > Bad luck ;-)
> > 
> > We do not support kamikaze or whiterussian, because both are openwrt
> > releases. This is freewrt ;-P
> > 
> > > regards,
> > > Sebastian
> > >
> > > _______________________________________________
> > > freewrt-users mailing list
> > > freewrt-users@freewrt.org
> > > https://www.freewrt.org/lists/listinfo/freewrt-users
> > 
> Hi,
> 
> Yes, I know the history of openwrt and freewrt and I like freewrt
> better, because 'nvram ...' and other things of openwrt are not really
> Unix-like. So I have a wish for the future.
> If it's possible (and stable), please integrate libipt_physdev.so,
> ebtables.ko and physdev.ko. Newer ebtables.so includes the patch
> bridge-nf, which makes it possible to use iptables between bridged devices. dmesg
> should print:
> ---
> Bridge firewalling registered
> Ebtables v2.0 registered

Sorry, this will not happen, unless someone fixes a grave bug in
2.4.34 and ebtables. This bug has cost me a lot of time and I got a
lot of grey hairs.

greetings
 Waldemar

-- 
All embedded development kits suck. This one just sucks less.
http://www.freewrt.org
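The thread's symptom (the bridge forwards everything, nothing is blocked, and iptables does not know -m physdev) has three usual causes: no bridge-nf in the kernel, bridge-nf present but switched off via sysctl, or the physdev match extension not installed. The following preflight checker is an added example, not code from the thread or from FreeWRT; the sysctl path and the extension file names are the conventional ones and are assumptions, and the inputs in the usage block are constructed.

```python
"""Preflight check: can iptables filter traffic crossing a Linux bridge?

Added example for the freewrt-users thread above; not project code.
The three facts it consumes are what a practitioner would collect on
the router: the kernel log, the bridge-nf sysctl, and the iptables
extension directory listing.
"""
from typing import List, Optional

# Conventional locations (assumptions, not taken from the thread).
BRIDGE_NF_SYSCTL = "/proc/sys/net/bridge/bridge-nf-call-iptables"
# Old (ipt_) and newer (xt_) names of the physdev match extension.
PHYSDEV_LIBS = ("libipt_physdev.so", "libxt_physdev.so")


def check_bridge_filtering(dmesg: str, sysctl_value: Optional[str],
                           iptables_libs: List[str]) -> List[str]:
    """Return the list of problems that stop iptables from seeing bridged frames.

    dmesg:         kernel log text; with bridge-nf the thread expects the
                   line "Bridge firewalling registered"
    sysctl_value:  contents of bridge-nf-call-iptables, or None if the
                   file does not exist
    iptables_libs: file names found in the iptables extension directory
    An empty list means bridged traffic will traverse the FORWARD chain
    and '-m physdev' rules can be loaded.
    """
    problems: List[str] = []
    if "Bridge firewalling registered" not in dmesg:
        problems.append("kernel lacks bridge-nf: iptables never sees bridged frames")
    if sysctl_value is None:
        problems.append("bridge-nf sysctl missing: bridge netfilter hook not built or loaded")
    elif sysctl_value.strip() != "1":
        problems.append("bridge-nf-call-iptables is 0: FORWARD chain is bypassed for the bridge")
    if not any(lib in iptables_libs for lib in PHYSDEV_LIBS):
        problems.append("physdev match extension missing: '-m physdev' rules cannot be loaded")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the bridge is up, but the
    # kernel has no bridge-nf and the extra iptables matches are not installed.
    broken = check_bridge_filtering("br0: port 1(eth0.0) entering forwarding state\n",
                                    None, ["libipt_tcp.so", "libipt_udp.so"])
    for p in broken:
        print("-", p)
    fixed = check_bridge_filtering("Bridge firewalling registered\nEbtables v2.0 registered\n",
                                   "1", ["libipt_tcp.so", "libipt_physdev.so"])
    print("problems after fix:", fixed)
```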
