Yclept Nemo wrote:
Hi, I have a few questions about the inner workings of netfilter (a graphical layout of my network setup @ https://aequorin.homeunix.net:62389/local/media/network-graph.png)
Rather than answer each of your first three individual questions, I'm going to try to explain to you how it works.
Here is a diagram of what is going on:
   _____________                    ____________
  |             |                  |            |
  | VPN Clients |                  | LAN Hosts  |
  |_____________|                  |____________|
         |                               |
         |                               |
  ----------------                -----------------
 |      eth0      |              |      tap0       |
 |----------------------------------------------------|
 |                        br0                         |
 |----------------------------------------------------|
 |                                                    |
 |                        $FW                         |
 |____________________________________________________|
So:
1) Any packet from a VPN client will have PHYSIN=eth0.
2) Any packet from a LAN host will have PHYSIN=tap0.
3) Any packet to the firewall will have PHYSOUT= because the connection
does not go out either of the 'physical' (layer 2) interfaces (bridge
ports).
4) All traffic must pass through the bridge; traffic never passes
directly from one bridge port to another. The bridge is always the IN=
interface for traffic from the VPN clients and LAN hosts and it is
always the OUT= interface for traffic to those clients and hosts.
4) The shorewall docs mention that the lan(br0) zone exists b/c it is not possible to do $FW->vpn(tap0) or $FW->phys(eth0). Is this because netfilter in kernels >=2.6.20 cannot recognize $FW->vpn(tap0) or $FW->phys(eth0)? ... because I haven't seen any traffic that would match $FW->vpn(tap0) or $FW->phys(eth0).
That is correct -- in order to be associated with an output physical device (PHYSOUT=), a packet must have entered the bridge through a physical device (port). It cannot have been routed from another IPv4 interface (one with an IPv4 address) and it cannot have originated on the firewall itself.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
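The four rules in Tom's reply can be checked against actual netfilter LOG output. The following is an added example, not code from the thread or from Shorewall: it parses the IN=/OUT=/PHYSIN=/PHYSOUT= fields of constructed log lines (the bridge and port names br0, eth0 and tap0 are taken from the diagram above) and reports which bridge port a packet came from and went to, or whether the firewall itself was the origin or the destination.

```python
import re

# Bridge and port names from the diagram in the reply above.
BRIDGE = "br0"
PORTS = {"eth0", "tap0"}

# Constructed netfilter LOG lines (not from the original thread), in the
# key=value form the kernel prints; fields irrelevant here are omitted.
SAMPLE_LOG = [
    # entered via port eth0, delivered to the firewall itself (empty OUT=)
    "IN=br0 OUT= PHYSIN=eth0 SRC=10.8.0.6 DST=192.168.1.1 PROTO=TCP DPT=22",
    # bridged from port tap0 to port eth0: both PHYSIN= and PHYSOUT= known
    "IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.1.50 DST=10.8.0.6 PROTO=ICMP",
    # generated on the firewall (empty IN=): only the bridge is known, never a port
    "IN= OUT=br0 SRC=192.168.1.1 DST=192.168.1.50 PROTO=UDP DPT=53",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_fields(line):
    """Turn 'KEY=value KEY= ...' into a dict; 'OUT=' yields an empty string."""
    return dict(FIELD_RE.findall(line))


def classify(line):
    """Return (source, destination), each 'fw', a port name, or the bridge name.

    Encodes the rules from the reply: a packet is attributed to a bridge port
    only on the side where it actually crossed one, PHYSOUT= is meaningful
    only for packets that entered through a port, and the firewall shows up
    as an empty IN= (origin) or an empty OUT= (destination).
    """
    f = parse_fields(line)
    in_dev, out_dev = f.get("IN", ""), f.get("OUT", "")
    physin, physout = f.get("PHYSIN", ""), f.get("PHYSOUT", "")

    if in_dev == "":
        src = "fw"                    # locally generated: no input device at all
    elif in_dev == BRIDGE and physin in PORTS:
        src = physin                  # entered the bridge through this port
    else:
        src = in_dev                  # routed in from a non-bridge interface

    if out_dev == "":
        dst = "fw"                    # delivered locally: no PHYSOUT= possible
    elif out_dev == BRIDGE and src in PORTS and physout in PORTS:
        dst = physout                 # bridged port-to-port traffic
    else:
        dst = out_dev                 # firewall- or routed-origin: only 'br0' is known

    return src, dst
```

Running `classify` over SAMPLE_LOG gives ("eth0", "fw"), ("tap0", "eth0") and ("fw", "br0"); the last one is exactly why a $FW->lan(br0) zone pair exists while $FW->tap0 or $FW->eth0 cannot be matched.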
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
