On Friday, 17.08.2007, 19:08 +0200, Ralph Passgang wrote:
> On Thursday, 16 August 2007 16:48:25, Sebastian Palarus wrote:
> > Hi all,
> >
> > I try to filter the traffic between wan and lan ports over a bridge, but
> > it doesn't work. Here my config
> >
> > FreeWRT 1.03 (download @ http://wib.freewrt.org)
> > Linksys WRT54GL
> >
> > ----/etc/network/interface
> > # LAN ports
> > auto eth0.0
> > iface eth0.0 inet manual
> >         switch-ports 0 1 2 3 5*
> >
> >
> > # WAN port
> > auto eth0.1
> > iface eth0.1 inet manual
> >         switch-ports 4 5
> > ----
> >
> > ----/etc/fw/setbridge.sh
> > /usr/sbin/brctl addbr br0
> > /usr/sbin/brctl addif br0 eth0.0
> > /usr/sbin/brctl addif br0 eth0.1
> > /bin/ip link set eth0.0 up
> > /bin/ip link set eth0.1 up
> > /bin/ip link set br0 up
> > /bin/ip link show
> > ----
> >
> > -the bridge works fine, but nothing is blocked
> > -tcpdump -i br0 shows all packets
> > -iptables doesn't know -m physdev
> >
> > What's the problem? netfilter (missing patch) ? nic-driver?
> 
> Normally ebtables is used for filtering a bridge, but I don't get the reason 
> why you need a bridge at all?!?
> 
> Just try this:
> 
>  # LAN + WAN ports
>  auto eth0.0
>  iface eth0.0 inet static
>         switch-ports 0 1 2 3 4 5*
>       address <your-ip>
>       netmask <your-netmask>
>       broadcast +
>       gateway <your gateway>
> 
> You can put the wan port in the same vlan as the lan ports, so the internal 
> switch will be used and you don't need the bridge.
> 
> A multiport bridge is technically exactly a switch.
> 
> And even if you want the bridge anyways, why not configure it in your 
> interface file... something like this should work:
> 
> auto br0
> iface br0 inet static
>       bridge-ifaces eth0.0 eth0.1
>       address <your-ip>
>       netmask <your-netmask>
>       broadcast +
>       gateway <your gateway>
> 
> regards,
>  Ralph

Hi,

I want to protect some hosts, but in this network segment I can't change
the network configuration. So I can't add a routing firewall and I need a
bridge.
Yesterday I tried Kamikaze, but the filtering over a bridge did not work
and iptables did not know -m physdev either. 

I don't need ebtables, because ebtables filter non-ip-packets.

But now I have a big problem. Accidentally I entered 'vi <binfile>'.
Kamikaze answered with a SegFault and now the router doesn't want to boot
anymore. Next week I want to try to rescue the router over serial (JP2),
but first I have to solder on a cable.
Has anybody experience and tips for me?

Now I see that the package iptables-mod-extra_1.3.3-2_mipsel.ipk from
whiterussian really contains the file libipt_physdev.so. 
Bad luck ;-)

regards,
Sebastian
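For readers arriving at this thread with the same goal (a transparent bridge that filters the IP traffic between the WAN and LAN ports, as Sebastian describes), here is an added example; it is not code from the thread or from the FreeWRT project. It assumes a Linux box with the bridge utilities, the physdev match (on the firmwares discussed here that is the iptables-mod-extra package Sebastian mentions) and the bridge-netfilter hook; interface names eth0.0/eth0.1/br0 are taken from the thread, the list of permitted TCP ports is a constructed placeholder. The script prints the commands by default and only executes them with --apply, so it can be reviewed before it touches the router.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: build br0 from the LAN
# and WAN VLAN interfaces and filter the bridged IP traffic with iptables'
# physdev match. Requires root and the br_netfilter / ipt_physdev modules.

WAN_IF="eth0.1"   # interface names as used in the thread
LAN_IF="eth0.0"
BRIDGE="br0"
# Constructed sample policy: services on the protected segment that may be
# reached from the WAN side. Everything else from WAN is logged and dropped.
ALLOWED_TCP_PORTS="22 443"

# Commands that create the bridge and make bridged frames visible to iptables.
# Without bridge-nf-call-iptables=1 the bridge forwards in kernel space and
# the FORWARD chain never sees the traffic, which matches the symptom
# "the bridge works fine, but nothing is blocked".
bridge_setup_cmds() {
    cat <<EOF
brctl addbr $BRIDGE
brctl addif $BRIDGE $LAN_IF
brctl addif $BRIDGE $WAN_IF
ip link set $LAN_IF up
ip link set $WAN_IF up
ip link set $BRIDGE up
modprobe br_netfilter 2>/dev/null || true
modprobe ipt_physdev 2>/dev/null || true
sysctl -w net.bridge.bridge-nf-call-iptables=1
EOF
}

# Filter rules. Bridged traffic traverses FORWARD (not INPUT/OUTPUT); the
# physdev match tells frames that entered on the WAN port apart from frames
# that entered on the LAN port, which plain -i/-o cannot do on a bridge.
bridge_filter_cmds() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m physdev --physdev-in $LAN_IF --physdev-out $WAN_IF -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $ALLOWED_TCP_PORTS; do
        echo "iptables -A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $LAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
iptables -A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $LAN_IF -j LOG --log-prefix "bridge-drop: "
EOF
}

# Sanity check before applying: how many rules actually use the physdev match.
physdev_rule_count() {
    bridge_filter_cmds | grep -c -- '-m physdev'
}

# Dry run by default; pass --apply (as root) to execute the printed commands.
if [ "$1" = "--apply" ]; then
    bridge_setup_cmds | sh -e
    bridge_filter_cmds | sh -e
else
    bridge_setup_cmds
    bridge_filter_cmds
fi
```

Running the script without arguments lists the commands; `physdev_rule_count` should report five for the constructed policy. This sits alongside Ralph's ebtables remark rather than replacing it: ebtables filters at the Ethernet layer, while the physdev match lets the usual IP-level iptables policy be applied to frames that cross the bridge.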



_______________________________________________
freewrt-users mailing list
[email protected]
https://www.freewrt.org/lists/listinfo/freewrt-users