Hi,

On Tue, 14 Feb 2006 05:43:33 -0600
"Boyd Stephen Smith Jr." <[EMAIL PROTECTED]> wrote:

> On Tuesday 14 February 2006 03:31, Ow Mun Heng <[EMAIL PROTECTED]> wrote 
> about 'Re: [gentoo-user] is iptables needed on a Bridge':
> > [...]
>
> If you /do/ want to do packet filtering on br0, I believe you can with 
> iptables.  A rule with in the filter table on the FORWARDING chain with -i 
> br0 -o br0 should match.  You could also do some logging this way.

Nah, bridging is ethernet layer, not IP layer. So it will work using
ebtables, not iptables.

OTOH, when building a bridge, it usually doesn't make much sense to set
up lots of rules for security's sake, but rather in order to reduce
chattiness between the bridged networks (one may want to filter
broadcasts and other noisy stuff).

> > I also wanted to know if there's a need for iptables, mainly for
> > security. But since there isn't an ip addressed to br0, I would presume
> > that it is safe, but I thought I'll check here 1st.
> 
> I really can't answer the safety issue.  From my understanding packets 
> coming in br0 can be delivered locally, even when br0 doesn't have an IP 
> address (and similarly with sending packets out br0) so I don't think not 
> having an IP address really buys you any safety.

It certainly does, but OTOH, the OP wrote he'll set up a third ethernet
adapter for connecting to the bridging machine, so iptables may make
sense on that interface.

The FORWARD chain of iptables is only for forwarding IP packets (heh,
it's obvious, isn't it? :-), i.e. when building a router. Well, I think
it should be possible to redirect bridged packets to the local host in
order to let them go through routing, but this seems to be a little
kludgy, because the same thing probably can be achieved by using
proxy_arp in the first place, which would save us from using
promiscuous mode...

-hwh
-- 
gentoo-user@gentoo.org mailing list
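The setup discussed in this thread, as an added example script that is not from the thread or from any of the posters: a transparent bridge br0 over two ports with ebtables rules that only cut cross-segment chatter (IPv4 limited broadcasts and NetBIOS), plus iptables INPUT rules on the separate management adapter, which is where IP-layer filtering on the bridging box applies. The interface names eth0/eth1 (bridge ports) and eth2 (the "third adapter"), the admin network 192.0.2.0/24 and the DRYRUN switch are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: transparent bridge + ebtables noise filter + iptables on the
# management NIC.  Assumed: eth0/eth1 are the bridged ports, eth2 is the
# management adapter, 192.0.2.0/24 is the admin network (constructed values).
# Run as "show" to print the commands, or as root with "apply" to execute them.

# Execute a command, or print it when DRYRUN=1 (quoting is not reproduced).
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Ethernet-layer bridge: br0 itself gets no IP address, as in the thread.
bridge_setup() {
    run brctl addbr br0
    run brctl addif br0 eth0
    run brctl addif br0 eth1
    run ip link set dev eth0 up
    run ip link set dev eth1 up
    run ip link set dev br0 up
}

# Frames crossing the bridge traverse the ebtables FORWARD chain, not the
# iptables one.  Keep the policy open and only drop the noisy stuff.
ebtables_rules() {
    run ebtables -F FORWARD
    run ebtables -P FORWARD ACCEPT
    # ARP must still cross, or hosts on the two segments cannot find each other.
    run ebtables -A FORWARD -p ARP -j ACCEPT
    # IPv4 limited broadcasts (DHCP discover and similar) stay on their own segment.
    run ebtables -A FORWARD -p IPv4 --ip-dst 255.255.255.255 -j DROP
    # NetBIOS name and datagram service (UDP 137/138) is the usual LAN chatter.
    run ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 137:138 -j DROP
    # Log whatever other broadcast frames still cross, to find further noise.
    run ebtables -A FORWARD -d Broadcast --log-level info --log-prefix "br0-bcast: " -j ACCEPT
}

# The management adapter is a normal routed interface with an address, so
# iptables INPUT rules make sense there: admin SSH only, everything else dropped.
mgmt_rules() {
    run iptables -F INPUT
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i eth2 -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
}

case "${1:-}" in
    show)  DRYRUN=1; bridge_setup; ebtables_rules; mgmt_rules ;;
    apply) DRYRUN=0; bridge_setup; ebtables_rules; mgmt_rules ;;
esac
```

Usage: `sh bridge-filter.sh show` prints the rule set for review; `sudo sh bridge-filter.sh apply` executes it. Note that no ebtables rule touches the management interface and no iptables rule mentions br0: the two tools operate on different layers, which is the point made above.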
