Dear Tom:

I have assigned an IP to the bridge so that I can ssh into the box for
configuring the box. I tested which tables/chains get activated by giving a
simple rule to block port 21 on the INPUT chain of the internal LAN
interface. The iptable rule set showed the rule but it had no effect. I
moved it to the output and still the same effect. I moved it to the forward
table and it worked.

It is based on this experimentation that I've said that it works only on the
forward chain. The bridging folks are writing (have written) a utility
called ebtables which has the king of filtering that iptables provides but
on the bridge interface instead of the standard eth'n' interface.

Let me confess, I'm know very little as compared to most on this development
list on this subject from an internals/kernel/userland point of view. I'm
talking from an implementation viewpoint.

I'd like comments/ feedback on whether what I've tried is Ok or do I need to
try something else.

Mohan

-----Original Message-----
From: Tom Eastep [mailto:[EMAIL PROTECTED]
Sent: 27 February 2003 10:26
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [leaf-devel] FW: TC control & bandwith management using
LEAF




--On Thursday, February 27, 2003 08:12:45 AM +0530 S Mohan
<[EMAIL PROTECTED]> wrote:

> Can I have comments on this doc please? I could have written qos-htb but
> would have duplicated Juan Prieto's effort. Ideally this should be
> followed by the qos-htb doc. Excuse blunders if any. Would be happy to
> learn where I've gone wrong or made mistakes.
>
> Would like Tom or Jacques to comment on how Shorewall can be used here
> only on the FORWARD table? Would also like some one to ratify cable
> connections - crossed and straight for combination of devices.
>

Provided that you assign an IP address to the bridge device, you can still
have traffic to/from the $FW zone (I'm assuming that traffic would be
through the br0 device - I haven't personally experimented with the bridge
code). I would think that such traffic would still use the INPUT and OUTPUT
chains.

You should be able to do pretty much anything else supported by Shorewall
except for using those features that require the interface involved to have
an IP address. With the exception of obvious things like masquerading,
those features are usually denoted in the documentation by the requirement
that the interface must be up before Shorewall starts.

Shorewall will generate rules for the INPUT and OUTPUT chains through the
bridged ethernet devices but I wouldn't think that such rules would hurt
anything; they just would never be exercised.

If it turns out that there are problems with those rules, we can create a
'bridged' interface option that suppresses them.

I'll be happy to work with someone who is experimenting with bridging and
Shorewall. It's something I've wanted to do myself but simply haven't found
the time.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ [EMAIL PROTECTED]




-------------------------------------------------------
This SF.net email is sponsored by: Scholarships for Techies!
Can't afford IT training? All 2003 ictp students receive scholarships.
Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
www.ictp.com/training/sourceforge.asp

_______________________________________________
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Reply via email to