Hi all,

    Ok, I know this is a very controversial subject and it has been
debated a lot of times in linux-net and linux-kernel, but I haven't
found a definitive answer from the gurus.
    There are a lot of people who have tried and asked for bridge+firewall
functionality, and the mini-HOWTO with the same name doesn't help. In
fact the HOWTO is very strange, and it suggests a kind of router between
two subnets and not a plain bridge.
    In a message almost a year ago from Alan, he said: "The bridge isn't
subject to the firewalling rules. You can certainly extend the bridge
code to support this but nobody has done it for 2.0, or afaik for 2.2".

    AFAIK there are currently two ways of doing bridge+firewall:

    1) Extending the bridge code to support firewalling seems to have been
implemented in 1998 by AC2I. The patch can be found on their site:
http://ac2i.tzo.com/bridge_filter/

    2) By using queueing disciplines, classes and filters. We can easily
export the "noop" qdisc (the fastest one :) and bind it to classes,
effectively dropping all the packets that were mapped to them.

    The second one is much more difficult for end-user administration,
but it requires almost no kernel patching. On the other hand, in case the
gurus think that the AC2I patch is good, why can't it be part of a
production kernel?


Regards,

Miguel Freitas

Please CC me, I'm not on the list.


