Re: [Devil-Linux-discuss] Bridge + firewall

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

yes i did configure via /etc/sysconfig/nic/ifcfg-brX 
and also manually
the bridge works fine but the problem 
is that when i run iptables no traffic is blocked as
it used to on previous version of DL

this is a quick example of my iptables on the previous
version of DL

ipless bridge (eth0+eth1)
------
iptables -F 
iptables -X 

iptables -N valid_traffic
iptables -A valid_traffic -m state --state INVALID -j
DROP 
iptables -A valid_traffic -m state --state
RELATED,ESTABLISHED -j ACCEPT

# Accept related/established

iptables -N allow_all
#iptables -A allow_all -s 1.0.0.1 -j ACCEPT
iptables -A FORWARD -j valid_traffic # Pass all boxes
to valid_traffic 
iptables -A FORWARD -j allow_all # Check IP allow list
iptables -A FORWARD -j DROP # Drop anything that
didn't match

this would mean that we allow everything only on
10.0.0.1 

this rule worked on previous verion but on current
version it is ignored in other words everyone has
access to the internet.

/etc/sysconfig/nic/ifcfg-brX ?
> Did you load the module bridge ?

--- Heiko Zuerker <he...@zu...> wrote:
> Heiko Zuerker wrote:
> 
> >>Hi all,
> >>In the previous version of DL i had set a firewall
> by
> >>bridging eth0 +eth1 and running iptables with the
> >>appropriate rules.
> >>The problem now with ver1 is that after the bridge
> is
> >>up and using the same rules nothing is blocked as
> if
> >>no firewall is totally bypassed ..
> >>any ideas ?
> >>    
> >>
> >
> >The patch is still included, I don't know what's
> going wrong.
> >I'll document it as a bug and see what I can find
> out.
> >
> >  
> >
> I did some tests and it seems to work fine.
> What I saw in the documentation, there seems to be
> no packets passing in 
> the first 30 seconds after initialization of the
> bridge interface. I 
> don't know if that is still true, since the docs are
> outdated.
> 
> Did you configure the bridge interface via our
> scripts by defining the 
> file /etc/sysconfig/nic/ifcfg-brX ?
> Did you load the module bridge ?
> 
> cya
>   Heiko
> 
> 
> 
>
-------------------------------------------------------
> This SF.Net email sponsored by: ApacheCon 2003,
> 16-19 November in Las Vegas. Learn firsthand the
> latest
> developments in Apache, PHP, Perl, XML, Java, MySQL,
> WebDAV, and more! http://www.apachecon.com/
> _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
>
https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss

__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree