From: Mr D. F. <mr....@go...> - 2013-01-02 15:02:52

> Shorewall can't help you in the case of a bridge -- neither can
> routefilter. You would have to use arptables to prevent a misconfigured
> host from hijacking your network.

Which is exactly why I use arptables to "manually" craft my INPUT, OUTPUT and FORWARD arptables chains (in shorewall's "started") - these chain definitions are very similar to their corresponding counterparts in iptables, and there is even arptables-restore, using the same format as iptables-restore, to restore arptables chains. There is a proposal I made a while ago for such functionality to be included as part of shorewall (a bit like "rules" for arptables, if you like), as I think it would be beneficial to everyone.
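As an added example (not code from this thread, the poster, or the Shorewall project), the POSIX shell snippet below shows the kind of arptables-restore ruleset a "started" extension script could load to stop a misconfigured host from claiming the gateway's address: for each trusted IP/MAC pair it accepts ARP whose sender IP and sender MAC both match, then drops ARP that claims the same sender IP from any other MAC, on both INPUT (traffic for the host itself) and FORWARD (traffic bridged through it). The sample pairs are constructed, the function names are mine, and the restore-file layout (`*filter`, `:CHAIN POLICY` lines, `-A` rules, `COMMIT`) is assumed to match what arptables-save emits.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of Shorewall:
# build an arptables-restore ruleset that pins trusted IP/MAC pairs so
# another host on the segment cannot take over those IPs via ARP.
# Everything not covered by a pinned IP keeps the ACCEPT policy.

# Constructed sample data: one "IP MAC" pair per line (e.g. the gateway).
TRUSTED_PAIRS='192.0.2.1 02:00:5e:00:53:01
192.0.2.2 02:00:5e:00:53:02'

# Emit the ruleset on stdout in arptables-restore format (assumed to be
# the same layout arptables-save produces). For every pair: accept when
# sender IP and sender MAC match, then drop any other sender MAC that
# claims that IP. Applied to INPUT and FORWARD.
gen_arp_rules() {
    printf '*filter\n'
    printf ':INPUT ACCEPT\n:OUTPUT ACCEPT\n:FORWARD ACCEPT\n'
    printf '%s\n' "$1" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        for chain in INPUT FORWARD; do
            # "-A" is passed as a %s argument so printf never sees it as an option
            printf '%s %s --source-ip %s --source-mac %s -j ACCEPT\n' -A "$chain" "$ip" "$mac"
            printf '%s %s --source-ip %s -j DROP\n' -A "$chain" "$ip"
        done
    done
    printf 'COMMIT\n'
}

# Number of -A rules the ruleset contains; a cheap sanity check before loading.
count_rules() {
    gen_arp_rules "$1" | grep -c '^-A '
}

# Load the ruleset if arptables-restore exists (what a "started" script
# would do). Returns 0 on success; if the tool is absent the ruleset is
# printed for review and 2 is returned.
load_arp_rules() {
    if command -v arptables-restore >/dev/null 2>&1; then
        gen_arp_rules "$1" | arptables-restore
    else
        gen_arp_rules "$1"
        return 2
    fi
}
```

Rule order matters: the ACCEPT for the genuine MAC has to come before the catch-all DROP for that IP, which is why each pair emits its two rules together. Because only pinned IPs get a DROP, hosts that are not in the trusted list are untouched by this ruleset.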