| author | buytenh <buytenh> | 2001-11-07 17:16:20 +0000 |
|---|---|---|
| committer | buytenh <buytenh> | 2001-11-07 17:16:20 +0000 |
| commit | 35a7dca7af9ab48bca94f0094e9ec810a712977b (patch) | |
| tree | fed3babd9e05660eec193b6a77755204b968f4bd /doc | |
| parent | d7f0c1b7a7fa15a3dbace8a2aa91e2fc040c111a (diff) | |
update for 2.4 firewalling
Diffstat (limited to 'doc')
-rw-r--r-- | doc/FIREWALL | 59
-rw-r--r-- | doc/TODO | 3
-rw-r--r-- | doc/brctl.8 | 5
3 files changed, 38 insertions, 29 deletions
diff --git a/doc/FIREWALL b/doc/FIREWALL index 8ba50b2..b0ea705 100644 --- a/doc/FIREWALL +++ b/doc/FIREWALL 
@@ -1,34 +1,45 @@ -Several people have asked me for ipchains firewalling on bridge -forwarding. Although this is a violation of the OSI model it turns out -to be very useful, and it was very easy to implement, so I did it. +Bridging and firewalling +------------------------ +It is possible to use bridging in combination with firewalling. This is +a blatant violation of the OSI model, but it's very useful, so we don't +care. -Now how does it work? +How do bridging and firewalling go together? First of all, you need a +kernel patch against the 2.4 kernel to actually make firewalling bridged +packets possible. You need to apply this patch to your kernel and recompile +it, or alternatively, download a pre-patched Red Hat 7.2 kernel RPM and use +that. The patch and kernel RPM are located at: -First of all, if you want to use bridge firewalling, you'll have to -apply the extra patch bridge-ipchains.diff in the bridge-utils -distribution to your (already patched with the bridge patch) kernel -tree. Recompile the kernel. + http://bridge.sourceforge.net/devel/bridge-nf/ -Now if you boot this kernel, the bridging code will check each -to-be-forwarded packet against the ipchains chain which has the same -name as the bridge. So.. if a packet on eth0 is to be forwarded to -eth1, and those interfaces are both part of the bridge group br0, the -bridging code will check the packet against the chain called 'br0'. +Now if you boot with this kernel, you can use the regular iptables +firewalling as if you were doing routing. So, rules for forwarding are +added to the FORWARD chain, rules for input to the local machine are +added to the INPUT chain, etc. Things will work like you expect them to. +So a rule like -If the chain does not exist, the packet will be forwarded. So if you -want to do firewalling, you'll have to create the chain yourself. This -is important! 
+ # iptables -A INPUT -i eth0 -j DROP +will drop all traffic coming from 'eth0', even if the interface the packets +are logically from is, say, 'br0'. -Example: -# brctl addbr br0 -# brctl addif br0 eth0 -# brctl addif br0 eth1 -# ifconfig br0 10.0.0.254 -# ipchains -N br0 -# ipchains -A br0 -s 10.0.0.1/8 -i eth0 -j DENY +Lennert Buytenhek, November 7th 2001 +<buytenh@gnu.org> -Lennert Buytenhek + +-------------------------- +Bridge+firewalling with 2.2 kernels is also possible, but deprecated. I +would severely recommend against using a 2.2 kernel and ipchains for bridge +firewalling. But if there's really a need, it's still possible. Apply the +extra firewalling patch available from the 'patches' section to your +already-patched-with-the-vanilla-bridge-patch 2.2 kernel, and recompile. Now +if you boot this kernel, the bridging code will check each to-be-forwarded +packet against the ipchains chain which has the same name as the bridge. So.. +if a packet on eth0 is to be forwarded to eth1, and those interfaces are +both part of the bridge group br0, the bridging code will check the packet +against the chain called 'br0'. If the chain does not exist, the packet will +be forwarded. So if you want to do firewalling, you'll have to create the +chain yourself. This is important! @@ -4,9 +4,6 @@ Longer term: skb queue when a port leaves the FORWARDING state. Not that anyone should care. But it's there. -- For the firewall add-on patch: - - Firewalling on input or output interface? - - RH initscripts for setting up bridge interfaces automatically. Right now, on my home machines, I kludge a bit. Things ought to be transparent, just like the bonding stuff. diff --git a/doc/brctl.8 b/doc/brctl.8 index 20928e4..ba65a41 100644 --- a/doc/brctl.8 +++ b/doc/brctl.8 
@@ -14,7 +14,7 @@ .\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. .\" .\" -.TH BRCTL 8 "January 22, 2000" "" "" +.TH BRCTL 8 "November 7, 2001" "" "" .SH NAME brctl \- ethernet bridge administration .SH SYNOPSIS @@ -165,7 +165,8 @@ selection algorithms. replaces the older brcfg tool. .SH SEE ALSO -.BR ipchains(8) +.BR ipchains(8), +.BR iptables(8) .SH AUTHOR Lennert Buytenhek <buytenh@gnu.org> |
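Review bot: In the doc/FIREWALL hunk, the new 2.4 text says the rules "will work like you expect them to" and then immediately shows an example (`# iptables -A INPUT -i eth0 -j DROP`) whose whole point is that `-i` matches the physical port `eth0` rather than the bridge `br0` the packet is "logically from", which is not what a reader coming from routing expects. Please state the interface semantics explicitly for each chain (what `-i`/`-o` match in INPUT, FORWARD and OUTPUT, and whether a rule written as `-i br0` matches anything at all), since a rule written against the bridge name would otherwise silently never fire. Two smaller points in the same hunk: the retained 2.2/ipchains paragraph says "If the chain does not exist, the packet will be forwarded", so a misnamed chain means no filtering at all; that fail-open behaviour deserves a more prominent warning than "This is important!". And the 2.2 section begins with a bare "--------------------------" rule; give it a heading in the same style as "Bridging and firewalling" so the deprecated section is clearly separated from the 2.4 instructions.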
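Review bot: The doc/TODO hunk removes the open item "Firewalling on input or output interface?", but the new doc/FIREWALL text in this same commit does not actually answer it; it only gives one INPUT example that matches on the physical input port. Either keep the TODO entry until both the input-interface and output-interface matching rules are documented, or add that answer to doc/FIREWALL so the question is resolved rather than just dropped.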
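Review bot: The doc/brctl.8 SEE ALSO hunk adds `.BR iptables(8)` but gives the reader no hint that, per doc/FIREWALL in this commit, iptables only sees bridged packets after the separate bridge-nf kernel patch is applied, and that ipchains-based bridge firewalling on 2.2 is deprecated. Consider adding a short pointer in the man page (for example in the DESCRIPTION or NOTES section) to doc/FIREWALL and the patch requirement, and listing iptables(8) before ipchains(8) since that is the recommended path; the `.BR ipchains(8),` / `.BR iptables(8)` macro usage itself is correct.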