1 files changed, 38 insertions, 0 deletions

diff --git a/doc/FIREWALL b/doc/FIREWALL
new file mode 100644
index 0000000..7ffff86
--- /dev/null
+++ b/doc/FIREWALL
@@ -0,0 +1,38 @@
+Bridging and firewalling
+------------------------
+It is possible to use bridging in combination with firewalling.  This is
+a blatant violation of the OSI model, but it's very useful, so we don't
+care.
+
+Assuming you are on a non-stone age kernel (less than 5 years old).
+You can use the regular iptables firewalling as if you were doing
+routing.  So, rules for forwarding are added to the FORWARD chain,
+rules for input to the local machine are added to the INPUT chain,
+etc.  Things will work like you expect them to.
+So a rule like
+
+	# iptables -A INPUT -i eth0 -j DROP
+
+will drop all traffic coming from 'eth0', even if the interface the packets
+are logically from is, say, 'br0'.
+
+
+
+Lennert Buytenhek, November 7th 2001
+<buytenh@gnu.org>
+
+
+
+--------------------------
+Bridge+firewalling with 2.2 kernels is also possible, but deprecated.  I
+would severely recommend against using a 2.2 kernel and ipchains for bridge
+firewalling.  But if there's really a need, it's still possible.  Apply the
+extra firewalling patch available from the 'patches' section to your
+already-patched-with-the-vanilla-bridge-patch 2.2 kernel, and recompile.  Now
+if you boot this kernel, the bridging code will check each to-be-forwarded
+packet against the ipchains chain which has the same name as the bridge. So..
+if a packet on eth0 is to be forwarded to eth1, and those interfaces are
+both part of the bridge group br0, the bridging code will check the packet
+against the chain called 'br0'.  If the chain does not exist, the packet will
+be forwarded. So if you want to do firewalling, you'll have to create the
+chain yourself. This is important!