I'm running Debian Stable with kernel 2.4.25 patched with the bridge-nf
patch from
http://ebtables.sourceforge.net/ which allows bridged IP
packets to be seen by netfilter/iptables on the FORWARD chain. I'm
using the bridge to split off certain systems on a 192.168.1.0/24
network away from Windows PCs and control access to them. The bridge
has the IP address 192.168.1.25 assigned to the bridge interface (br0)
and contains both Ethernet cards (eth0 and eth1). IP Forwarding is off
- and the bridging/firewalling works great for unicast traffic.
However, I have one system "behind" the firewall that uses some sort of
discovery protocol where it broadcasts to 192.168.1.255 via UDP. The
client software on the other side of the firewall doesn't work without
seeing this. Is this supposed to hit the FORWARD chain or the INPUT
chain for the local IP address (or both)? My FORWARD chain for the
Ethernet interface it's behind (eth0) doesn't show any log of it being
dropped, so I'm assuming it goes to the INPUT chain (where it would get
dropped without logging with the Windows broadcast noise from the other
side of the firewall):
Chain FORWARD (policy DROP)
num  target      prot opt source     destination
1    SECURE_OUT  all  --  0.0.0.0/0  0.0.0.0/0    -i eth0
2    PC_IN       all  --  0.0.0.0/0  0.0.0.0/0    -i eth1

Chain SECURE_OUT (1 references)
num  target      prot opt source     destination
1    ACCEPT      all  --  0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
2    LOG         all  --  0.0.0.0/0  0.0.0.0/0    LOG flags 0 level 4 prefix `SECURE_OUT Dropped: '
3    DROP        all  --  0.0.0.0/0  0.0.0.0/0
Thanks,
Josh
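One way to find out which chain the bridged UDP broadcast actually traverses is to put a LOG rule with a distinct prefix at the top of both INPUT and FORWARD and watch which prefix shows up in syslog (and which rule's counters move), then permit only that one broadcast in SECURE_OUT ahead of the existing LOG/DROP pair. This is an added example, not from the original post; it assumes the discovery protocol's UDP port is known (DISCOVERY_PORT, a placeholder since the post does not give it) and uses the interface and chain names from the post.

```shell
#!/bin/sh
# Added example, not part of the original post.
# IPT is the iptables binary; set IPT=echo to print the rules instead of
# loading them. DISCOVERY_PORT is an assumption: the post does not name
# the port the discovery protocol broadcasts to.
IPT="${IPT:-iptables}"
BCAST=192.168.1.255
SECURE_IF=eth0
DISCOVERY_PORT="${DISCOVERY_PORT:-PLACEHOLDER_PORT}"

add_broadcast_probe() {
    # One LOG rule at position 1 of each chain; the prefix tells the
    # two apart in syslog, and "iptables -L -v" shows which counter moves.
    $IPT -I INPUT   1 -i "$SECURE_IF" -p udp -d "$BCAST" \
        -j LOG --log-prefix "BCAST INPUT: "
    $IPT -I FORWARD 1 -i "$SECURE_IF" -p udp -d "$BCAST" \
        -j LOG --log-prefix "BCAST FORWARD: "
}

allow_discovery_broadcast() {
    # Insert at position 2 of SECURE_OUT, i.e. after the
    # RELATED,ESTABLISHED accept and before the catch-all LOG and DROP,
    # matching only the discovery broadcast rather than every UDP broadcast.
    $IPT -I SECURE_OUT 2 -p udp -d "$BCAST" --dport "$DISCOVERY_PORT" \
        -j ACCEPT
}

show_probe_counters() {
    # Packet/byte counters per rule; the probe LOG rules are rule 1.
    $IPT -L INPUT   -v -n --line-numbers
    $IPT -L FORWARD -v -n --line-numbers
}

# Apply only when invoked as "sh script.sh apply" (as root), so sourcing
# the file for inspection changes nothing.
if [ "${1:-}" = "apply" ]; then
    add_broadcast_probe
    allow_discovery_broadcast
    show_probe_counters
fi
```

Run with `IPT=echo sh script.sh apply` first to review the generated rules, then as root with the real port set to load them.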