Re: stealth firewall problem

From: Jan Engelhardt
Date: Mon Apr 03 2006 - 04:54:27 EST



> ifconfig $INTERIOR_IFACE 0.0.0.0 promisc up -arp
> ifconfig $EXTERIOR_IFACE 0.0.0.0 promisc up -arp
> brctl addif $BRIDGE_IFACE $INTERIOR_IFACE
> brctl addif $BRIDGE_IFACE $EXTERIOR_IFACE
> ifconfig $BRIDGE_IFACE 0.0.0.0 up -arp

[-]arp  Enable or disable the use of the ARP protocol on this interface.

Maybe you should leave the arp bit on, i.e.
ip l s eth0 up
ip l s eth1 up
brctl addif br0 eth0 eth1
ip l s br0 up
(by default it will take 15 seconds for the bridge to become alive now)

> /sbin/modprobe ipt_LOG

Not explicitly needed.

> echo "1" > /proc/sys/net/ipv4/ip_forward

This is not needed for brX.

> iptables -A FORWARD -i $EXTERIOR_IFACE -p tcp -m state --state NEW -j LOG
> --log-prefix "INBOUND TCP: "

That won't work. A bridged packet has -i br0 -o br0. You must match it with
-m physdev --physdev-in $EXTERIOR --physdev-out $INTERIOR.



Jan Engelhardt
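An added example, not code from this thread, that puts the corrections above into one script: the bridge ports come up with ARP left enabled and no address, ip_forward is not touched, and the inbound log rule matches the physical ports with -m physdev instead of -i $EXTERIOR_IFACE. The interface names eth0/eth1/br0 and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail). Transparent bridge firewall:
# br0 bridges eth0 (interior) and eth1 (exterior); new inbound TCP connections
# are logged with the physdev match. Names eth0/eth1/br0 are assumed.
# DRY_RUN=1 prints the commands instead of executing them (needs root otherwise).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bring up the bridge. The ports keep ARP enabled and get no address of
# their own; a bridge forwards frames without net.ipv4.ip_forward.
bridge_up() {
    inside=$1; outside=$2; br=$3
    run ip link set "$inside" up
    run ip link set "$outside" up
    run brctl addbr "$br"
    run brctl addif "$br" "$inside" "$outside"
    run ip link set "$br" up    # STP forwarding delay applies (15 s default)
}

# A bridged packet passes FORWARD with -i br0 -o br0, so "-i eth1" never
# matches. The physical ingress/egress ports are matched with -m physdev.
log_inbound_new_tcp() {
    inside=$1; outside=$2; br=$3
    run iptables -A FORWARD -i "$br" -o "$br" \
        -m physdev --physdev-in "$outside" --physdev-out "$inside" \
        -p tcp -m state --state NEW \
        -j LOG --log-prefix "INBOUND TCP: "
}

# Sanity check for a rule line: it must carry the physdev match, otherwise
# it is the non-matching "-i $EXTERIOR_IFACE" form from the original post.
rule_uses_physdev() {
    case "$1" in
        *"-m physdev --physdev-in "*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    bridge_up eth0 eth1 br0
    log_inbound_new_tcp eth0 eth1 br0
}

if [ "$1" = apply ]; then main; fi
```

On kernels that expose /proc/sys/net/bridge/bridge-nf-call-iptables, that sysctl must read 1 or bridged frames never reach the FORWARD chain at all, and the LOG rule stays silent no matter how it matches.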