[lug] current state of bridging/ebtables
dan at ferrises.com
Thu Feb 12 14:06:40 MST 2004
I built an IDS/firewall with the ebtables patches. If you want to do
simple filtering based on ethernet MAC addresses, IP addresses, and
ethernet protocol numbers you can use the ebtables binary. If you want
to make a fancy firewall, you can use iptables.
Doing QOS with tc can be tricky for some things because you have two
interfaces to worry about (i.e. eth0 and the bridge interface). I am
speaking from experience here: I tried to make a tc ingress filter on my
external ethernet interface and couldn't figure out why it didn't work.
When I applied it to br0 it worked.
If you are building a firewall, you can't get much better.
D. Stimits wrote:
> Since my bridge has had a hard drive fail, I thought I'd take the time
> to upgrade some of its abilities with newer software. The previous
> bridge used KRUD 7.3, had no IP addresses, and filtered. Some
> customizing was required.
> If I create a KRUD/Redhat 9.0 version of this, can anyone tell me what
> issues I might run into? My goals are that this bridge will be a
> filtering bridge. Previously this was done through ipchains, but I
> believe iptables (or ebtables) would possibly be better. However, at the
> time of creating this original bridge, there were still issues about
> using iptables with bridging. I was satisfied then with non-stateful
> filtering; I can live with that now, but would like some ability to do
> this, along with QoS. Perhaps more interesting is MAC address filtering
> instead of hardwired IP addresses. Can anyone tell me what
> issues/frustrations I'll run into by using KRUD/Redhat 9.0 for a
> filtering bridge?
> D. Stimits, stimits AT comcast DOT net
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
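A concrete form of Dan's two points above (default-deny MAC filtering on the bridge's ebtables FORWARD chain, and attaching the tc ingress policer to br0 rather than eth0), as an added example that is not part of the original post. It assumes a bridge br0 already exists, uses constructed MAC addresses, and prints the commands by default (DRY_RUN=1) so the rule set can be reviewed before it is applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: generate (or apply) a minimal filtering-bridge rule set for
# a Linux bridge br0 using ebtables MAC filtering plus a tc ingress policer.
# Interface name, MAC allow list and rate are assumed/constructed values.

BRIDGE=${BRIDGE:-br0}

# Run one command, or just print it when DRY_RUN=1 (the default), so the
# rule set can be reviewed and tested without root or the ebtables binary.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Validate a MAC (six colon-separated hex octets) before it goes into a
# rule, so a typo cannot silently produce a rule that matches nothing.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Default-deny on the bridged FORWARD path: only frames whose source MAC is
# on the allow list pass. ARP is accepted so permitted hosts can still
# resolve each other; everything else hits the DROP policy.
mac_filter_rules() {
    run ebtables -F FORWARD
    run ebtables -P FORWARD DROP
    run ebtables -A FORWARD -p ARP -j ACCEPT
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
        run ebtables -A FORWARD -s "$mac" -j ACCEPT
    done
}

# Police inbound IP traffic with a tc ingress qdisc. As the thread notes,
# the qdisc must sit on the bridge interface (br0), not on the physical
# eth0, or the filter never sees the bridged frames.
ingress_police_rules() {
    rate=${1:-1mbit}
    run tc qdisc del dev "$BRIDGE" ingress 2>/dev/null
    run tc qdisc add dev "$BRIDGE" handle ffff: ingress
    run tc filter add dev "$BRIDGE" parent ffff: protocol ip u32 \
        match u32 0 0 police rate "$rate" burst 10k drop flowid :1
}
```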