On Tuesday 14 February 2006 03:31, Ow Mun Heng <[EMAIL PROTECTED]> wrote 
about 'Re: [gentoo-user] is iptables needed on a Bridge':
> On Mon, 2006-02-13 at 18:38 -0600, Boyd Stephen Smith Jr. wrote:
> > On Sunday 12 February 2006 20:58, Ow Mun Heng <[EMAIL PROTECTED]> wrote
> > about '[gentoo-user] is iptables needed on a Bridge':
> > >   Just got a bridge setup to put in to monitor network traffic. I
> > > wonder if there's a need to put in iptables/ebtables into it.
>
> I only asked this question because I am paranoid and when building
> internet connected servers, being paranoid is a good thing(tm).

Agreed.

If you /do/ want to do packet filtering on br0, I believe you can with 
iptables.  A rule within the filter table on the FORWARDING chain with -i 
br0 -o br0 should match.  You could also do some logging this way.

> I also wanted to know if there's a need for iptables, mainly for
> security. But since there isn't an ip addressed to br0, I would presume
> that it is safe, but I thought I'll check here 1st.

I really can't answer the safety issue.  From my understanding packets 
coming in br0 can be delivered locally, even when br0 doesn't have an IP 
address (and similarly with sending packets out br0) so I don't think not 
having an IP address really buys you any safety.

That said, I'm a newbie or worse when it comes to these issues.  I've just 
recently started learning iptables.

> > > the bridge(br0) does not have an ip address.
> >
> > That seems wrong to me, my bridge device (between the two GB ethernet
> > ports on my MB) does indeed get an IP address and neither eth0/1 gets
> > one.
>
> Yes. That's right, eth0 and eth1 don't get an ip.
> /etc/conf.d/net contains
> config_eth0("null")
> config_eth1("null")
>
> I don't put an IP on the bridge (Br0) because there isn't a need for
> one. What I do is put another eth card (eth2) into the mix and put a
> private IP into it for SSH access and admin etc.

Okay; I use my br0 as my connection to the local network, so I do assign a 
(DHCP) address to it.

-- 
Boyd Stephen Smith Jr.
[EMAIL PROTECTED]
ICQ: 514984 YM/AIM: DaTwinkDaddy
-- 
gentoo-user@gentoo.org mailing list
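As an added example (not from either poster), here is a ruleset for the setup discussed above: a monitoring bridge br0 (eth0 + eth1, no IP address) with a separate eth2 carrying a private admin address for SSH. It uses the FORWARD chain with -i br0 -o br0 as Boyd suggests (the chain is named FORWARD, not FORWARDING), logs bridged traffic, and drops anything arriving on br0 for the host itself, since an address-less bridge can still deliver packets locally. Assumptions: the interface names from the thread, a constructed admin subnet, and that net.bridge.bridge-nf-call-iptables=1 (br_netfilter) is set, without which bridged frames never traverse iptables at all.

```shell
#!/bin/sh
# Added example for the gentoo-user thread above; not code from the thread.
# Emits an iptables-restore ruleset for a transparent monitoring bridge.
# Assumed: br0 = eth0+eth1 with no IP, eth2 = private management NIC,
# and sysctl net.bridge.bridge-nf-call-iptables=1 so bridged frames
# actually hit the FORWARD chain.

MGMT_IF="eth2"
MGMT_NET="192.168.100.0/24"   # constructed admin subnet, adjust to taste

bridge_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections the host opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# br0 has no address, but the stack can still deliver frames locally:
# log and refuse anything addressed to the host via the bridge.
-A INPUT -i br0 -m limit --limit 5/min -j LOG --log-prefix "BR0-INPUT-DROP: " --log-level 4
-A INPUT -i br0 -j DROP
# SSH only from the private admin network on the management NIC.
-A INPUT -i $MGMT_IF -s $MGMT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Bridged traffic (in br0, out br0): sample it to the log, then pass it.
# This box is a monitor, not a firewall, so the default is ACCEPT here.
-A FORWARD -i br0 -o br0 -m limit --limit 10/min -j LOG --log-prefix "BR0-FWD: " --log-level 4
-A FORWARD -i br0 -o br0 -j ACCEPT
COMMIT
EOF
}

# Sanity check: the rule Boyd describes is present exactly once.
check_ruleset() {
    [ "$(bridge_ruleset | grep -c -- '^-A FORWARD -i br0 -o br0 -j ACCEPT$')" -eq 1 ]
}

# To load (as root): bridge_ruleset | iptables-restore
```

Load it with iptables-restore rather than one iptables call per line so the whole set is applied atomically; watch the kernel log for the BR0-INPUT-DROP prefix to see whether anything on the monitored segment is actually talking to the bridge host.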
