
Re: Bridge and IPF



I use 2.5 with latest (two weeks ago) cvs update on kernel, ipf, ipftest,
ipfstat, ipnat, ipmon.

Yes, I missed the -E flag. But without the -E flag, I did the following.
I don't really recall the exact syntax; anyway, same idea.

1.  pass in all
    pass out all
    in ipf.rules. Then ipf -Fa -f ipf.rules.
    I tried to ping a machine outside the bridge from inside the bridge. It works.

2.  Then block in all
    block out all
    ipf -Fa -f ipf.rules
    Ping does not work.

3.  Empty ipf.rules
    ipf -Fa -f ipf.rules
    I could ping.

I will try all the combinations with the -E flag tomorrow.

Thank you

awc

Matthew Patton wrote:

> DEFAULT_BLOCK means that if the packet exits the ruleset without
> matching on anything it will get dropped. So therefore your firewall
> SHOULD be dropping packets.
>
> What bit me with the 2.5 upgrade was the need for the "-E" flag to be
> specified, which didn't use to be the case. I'm assuming you didn't miss
> that little bit.
>
> But it could very well be that somehow in the recent source upgrades the
> DEFAULT_BLOCK option got nuked by mistake. I'll have to see what
> happened. BTW what version are you running?