Thursday, August 25, 2011

What's bridge-netfilter?
The bridge-netfilter code enables the following functionality:
  • {Ip,Ip6,Arp}tables can filter bridged IPv4/IPv6/ARP packets, even when encapsulated in an 802.1Q VLAN or PPPoE header. This enables the functionality of a stateful transparent firewall.
  • All filtering, logging and NAT features of the 3 tools can therefore be used on bridged frames.
  • Combined with ebtables, the bridge-nf code therefore makes Linux a very powerful transparent firewall.
  • This enables, e.g., the creation of a transparent masquerading machine (i.e. all local hosts think they are directly connected to the Internet).
  • Letting {ip,ip6,arp}tables see bridged traffic can be disabled or enabled using the appropriate proc entries, located in /proc/sys/net/bridge/:
    • bridge-nf-call-arptables
    • bridge-nf-call-iptables
    • bridge-nf-call-ip6tables
    Also, letting the aforementioned firewall tools see bridged 802.1Q VLAN and PPPoE encapsulated packets can be disabled or enabled with a proc entry in the same directory:
    • bridge-nf-filter-vlan-tagged
    • bridge-nf-filter-pppoe-tagged
  • These proc entries are just regular files. Writing '1' to the file (echo 1 > file) enables the specific functionality, while writing a '0' to the file disables it.
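The following POSIX shell helpers are an added example (not part of the original post or of the ebtables project) showing how a firewall administrator would inspect and toggle the five proc entries listed above. The directory is taken from the assumed variable BRIDGE_NF_DIR, which defaults to the real /proc/sys/net/bridge but can be pointed at a constructed copy so the script can be exercised offline; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: inspect and set the bridge-netfilter
# proc toggles. BRIDGE_NF_DIR is an assumption of this example; it defaults to the
# real directory but can be pointed at a constructed copy for offline testing.
BRIDGE_NF_DIR="${BRIDGE_NF_DIR:-/proc/sys/net/bridge}"

# The five entries named in the text, in one space-separated list.
BRIDGE_NF_ENTRIES="bridge-nf-call-arptables bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-filter-vlan-tagged bridge-nf-filter-pppoe-tagged"

# Print "name=value" for each entry. A missing file is reported as "name=absent":
# on kernels where bridge-netfilter is the separate br_netfilter module, the
# directory only appears once that module is loaded.
bridge_nf_status() {
  for e in $BRIDGE_NF_ENTRIES; do
    if [ -r "$BRIDGE_NF_DIR/$e" ]; then
      printf '%s=%s\n' "$e" "$(cat "$BRIDGE_NF_DIR/$e")"
    else
      printf '%s=absent\n' "$e"
    fi
  done
}

# Write 0 or 1 to one known entry (the "echo 1 > file" form from the text), with
# the checks the bare echo lacks: only 0/1 is accepted, only the five known names
# are accepted, and a missing or read-only file yields a nonzero return instead of
# silently creating a stray file.
bridge_nf_set() {
  name=$1
  value=$2
  case "$value" in
    0|1) ;;
    *) echo "value must be 0 or 1, got '$value'" >&2; return 2 ;;
  esac
  case " $BRIDGE_NF_ENTRIES " in
    *" $name "*) ;;
    *) echo "unknown bridge-nf entry: $name" >&2; return 2 ;;
  esac
  if [ ! -w "$BRIDGE_NF_DIR/$name" ]; then
    echo "cannot write $BRIDGE_NF_DIR/$name (module not loaded, or not root?)" >&2
    return 1
  fi
  echo "$value" > "$BRIDGE_NF_DIR/$name"
}

# Return 0 when iptables currently sees bridged IPv4 frames, 1 otherwise.
bridge_nf_iptables_enabled() {
  [ -r "$BRIDGE_NF_DIR/bridge-nf-call-iptables" ] &&
    [ "$(cat "$BRIDGE_NF_DIR/bridge-nf-call-iptables")" = "1" ]
}

# Stand-alone run: show the current state of all five toggles.
bridge_nf_status
```

Run as root against the real directory, `bridge_nf_status` shows which of the hooks are active; the same values are reachable through sysctl as net.bridge.bridge-nf-call-iptables and friends. One operational point worth checking before flipping bridge-nf-call-iptables to 1: from that moment the host's iptables FORWARD chain applies to every bridged frame, so a restrictive FORWARD policy that was harmless for a plain bridge will start dropping bridged traffic until matching rules are added.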
