| author | Bart De Schuymer <bdschuym@pandora.be> | 2003-12-30 19:07:25 +0000 |
|---|---|---|
| committer | Bart De Schuymer <bdschuym@pandora.be> | 2003-12-30 19:07:25 +0000 |
| commit | 5c8b24817cb3907c9d635a2290d7f46cab8aea46 (patch) | |
| tree | ec7da17839545aabffc859534d72448a88e7cc78 /docs | |
| parent | db13a36326c2477ac2bfdc04b9aee2bf53cd90d9 (diff) | |
*** empty log message ***
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/arptables-faq.html | 56 |
| -rw-r--r-- | docs/brnf-faq.html | 146 |
| -rw-r--r-- | docs/brnf.css | 73 |
3 files changed, 275 insertions, 0 deletions
diff --git a/docs/arptables-faq.html b/docs/arptables-faq.html new file mode 100644 index 0000000..c1aaa8d --- /dev/null +++ b/docs/arptables-faq.html @@ -0,0 +1,56 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> +<HTML> +<HEAD> + <TITLE>Arptables Frequently Asked Questions</TITLE> + <LINK rel="SHORTCUT ICON" href=""> + <LINK rel="STYLESHEET" type="text/css" href="brnf.css"> + <META name="description" content="Arptables Frequently Asked Questions"> + <META name="author" content="Bart De Schuymer"> + <META name="keywords" content="Linux, netfilter, firewall, bridge, arptables"> + <META name="keywords" content="FAQ, kernel, arptables, chains, rules, tables"> +</HEAD> +<BODY> + <DIV class="banner" align="center"> + <H1>Arptables Frequently (and less frequently) Asked Questions</H1> + </DIV> + <A name="top"></A> + <P>Last modified: December 30, 2003</P> + <DL> + <DT> +Why does arptables have 2 chains on a 2.4 kernel and 3 chains +on a 2.6 kernel? + </DT> + <DD> +The 2.4 kernel doesn't have the arptables FORWARD chain as 2.4 +kernels can't filter bridged ARP traffic. + </DD> + <DT> +When is the bridged ARP traffic seen by arptables? + </DT> + <DD> +The artables FORWARD chain sees all ARP packets that are being +bridged, it sees no other traffic. + </DD> + <DT> +What about ARP packets that arrive through a bridge port and +are delivered to the bridge's local ARP stack? + </DT> + <DD> +They are seen in the arptables INPUT chain and have as input +device the logical bridge device, unless you broute them +using ebtables. Brouted packets will have the physical bridge +port as input device. + </DD> + <DT> +What about locally generated ARP packets that leave the bridge +through a logical bridge device? + </DT> + <DD> +They are seen in the arptables OUTPUT chain and have as output +device the logical bridge device. + </DD> + </DL> + <A class=navbar href="#top">[Back to the top]</A> + <HR> +</BODY> +</HTML> 
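Review bot: typo in the answer to "When is the bridged ARP traffic seen by arptables?" in docs/arptables-faq.html: "The artables FORWARD chain" should read "The arptables FORWARD chain". Two smaller markup points in the same file: `<A class=navbar href="#top">` leaves the class value unquoted while every other attribute in the file is quoted, so `<A class="navbar" href="#top">` would keep it consistent, and `<LINK rel="SHORTCUT ICON" href="">` with an empty href resolves to the page's own URL, so it should either point at a real icon file or be dropped.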
diff --git a/docs/brnf-faq.html b/docs/brnf-faq.html new file mode 100644 index 0000000..0fa94c4 --- /dev/null +++ b/docs/brnf-faq.html 
@@ -0,0 +1,146 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> +<HTML> +<HEAD> + <TITLE>Bridge-netfilter Frequently Asked Questions</TITLE> + <LINK rel="SHORTCUT ICON" href=""> + <LINK rel="STYLESHEET" type="text/css" href="brnf.css"> + <META name="description" content="Bridge-netfilter Frequently Asked Questions"> + <META name="author" content="Bart De Schuymer"> + <META name="keywords" content="Linux, netfilter, firewall, bridge, brouter, ebtables, iptables"> + <META name="keywords" content="FAQ, kernel, ebtables, br-nf, brnf, bridge-nf, ethernet, nat, chains, rules, tables"> +</HEAD> +<BODY> + <DIV class="banner" align="center"> + <H1>Bridge-netfilter Frequently (and less frequently) Asked Questions</H1> + </DIV> + <A name="top"></A> + <P>Last modified: December 30, 2003</P> + <H2>Questions</H2> + <OL> + <LI class="question"><A href="#quiz0">Connection tracking</A></LI> + <LI class="question"><A href="#quiz1">General</A></LI> + </OL> + <H2>Answers</H2> + <OL> + <LI class="question"> + <B><A name="quiz0">Connection tracking</A></B> + <DL> + <DT> +What happens when I enable connection tracking? + </DT> + <DD> +By default, all IP packets will be seen by the connection +tracking code. This code is called on the PF_INET/PRE_ROUTING +and PF_INET/LOCAL_OUT hooks. For bridged packets, only the +PRE_ROUTING connection tracking is important. + </DD> + </DL> + <DL> + <DT> +What are the disadvantages of connection tracking on a bridging +firewall? + </DT> + <DD> + <OL> + <LI> +For an IP packet entering a bridge device, connection tracking +is called before the bridge code decides what to do with the +packet. This means that IP packets that will be discarded by +the bridge code are tracked by connection tracking. For a router, +the same is true, but a bridge also sees the traffic between +hosts on the same side of a network. 
It's possible to prevent +these packets from being seen by connection tracking: you can +either drop them in the ebtables nat PREROUTING chain or use the +iptables NOTRACK target. + </LI> + <LI> +Fragmented IP packets (typically UDP traffic like NFS) are +defragmented by the connection tracking code and refragmented +before sending them out. This slows down traffic, but the +transparancy of the firewall isn't diminished. + </LI> + </OL> + </DD> + </DL> + <A class=navbar href="#top">[Back to the top]</A> + <HR> + </LI> + <LI class="question"> + <B><A name="quiz1">General</A></B> + <DL> + <DT> +What happens with IP DNAT on a to be bridged packet? + </DT> + <DD> +If IP DNAT happened then the bridge-nf code asks the routing +table where the packet should be sent. If it has to be sent +over another device (not the bridge device) then the packet is +routed (an implicit redirect). If the routing table sends the +packet to the bridge device, then the packet is bridged but the +MAC destination is correctly changed. + </DD> + </DL> + <DL> + <DT> +How can I disable bridge-nf? + </DT> + <DD> +If you don't want iptables and arptables to see bridged traffic, +you can disable bridge-nf in the 2.6 kernel at compile time by +disabling "Bridged IP/ARP packets filtering". + </DD> + </DL> + <DL> + <DT> +Can I disable/enable bridge-nf specifics on-the-fly? + </DT> + <DD> +As of kernel version 2.6.1, there are three sysctl entries for +bridge-nf behavioral control (they can be found under +/proc/sys/net/bridge/): + <UL> + <LI> +bridge-nf-call-arptables - pass (1) or don't pass (0) bridged +ARP traffic to arptables' FORWARD chain. + </LI> + <LI> +bridge-nf-call-iptables - pass (1) or don't pass (0) bridged +IPv4 traffic to iptables' chains. + </LI> + <LI> +bridge-nf-filter-vlan-tagged - pass (1) or don't pass (0) +bridged vlan-tagged ARP/IP traffic to arptables/iptables. 
+ </LI> + </UL> + </DD> + </DL> + + <DL> + <DT> +Do {ip,arp}tables see VLAN tagged IP/ARP traffic on an untagged +bridge? + </DT> + <DD> +Yes. Kernel versions 2.6.0-test7 and above have this +functionality. Patch ebtables-brnf-3-vs-2.4.22 and later patches +(for 2.4) have this functionality too. + </DD> + <DT> +Do {ip,arp}tables see encapsulated 802.2/802.3 IP/ARP traffic? + </DT> + <DD> +No. Adding this shouldn't be that hard though. + </DD> + <DT> +Does ip6tables see any bridge IPv6 traffic? + </DT> + <DD> +Nope, it's on the todo-list. + </DD> + </DL> + <A class=navbar href="#top">[Back to the top]</A> + <HR> + </LI> + </OL> +</BODY> +</HTML> diff --git a/docs/brnf.css b/docs/brnf.css new file mode 100644 index 0000000..a99ead0 --- /dev/null +++ b/docs/brnf.css 
@@ -0,0 +1,73 @@ +H1 { FONT: bold 20pt Times, serif; TEXT-ALIGN: center; TEXT-DECORATION: none } +H2 { font: arial } +P { FONT: 14pt Times, serif } +LI.question { FONT: 18pt Times, serif; margin-top: 5pt; } +PRE { FONT: 14pt Courier, monospace; + margin-top: 5pt; + margin-bottom: 5pt; + background-color: white; + color: black; + } + +<<<<<<< ebtables.css +:link { color: #ccff66 } +:visited { color: #9933ff } +======= +:link { color: #993399 } +:visited { color: #6633cc } +>>>>>>> 1.2 +:active { color: #0000FF; } +:hover { color: #3300ff; } + +A { + text-decoration: none; +} + +.navbar { FONT: 12pt Courier, monospace; font-weight: bolder; + } + +.statement { TEXT-DECORATION: underline } +.section { FONT: bold 22pt Times } +.case { FONT-STYLE: italic } +.note { + font-family: Arial; + font-weight: normal; + font-size: 14pt; + padding-left: 0.4em; + border: solid; + border-width: thin; + border-left: solid; + border-right: none; + border-top: none; + border-bottom: none; + border-left-width: thin; + border-color: red; + margin-top: 0.2em; + margin-bottom: 0.2em; +} + +DIV { + border: solid; + border-width: thin; + background-color: #ffcc99 +} + +BODY { + background-color: white; +} + +DT { + color: #ff0033; + font-size: 12pt; + font-style: italic; + font-weight: bold; + font-family: Arial; + margin-top: 10pt; + margin-bottom: 5pt; +} +DD { + color: black; + font-size: 12pt; + font-style: normal; + font-family: Helvetica; +} |
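Review bot: two wording fixes in docs/brnf-faq.html: "transparancy of the firewall" in the second connection-tracking disadvantage should be "transparency", and the question "What happens with IP DNAT on a to be bridged packet?" reads better as "on a to-be-bridged packet". The answer listing the three /proc/sys/net/bridge/ sysctl entries (bridge-nf-call-arptables, bridge-nf-call-iptables, bridge-nf-filter-vlan-tagged) would also be more useful if it stated each entry's default value, since a reader asking whether bridged traffic can be toggled on the fly needs to know the starting state before changing it.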
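Review bot: unresolved merge-conflict markers are committed in docs/brnf.css: the lines `<<<<<<< ebtables.css`, `=======` and `>>>>>>> 1.2` surrounding the two `:link`/`:visited` rule pairs are not CSS and will be served to every reader of the FAQ. Pick one colour set (the `#993399`/`#6633cc` pair from revision 1.2 or the `#ccff66`/`#9933ff` pair from ebtables.css), delete the markers and the other pair, then commit. Browser error recovery will skip the malformed tokens, so the visible effect is mostly that the link colours are silently dropped, but the markers also show this commit was made from a working copy with an unresolved CVS conflict, which is worth re-checking for the other two files in the same commit. Separately, `H2 { font: arial }` is not a valid `font` shorthand (the shorthand needs at least a size and a family, so the declaration is discarded); `font-family: Arial` is what was intended.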