author     buytenh <buytenh>  2001-11-07 17:16:20 +0000
committer  buytenh <buytenh>  2001-11-07 17:16:20 +0000
commit     35a7dca7af9ab48bca94f0094e9ec810a712977b (patch)
tree       fed3babd9e05660eec193b6a77755204b968f4bd
parent     d7f0c1b7a7fa15a3dbace8a2aa91e2fc040c111a (diff)
download   bridge-utils-35a7dca7af9ab48bca94f0094e9ec810a712977b.tar.gz
update for 2.4 firewalling
-rw-r--r--  doc/FIREWALL  59
-rw-r--r--  doc/TODO       3
-rw-r--r--  doc/brctl.8    5
3 files changed, 38 insertions, 29 deletions
diff --git a/doc/FIREWALL b/doc/FIREWALL
index 8ba50b2..b0ea705 100644
--- a/doc/FIREWALL
+++ b/doc/FIREWALL
@@ -1,34 +1,45 @@
-Several people have asked me for ipchains firewalling on bridge
-forwarding. Although this is a violation of the OSI model it turns out
-to be very useful, and it was very easy to implement, so I did it.
+Bridging and firewalling
+------------------------
+It is possible to use bridging in combination with firewalling. This is
+a blatant violation of the OSI model, but it's very useful, so we don't
+care.
-Now how does it work?
+How do bridging and firewalling go together? First of all, you need a
+kernel patch against the 2.4 kernel to actually make firewalling bridged
+packets possible. You need to apply this patch to your kernel and recompile
+it, or alternatively, download a pre-patched Red Hat 7.2 kernel RPM and use
+that. The patch and kernel RPM are located at:
-First of all, if you want to use bridge firewalling, you'll have to
-apply the extra patch bridge-ipchains.diff in the bridge-utils
-distribution to your (already patched with the bridge patch) kernel
-tree. Recompile the kernel.
+ http://bridge.sourceforge.net/devel/bridge-nf/
-Now if you boot this kernel, the bridging code will check each
-to-be-forwarded packet against the ipchains chain which has the same
-name as the bridge. So.. if a packet on eth0 is to be forwarded to
-eth1, and those interfaces are both part of the bridge group br0, the
-bridging code will check the packet against the chain called 'br0'.
+Now if you boot with this kernel, you can use the regular iptables
+firewalling as if you were doing routing. So, rules for forwarding are
+added to the FORWARD chain, rules for input to the local machine are
+added to the INPUT chain, etc. Things will work like you expect them to.
+So a rule like
-If the chain does not exist, the packet will be forwarded. So if you
-want to do firewalling, you'll have to create the chain yourself. This
-is important!
+ # iptables -A INPUT -i eth0 -j DROP
+will drop all traffic coming from 'eth0', even if the interface the packets
+are logically from is, say, 'br0'.
-Example:
-# brctl addbr br0
-# brctl addif br0 eth0
-# brctl addif br0 eth1
-# ifconfig br0 10.0.0.254
-# ipchains -N br0
-# ipchains -A br0 -s 10.0.0.1/8 -i eth0 -j DENY
+Lennert Buytenhek, November 7th 2001
+<buytenh@gnu.org>
-Lennert Buytenhek
+
+--------------------------
+Bridge+firewalling with 2.2 kernels is also possible, but deprecated. I
+would severely recommend against using a 2.2 kernel and ipchains for bridge
+firewalling. But if there's really a need, it's still possible. Apply the
+extra firewalling patch available from the 'patches' section to your
+already-patched-with-the-vanilla-bridge-patch 2.2 kernel, and recompile. Now
+if you boot this kernel, the bridging code will check each to-be-forwarded
+packet against the ipchains chain which has the same name as the bridge. So..
+if a packet on eth0 is to be forwarded to eth1, and those interfaces are
+both part of the bridge group br0, the bridging code will check the packet
+against the chain called 'br0'. If the chain does not exist, the packet will
+be forwarded. So if you want to do firewalling, you'll have to create the
+chain yourself. This is important!
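Review bot: the only worked rule is an INPUT case, and it leaves the logical-interface question open: the text says `-i eth0` matches the physical ingress port "even if the interface the packets are logically from is, say, 'br0'", but never states whether `-i br0` matches anything, which is exactly what an administrator porting an existing routing ruleset will write. State both behaviours explicitly, and add a FORWARD example naming the bridged ports, since forwarded traffic is the case the opening paragraph motivates and "Things will work like you expect them to" is not a specification. In the 2.2 paragraph, the fail-open default ("If the chain does not exist, the packet will be forwarded") should be stated before the setup steps rather than at the end, because a chain whose name does not match the bridge name means no filtering at all; also "So.." should read "So,".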
diff --git a/doc/TODO b/doc/TODO
index 3e6aca9..37bd4db 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -4,9 +4,6 @@ Longer term:
skb queue when a port leaves the FORWARDING state. Not that anyone
should care. But it's there.
-- For the firewall add-on patch:
- - Firewalling on input or output interface?
-
- RH initscripts for setting up bridge interfaces automatically. Right
now, on my home machines, I kludge a bit. Things ought to be
transparent, just like the bonding stuff.
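Review bot: removing "Firewalling on input or output interface?" drops an open question that doc/FIREWALL in this same change only half answers: it documents that `-i eth0` on INPUT matches the physical ingress port, but says nothing about which interface name is seen for the output side of FORWARD and OUTPUT rules. Either keep the item until that is documented, or add a sentence to doc/FIREWALL stating the output-interface behaviour.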
diff --git a/doc/brctl.8 b/doc/brctl.8
index 20928e4..ba65a41 100644
--- a/doc/brctl.8
+++ b/doc/brctl.8
@@ -14,7 +14,7 @@
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\"
-.TH BRCTL 8 "January 22, 2000" "" ""
+.TH BRCTL 8 "November 7, 2001" "" ""
.SH NAME
brctl \- ethernet bridge administration
.SH SYNOPSIS
@@ -165,7 +165,8 @@ selection algorithms.
replaces the older brcfg tool.
.SH SEE ALSO
-.BR ipchains(8)
+.BR ipchains(8),
+.BR iptables(8)
.SH AUTHOR
Lennert Buytenhek <buytenh@gnu.org>
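Review bot: since doc/FIREWALL now recommends against the ipchains path for bridge firewalling, listing iptables(8) first, or adding a pointer to doc/FIREWALL in this SEE ALSO section, would steer readers to the supported setup; as written, ipchains(8) still appears as the primary reference.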