[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

filtering between bridge device (br0) and regular ethernet device (ethx)

Hash: SHA1


I've got a special problem: I would like to use a debian box as a
firewall with an interface for the internal, external network and one
for the dmz.

The problem is this: The database server that has to be accessed from
the webservers in the dmz is located on the internal net. I would like
to attach it with gigabit ethernet if possible, as both the webservers
and the database server have such interfaces and because speed matters
here. But on the other hand I would like to save the money for an
additional gigabit ethernet switch for the dmz.

My question is the following: Say, I put 5 interfaces into the firewall
box. I would use one, say eth0 for the internal network, eth1 for the
external and take eth2, eth3 and eth5 as one bridged device br0 for the
dmz. Could I filter traffic between eth0 and br0, resp. eth1 and br0?

I ask this question as I often heard that you can't netfilter bridged
devices without special kernel patches (of course I do not need to
filter between eth2 to eth4). But I can filter between the bridge device
and a regular ethx device that is not member of the bridge, can I?

The br0 device would save me an additional switch though ;-)

I hope that I am not asking a question too silly for this list... I did
an RTFM, but I did not find any hint for this problem...


Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org


Reply to: