Bridge Filter


I. What is Bridge Filter

Bridge Filter is a patch for the Linux 2.2.x kernel (developed under 2.2.5 and successfully applied to 2.2.9). The patch creates a new built-in firewall (ipchains) chain named bridgein that you can use to filter packets before they reach the bridge code.

The stock kernel's firewall and bridge functions both work, but there is no way to choose exactly which packets get bridged. The main goal of this patch is to add that capability.

Let's assume you have the following network configuration:

[Figure: initial network configuration]

A common way to set up a firewall is to configure the existing gateway to do the filtering. That is not possible if you have no access to the current gateway, or if the gateway is unable to perform this task.

Another solution is to place a new machine in front of the gateway, acting as a bridge, which filters the packets passing through it.

[Figure: modified network configuration]

The Bridge Filter patch adds a new chain that filters packets before they enter the bridge.


II. Installation

Apply the patch with patch -p0 < linux_brfw2.diff.
(A patch for kernel 2.2.17 is available thanks to Sidster, who adapted the 2.2.9 patch to kernel 2.2.17.)
(A patch for kernel 2.2.19 is also available thanks to Sean Trifero.)

Then configure the kernel with packet filtering (firewall) and bridging enabled. See the Bridge+Firewall HOWTO if necessary.

Then recompile the kernel and reboot. Enable the bridge and check that it bridges traffic properly before adding any rules.

When everything works, simply configure the bridgein chain. Only ACCEPT and DENY targets have been tested. MASQ does not seem to have a meaning on this chain (but who knows), and REJECT does not work.
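The following script is an added example of what a bridgein configuration can look like once the bridge is up; it is not part of the patch or of this page's original text. It assumes a layout the page does not specify: eth0 faces the existing gateway, eth1 faces a LAN numbered 192.168.1.0/24 with one web server at 192.168.1.10 (constructed addresses), the bridge is driven with the 2.2-era brcfg tool as in the Bridge+Firewall HOWTO, and ipchains accepts the new built-in chain by name. It only uses the ACCEPT and DENY targets the patch reports as tested, ends with an explicit logged DENY instead of a chain policy (the page does not say a policy can be set on bridgein), and includes a check that rejects any rule using REJECT or MASQ. By default it only prints the commands; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example: bridgein rule set for a transparent filtering bridge built
# with the Bridge Filter patch. Not part of the patch itself.
# Assumptions (not stated on the page): eth0 faces the gateway, eth1 faces the
# LAN 192.168.1.0/24 (constructed addresses), the bridge is controlled with
# brcfg, and ipchains accepts the built-in chain "bridgein" by name.
set -u

IPCHAINS=${IPCHAINS:-ipchains}
BRCFG=${BRCFG:-brcfg}
OUT_IF=${OUT_IF:-eth0}          # towards the existing gateway (outside)
IN_IF=${IN_IF:-eth1}            # towards the protected LAN (inside)
LAN=${LAN:-192.168.1.0/24}      # constructed LAN prefix
WEB=${WEB:-192.168.1.10}        # the only LAN host reachable from outside

# Bridge bring-up: enable bridging and both ports (brcfg syntax as used by
# the Bridge+Firewall HOWTO; port numbers follow interface order, assumed).
bridge_cmds() {
    cat <<EOF
$BRCFG -enable
$BRCFG -port 0 -enable
$BRCFG -port 1 -enable
EOF
}

# One ipchains command per line. bridgein sees every IP packet before it is
# bridged, in both directions, so -i (arrival interface) selects direction.
# Inside -> outside: accept only packets sourced from the LAN (anti-spoofing).
# Outside -> inside: accept TCP that is not a connection request (! -y),
# new TCP connections only to the web server, DNS replies, and ICMP.
# Everything else is dropped by a final logged DENY (-l).
bridgein_cmds() {
    cat <<EOF
$IPCHAINS -F bridgein
$IPCHAINS -A bridgein -i $IN_IF -s $LAN -j ACCEPT
$IPCHAINS -A bridgein -i $IN_IF -j DENY -l
$IPCHAINS -A bridgein -i $OUT_IF -p tcp ! -y -d $LAN -j ACCEPT
$IPCHAINS -A bridgein -i $OUT_IF -p tcp -d $WEB 80 -j ACCEPT
$IPCHAINS -A bridgein -i $OUT_IF -p udp -s 0/0 53 -d $LAN -j ACCEPT
$IPCHAINS -A bridgein -i $OUT_IF -p icmp -d $LAN -j ACCEPT
$IPCHAINS -A bridgein -j DENY -l
EOF
}

# Sanity check against the limitations the patch documents: no REJECT, no
# MASQ, and every command must act on the bridgein chain. Returns 1 on the
# first offending line (exit inside the pipeline subshell sets the status).
check_cmds() {
    bridgein_cmds | while read -r line; do
        case "$line" in
            *REJECT*|*MASQ*) echo "untested target in: $line" >&2; exit 1 ;;
            *" bridgein "*|*" bridgein") ;;
            *) echo "rule not on bridgein: $line" >&2; exit 1 ;;
        esac
    done
}

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them, stopping
# at the first failing command so a typo does not leave a half-built chain.
apply() {
    check_cmds || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        bridge_cmds
        bridgein_cmds
    else
        { bridge_cmds; bridgein_cmds; } | sh -e
    fi
}

apply
```

The anti-spoofing rule on the inside interface and the `! -y` rule on the outside interface are the two that make a bridge filter useful beyond a simple port list: the first stops a compromised LAN host from sending packets with foreign source addresses through the bridge, the second lets replies to connections opened from the LAN back in without a stateful engine (which ipchains does not have).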

III. Warning

This patch is distributed under the GPL and comes with absolutely no warranty. We have used it without any problem for several days.


Copyright© 1998-2001, www@a2pb.gotdns.org