I have an issue where my bridging firewall no longer drops traffic. Everything looks like it should be working but I can still access things I shouldn't. I am wondering if my use case is no longer supported.
This system worked well for years. When I updated from Debian 6 to Debian 7 (it was really the kernel updates), the bridge no longer passed traffic. This is because I had no VLAN configurations, but the traffic crossing the bridge is VLANed. Apparently the bridge used to just pass the traffic anyway. My understanding is that the bridge now operates more like a switch, in that if it does not have an interface in that VLAN then it does not forward the traffic. Logical to me. So I reconfigured the bridge to use VLANs and it works well. All traffic is VLANed (no untagged VLANs in use) and the traffic passes through and services work correctly.

The issue is that even with very specific firewall rules, the traffic is not dropped (or there is a duplicate flow), because I am able to access things that I should not be able to. The firewall rules (with DROP target) are incrementing in conjunction with the traffic I generate, but yet I can still access things. I tried to change the target to different things, but they are not working either. I tried changing the target to TRACE, but that did not generate any output, even though the counters for the rule incremented. I make use of CLASSIFY, and that is not working, and I tried MARK instead and it doesn't work.

When the drop rule for my specific IP increments (only when I access a server) and I can still browse a webserver, then that tells me that either:

  - The traffic is not dropped even though iptables matched it to a drop rule, or
  - The packet is dropped but there are multiple packets. But I have not seen this in a packet capture.

So is a bridge with VLANs and iptables supported? Under what circumstances would iptables match traffic to a DROP target but not drop the traffic? Under what circumstances would the bridge circumvent iptables?
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-filter-vlan-tagged = 1
net.bridge.bridge-nf-filter-pppoe-tagged = 0

When I turn off net.bridge.bridge-nf-call-iptables, the iptables rules no longer increment. Turn them on and the rules increment again as expected.

bridge name  bridge id          STP enabled  interfaces
bra0         8000.001b21b18c10  yes          eth0.1
                                             eth1.1
bra100       8000.001b21b18c10  yes          eth0.100
                                             eth1.100
bra102       8000.001b21b18c10  yes          eth0.102
                                             eth1.102
brb0         8000.001b21b18c14  yes          eth2.1
                                             eth3.1
brb100       8000.001b21b18c14  yes          eth2.100
                                             eth3.100
brb102       8000.001b21b18c14  yes          eth2.102
                                             eth3.102

Thanks,
Andy

Archive: https://lists.debian.org/62036c7d34ac114faad0b9d10f11ea562be1c...@txexmb01.mouser.lan
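The post above relies on watching rule counters move while test traffic is generated. The following is an added example, not code from the original message or from Debian: a small Python tool that diffs two snapshots of `iptables -t filter -nvxL FORWARD` taken before and after a burst of test traffic and reports, per rule and for the chain policy, how many packets each one matched. Because a packet can only hit one terminating target per traversal, a DROP rule and an ACCEPT path (or an ACCEPT policy) both moving by the same amount for the same burst is direct evidence that packets are traversing the chain more than once, which is the "duplicate flow" hypothesis in the post. The two snapshots are constructed sample data; the bridge name bra100 in them follows the post's naming and reflects the fact that with net.bridge.bridge-nf-call-iptables = 1 iptables sees the bridge device, not its ports, as the in/out interface (ports are matched with -m physdev). Rules written without a -j target, which iptables prints with an empty target column, are not handled.

```python
"""Diff iptables FORWARD chain counters between two snapshots.

Added example, not from the original post. Input is the text of
`iptables -t filter -nvxL FORWARD` (the -x flag gives exact counts,
-v adds the policy counters and in/out columns).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# "Chain FORWARD (policy ACCEPT 1000 packets, 60000 bytes)"
POLICY_RE = re.compile(
    r"^Chain\s+(\S+)\s+\(policy\s+(\S+)\s+(\d+)\s+packets,\s+(\d+)\s+bytes\)"
)

# Targets that end traversal of the chain for the matched packet.
DROP_TARGETS = {"DROP", "REJECT"}
ACCEPT_TARGETS = {"ACCEPT"}


@dataclass
class Rule:
    num: int          # 1-based position in the chain, as `iptables -L --line-numbers`
    pkts: int
    nbytes: int
    target: str
    proto: str
    in_if: str        # with bridge-nf this is the bridge device, e.g. bra100
    out_if: str
    src: str
    dst: str
    extra: str        # trailing match text, e.g. "tcp dpt:80"


@dataclass
class Chain:
    name: str
    policy: str
    policy_pkts: int
    rules: List[Rule]


def parse_chain(text: str) -> Chain:
    """Parse one chain of -nvxL output into a Chain with exact counters."""
    chain = None
    num = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            chain = Chain(m.group(1), m.group(2), int(m.group(3)), [])
            continue
        if line.startswith("pkts"):
            continue                      # column header line
        if chain is None:
            raise ValueError("rule line before chain header")
        # Columns: pkts bytes target prot opt in out source destination [extra]
        f = line.split(None, 9)
        if len(f) < 9:
            raise ValueError(f"short rule line: {line!r}")
        num += 1
        chain.rules.append(Rule(num, int(f[0]), int(f[1]), f[2], f[3],
                                f[5], f[6], f[7], f[8],
                                f[9] if len(f) > 9 else ""))
    if chain is None:
        raise ValueError("no chain header found")
    return chain


def diff_counters(before: Chain, after: Chain) -> Tuple[List[Tuple[int, str, int]], int]:
    """Return ([(rule_num, target, packet_delta), ...], policy_packet_delta).

    Refuses to compare snapshots whose rule set changed in between, since
    positional counters would then be meaningless.
    """
    if before.name != after.name or len(before.rules) != len(after.rules):
        raise ValueError("snapshots are of different chains or rule sets")
    deltas = []
    for b, a in zip(before.rules, after.rules):
        key = lambda r: (r.target, r.proto, r.in_if, r.out_if, r.src, r.dst, r.extra)
        if key(b) != key(a):
            raise ValueError(f"rule {b.num} changed between snapshots")
        d = a.pkts - b.pkts
        if d:
            deltas.append((b.num, b.target, d))
    return deltas, after.policy_pkts - before.policy_pkts


def multi_path_hits(deltas, policy: str, policy_delta: int) -> bool:
    """True when both a dropping path and an accepting path saw packets.

    Non-terminating targets (LOG, MARK, CLASSIFY, TRACE) are ignored: a
    packet legitimately counts there and then again at a later rule.
    """
    drop_pkts = sum(d for _, t, d in deltas if t in DROP_TARGETS)
    accept_pkts = sum(d for _, t, d in deltas if t in ACCEPT_TARGETS)
    if policy in ACCEPT_TARGETS:
        accept_pkts += policy_delta
    elif policy in DROP_TARGETS:
        drop_pkts += policy_delta
    return drop_pkts > 0 and accept_pkts > 0


# Constructed sample snapshots (not real captures): the DROP rule for one
# client and the catch-all ACCEPT both move by 12 packets for one burst.
BEFORE_SNAPSHOT = """\
Chain FORWARD (policy ACCEPT 1000 packets, 60000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     100      6000 DROP       tcp  --  bra100 bra100  192.168.100.50       192.168.102.10       tcp dpt:80
      50      3000 ACCEPT     all  --  bra100 bra100  0.0.0.0/0            0.0.0.0/0
"""
AFTER_SNAPSHOT = """\
Chain FORWARD (policy ACCEPT 1000 packets, 60000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     112      6720 DROP       tcp  --  bra100 bra100  192.168.100.50       192.168.102.10       tcp dpt:80
      62      3720 ACCEPT     all  --  bra100 bra100  0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    before, after = parse_chain(BEFORE_SNAPSHOT), parse_chain(AFTER_SNAPSHOT)
    deltas, pol = diff_counters(before, after)
    for num, target, d in deltas:
        print(f"rule {num} ({target}): +{d} packets")
    print(f"policy {after.policy}: +{pol} packets")
    print("drop and accept paths both hit:", multi_path_hits(deltas, after.policy, pol))
```

In use, take the first snapshot, generate a known number of packets (for example a single TCP connect that should be dropped), take the second, and compare the DROP delta against the expected count. A matching delta on an ACCEPT rule or on an ACCEPT policy for the same burst means the same packets are being evaluated twice, which is what a packet capture on the bridge ports (rather than on the bridge device) would then need to confirm.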