[Firehol-support] Open VPN and Ethernet Bridge

Costa Tsaousis costa at tsaousis.gr
Thu Jul 29 22:05:13 BST 2004


Thanks for your good words.

I have never used bridged interfaces or tunnels myself. However you can
find a few messages from other users using FireHOL with bridges at the
forums. Check these:


I suggest proceeding one step at a time. Set up a very simple firewall like

interface any world
policy accept

router any2any
route all accept

Does it work now? Check the system log for dropped packets. The system log
is your friend - it tells you what is going wrong. If there is nothing in
the logs, and everything works, you are on a good path.

If it works, then try to figure out how to filter traffic. Change the
router to this:

router any2any
route ping accept log "APING"
route all accept

Then do a ping (not from/to the firewall) and check the logs for the text
"APING". Note down SRC= DST= IN= OUT= etc. You should use the logged
information to understand what to match in FireHOL.

Repeat the above procedure (logging traffic and modifying the firewall)
until you have a clear view of how iptables interacts with your bridges
and tunnels. Then you will know what to do to set up a secure firewall.

In all cases, FireHOL is pretty generic. If there is a match that should be
there and currently is not, send me a note and I'll add it (I am pretty sure
all the "stable" iptables matches are already included - so missing a
feature is unlikely to happen).

Anyway, I hope that if you decide to do this, you will write a short howto
for the rest of us to know what to do in setups similar to yours :-)
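Added example, not part of the original post and not FireHOL's own code: a
small Python script that does the "note down SRC= DST= IN= OUT=" step of the
procedure above. It parses the iptables LOG lines that the `log "APING"` rule
produces, tallies each packet by interface pair, addresses and protocol, and
lists the physical interface pairs that bridged packets crossed, so the
matches you need in FireHOL can be read off instead of eyeballed. The sample
log lines are constructed; the exact log prefix layout and the presence of
PHYSIN=/PHYSOUT= fields on bridged packets (which the bridge-netfilter code
adds) are assumptions, not something the post states.

```python
import re
from collections import Counter

# Constructed sample of iptables LOG output (not real traffic). The "APING"
# prefix is the tag the post's "route ping accept log" rule attaches; the
# exact layout of the prefix is assumed here.
SAMPLE_LOG = """\
Jul 29 22:05:13 fw kernel: APING:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=192.168.1.10 DST=192.168.2.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jul 29 22:05:13 fw kernel: APING:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.2.20 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=ICMP TYPE=0 CODE=0 ID=4242 SEQ=1
Jul 29 22:05:14 fw kernel: APING:IN=tun0 OUT=br0 SRC=10.8.0.6 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jul 29 22:05:15 fw kernel: Unrelated kernel message that must be ignored
"""

# iptables LOG records are runs of KEY=VALUE tokens; bare flags such as
# "DF" carry no "=" and are deliberately not captured.
FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')

# Column order used for the per-flow summary key.
FLOW_KEY = ("IN", "PHYSIN", "OUT", "PHYSOUT", "SRC", "DST", "PROTO")


def parse_log_line(line, prefix="APING"):
    """Return a dict of KEY=VALUE fields from one LOG line that carries
    `prefix`, or None when the line is not such a record."""
    if prefix not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line.split(prefix, 1)[1]):
        # ID= appears twice on ICMP lines (IP id, then ICMP id); keep the
        # first so fields["ID"] is always the IP header id.
        fields.setdefault(key, value)
    return fields


def summarize_flows(text, prefix="APING"):
    """Count packets per (IN, PHYSIN, OUT, PHYSOUT, SRC, DST, PROTO) so the
    reader can see which interface pair each packet really traversed.
    Missing fields (e.g. no PHYSIN on a tunnel packet) are shown as "-"."""
    flows = Counter()
    for line in text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields is None:
            continue
        flows[tuple(fields.get(k, "-") for k in FLOW_KEY)] += 1
    return flows


def bridged_pairs(flows):
    """Physical interface pairs (PHYSIN, PHYSOUT) seen for packets that
    crossed a bridge: IN and OUT name the same bridge device and the
    physdev fields are present."""
    pairs = {(k[1], k[3]) for k in flows
             if k[0] == k[2] and k[1] != "-" and k[3] != "-"}
    return sorted(pairs)


def main():
    flows = summarize_flows(SAMPLE_LOG)
    for key, count in sorted(flows.items()):
        print(count, dict(zip(FLOW_KEY, key)))
    print("bridged physical pairs:", bridged_pairs(flows))


if __name__ == "__main__":
    main()
```

Feed it your real log (`grep APING /var/log/messages | python3 aping.py`
after swapping SAMPLE_LOG for `sys.stdin.read()`): a flow whose IN and OUT
are both the bridge device is one the router rule has to match on the bridge,
while a flow with IN=tun0 tells you the tunnel interface is what FireHOL
needs in its `interface` or `router` definition.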


