[Firehol-support] locking down a dual stack bridging firewall with firehol

Phil Whineray phil at sanewall.org
Thu Nov 13 19:25:04 GMT 2014

Hi Phineas

On Wed, Nov 12, 2014 at 10:38:22PM +0100, Phineas Gage wrote:
> I’m converting my firewall to a transparent bridge, and have a basic config working for IPv4 and IPv6. Our environment is simple:
> LAN <=> (eth0) Linux Firewall (eth1) [br0 bridges eth0 and eth1] <=> ADSL modem
> I would like to let all client traffic out but nothing in. But for some reason, I need this router line accepting all traffic from the Internet side interface , otherwise clients lose their DHCP v4 addresses a few seconds after they get them:
> router46 internet2lan physin eth1 physout eth0
>     route all accept # !!! Figure out why, without this accept, I lose my DHCP v4 address after a few seconds

I take it that the DHCP server runs on the ADSL modem in this setup?

The explanation and formatting at this link needs a tidy up (another thing
to add to my todo list) but hopefully is good enough to explain what
might be happening:

In summary I think you may be falling foul of the fact that DHCP uses
source and destination IP on request that don't match the response, so
we need stateless rules to match them. The result is that the
"route all accept" in your "lan2internet" section does not allow the
response to a DHCP request that you might expect.

As I think Costa mentioned elsewhere you should be able to see blocked
packets in the log. If you indeed see DHCP response packets being
blocked, I think you may just need to add an explicit rule for DHCP.

I too have never used a bridge setup like this but I have been
considering it for similar reasons, so I'm interested in your results.


More information about the Firehol-support mailing list