[Firehol-support] Network Bridge
phil at firehol.org
Fri Apr 1 17:45:23 BST 2016
On Fri, Apr 01, 2016 at 10:43:24AM -0400, jorge at ssp.jovenclub.cu wrote:
> I have a network bridge with only 2 interfaces on my firewall,
> bridge_ports eth0 eth1
> I need to control the traffic that passes through the firewall and not
> the traffic going to the firewall, but cannot find the way to do it. There is little
> information on FireHOL and network bridges.
For your simple case it should be quite straightforward. You don't
say what your bridged interface is called, so I will assume br0
below and that it has an IP address but the physical devices don't.
You will need to define an interface for br0 (or 'any'), even if only
to set the policy to accept. Then when the firewall is active you can
still communicate directly to and from the host.
You can create a router where inface and outface are both br0,
which describes a bridge by and large (but could be routing traffic
on two IP ranges superimposed on the same LAN...). In the simple case
you have described, physin and physout can then be used to reliably
refer to your eth0 and eth1 devices, either in the router definition
or on individual rules.
Some people find traffic they want to match to physin or physout is
not bridged. If so, the best bet currently is to ensure the IP ranges
on either side are different and use src and dst. At present FireHOL
adds rules to filter out non-bridged traffic when a physin or physout
is specified (even if it did not, the values are often not valid unless
bridged traffic is being matched).
If you want to know what the future might look like, see the work in
progress here. Note that no version of FireHOL implements the
keywords or behaviour described yet, and it may be changed before it
is published fully.
Hope that helps
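The configuration Phil outlines above, written out as an added example (this is not configuration from the original thread or from the FireHOL project): br0 holds the host's IP address, the physical ports do not, and the bridge is called br0 as Phil assumed. The router name, the services allowed, and the address 192.0.2.10 are placeholders chosen for illustration; the physin/physout matching follows the semantics described in the reply.

```firehol
version 6

# Traffic to and from the firewall host itself. br0 carries the IP
# address, so the interface is defined on it, not on eth0/eth1.
interface br0 host
    policy accept

# Traffic that passes *through* the bridge. Both ends are br0 (the
# bridged traffic never changes logical interface); physin/physout
# select the physical port a frame entered on and leaves on.
# Assumed: eth0 faces the inside, eth1 faces the outside.
router inside2outside inface br0 outface br0 physin eth0 physout eth1
    policy drop

    # "server" in a router = requests enter via inface (eth0) and leave
    # via outface (eth1): inside clients reaching outside services.
    server http accept
    server dns accept
    server ping accept

    # "client" in a router = requests enter via outface (eth1) and leave
    # via inface (eth0): only SSH to one inside host is allowed in.
    # 192.0.2.10 is a placeholder address.
    client ssh accept dst 192.0.2.10

# Fallback Phil mentions for traffic that is not actually bridged:
# give each side its own IP range and match on src/dst instead of
# physin/physout. Placeholder ranges; enable only one of the two routers
# for a given flow so the rules do not overlap.
#router by_address inface br0 outface br0 src 10.0.0.0/24 dst 10.0.1.0/24
#    policy drop
#    server http accept
```

A useful check once this is active: `firehol try` applies the configuration with a timeout and reverts if you cannot confirm, which avoids locking yourself out through br0. Also keep in mind (a general Linux fact, not from this thread) that iptables only sees bridged frames when the kernel's bridge-netfilter hook is enabled (`net.bridge.bridge-nf-call-iptables=1` with the br_netfilter module loaded); without it the router rules above never match and the traffic passes unfiltered.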