
Re: [suse-security] How to make SuSEfirewall2 accept packets passing bridge-interface (solved)



On Montag 21 November 2005 10:51, Ludwig Nussel wrote:
> David Huecking wrote:
> > Now I added a wireless-card for the router also acting as a wireless
> > access-point:
> > - ath0 is interface of wireless-card running in hostap-mode
> > Then I build a bridge-interface from eth0 and ath0 and gave it the former
> > IP of eth0.
> > - br0 bridge made of ath0 and eth0
> > Routing from the wired and wireless clients to the internet works like a
> > charm.
> > What does not work is bridging from physical interface eth0 to ath0 so
> > that I can reach my server attached to the LAN-switch from my wireless
> > notebook. I get logging-entries like that:
> > SFW2-FWDint-DROP-DEFLT IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=ath0
> > SRC=192.168.42.6 DST=192.168.42.2
> >
> > Could anybody tell me what to write into /etc/sysconfig/SUSEFirewall2 or
> > in /etc/sysconfig/scripts/SuSEfirewall2-custom to accept packets crossing
> > my bridge.
>
> I don't have such a setup myself so I can't help you here. I
> wouldn't use bridging with the LAN though. With newer SuSEfirewall2
> you can define a new zone for the WLAN and then use normal routing
> for WLAN-Inet and WLAN-LAN. You can also abuse the DMZ rules for
> that purpose if you don't have a real DMZ.
>
> cu
> Ludwig

I changed the setup a bit and now use an external access-point attached to 
another ethernet-interface (eth2) instead of an internal wireless-card (ath0), 
and solved the problem like this:
Built the bridge using eth0 and eth2 and gave it the former IP-address of 
eth0.
In /etc/sysconfig/SuSEFirewall2:
FW_DEV_INT="br0"
FW_ALLOW_CLASS_ROUTING="yes"

This works for me. 
_BUT_ this does not provide any security from SuSEfirewall2 in any way. It 
just makes the WLAN hosts appear like normal wired hosts in the LAN. Both 
types have the same IP-range.
The only advantage compared to attaching an accesspoint directly to your 
ethernet-switch is that you can lock out the wireless clients without 
unplugging a cable when you delete the bridge-device.
So any security comes (and goes) with the authorized access to the 
access-point. Just like physical security to the ethernet-plugs.
The advantage is that I just set up both interfaces of my notebook, ethernet 
and WLAN, with the _same_ IP-address and switched them to "hotplug"-mode. I 
only use one interface at a time and so it's always accessible under the same 
IP-address.

The only question now is: In which start/init-script should I put the 
commands to build the bridge-device in case of a reboot, when I don't want 
to build the bridge manually? It has to happen after the physical 
network-interfaces...


-- 
Eat, sleep and go running,
David Hücking.

Encrypted eMail welcome! 
GnuPG/ PGP-Key: 0x57809216. Fingerprint: 
3DF2 CBE0 DFAA 4164 02C2  4E2A E005 8DF7 5780 9216
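The bridge setup described above, as an added example that is not part of the original post or of SuSEfirewall2: a small POSIX shell script that builds br0 from two physical ports, moves the LAN address onto the bridge, and can tear it down again (the "lock out the wireless clients" switch). It also checks the two sysconfig settings the post relies on. The log line in the quoted mail (IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=ath0) is what bridge-netfilter produces when bridged frames are pushed through the iptables FORWARD chain, which is why FW_ALLOW_CLASS_ROUTING matters here. The interface names, the address 192.168.42.1/24 and the sysconfig path are assumptions for illustration; brctl (bridge-utils) and ip (iproute2) are assumed to be installed and the script must run as root, after the physical ports are up. Where to hook it into the boot sequence is left open, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): build bridge br0 from two
# physical ports and move the address eth0 used to carry onto the bridge,
# so SuSEfirewall2 can treat br0 as its FW_DEV_INT interface.
# BR, PORTS and ADDR are assumed names/values and must be adjusted locally.

BR="${BR:-br0}"
PORTS="${PORTS:-eth0 eth2}"
ADDR="${ADDR:-192.168.42.1/24}"    # assumed: the address eth0 had before
RUN="${RUN:-}"                     # RUN=echo prints the commands instead of running them

# Ports must already exist before they can be enslaved; this is the reason
# the script has to run after the physical interfaces are configured.
ports_present() {
    for p in $PORTS; do
        [ -e "/sys/class/net/$p" ] || { echo "missing interface: $p" >&2; return 1; }
    done
    return 0
}

bridge_up() {
    [ -n "$RUN" ] || ports_present || return 1
    $RUN brctl addbr "$BR"
    $RUN brctl stp "$BR" off          # one bridge, no redundant links: STP not needed
    for p in $PORTS; do
        $RUN ip addr flush dev "$p"   # ports carry no IP address of their own
        $RUN ip link set "$p" up
        $RUN brctl addif "$BR" "$p"
    done
    $RUN ip addr add "$ADDR" dev "$BR"
    $RUN ip link set "$BR" up
}

# Deleting the bridge cuts the WLAN side off from the wired LAN; the first
# port (eth0) gets the LAN address back so the router stays reachable.
bridge_down() {
    $RUN ip link set "$BR" down
    for p in $PORTS; do
        $RUN brctl delif "$BR" "$p"
    done
    $RUN brctl delbr "$BR"
    set -- $PORTS
    $RUN ip addr add "$ADDR" dev "$1"
}

# Check the two settings from the post in a sysconfig file given as $1
# (on the router that would be /etc/sysconfig/SuSEfirewall2): the bridge
# must be listed in FW_DEV_INT and FW_ALLOW_CLASS_ROUTING must be "yes".
fw_settings_ok() {
    f="$1"
    dev=$(sed -n 's/^FW_DEV_INT="\(.*\)"$/\1/p' "$f")
    routing=$(sed -n 's/^FW_ALLOW_CLASS_ROUTING="\(.*\)"$/\1/p' "$f")
    found=1
    for d in $dev; do
        [ "$d" = "$BR" ] && found=0
    done
    [ "$found" -eq 0 ] && [ "$routing" = "yes" ]
}

case "${1:-}" in
    up)   bridge_up ;;
    down) bridge_down ;;
    *)    echo "usage: $0 up|down   (RUN=echo $0 up shows the commands)" >&2 ;;
esac
```

Run it with `RUN=echo ./bridge.sh up` first to see the exact command sequence; without RUN it executes the commands and refuses to start if a port listed in PORTS does not exist yet. Note that `ip addr flush` on the ports is deliberate: if eth0 kept its old address alongside br0, the kernel would have two interfaces on the same subnet.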
