On 7/25/05, Nicholas J Humfrey <njh at ecs dot soton dot ac dot uk> wrote:
>
> Hi,
>
> I have some servers plugged into a very large subnet full of all
> sorts of other machines (workstations [running Netware], desktops,
> other servers, cash registers):
>
> http://www.ecs.soton.ac.uk/~njh/surge_network.png
>
> I would like to firewall my servers from the other machines on the
> subnet (netware IPX packets and Windows viruses), and also prevent my
> IPv6 router advertisements from leaving my little segment.
>
> From my experiments, it doesn't look like m0n0wall does any Layer 2
> firewalling when running bridged mode? Both my IPv4 and IPv6 packets
> were being bridged across, so I guess this means AppleTalk, IPX etc
> will be too.
>
> If I used a Proxy ARP setup, would it have the right effect of only
> allowing IPv4 through?
>
> Any better way of doing it?
>
> Thanks!
>
> nick.
>
> ps. very impressed with how clean and compact m0n0wall is - a lot
> nicer than the open source competitors I have looked at :)

Did you enable the filtering bridge option? Otherwise you just made a bridge - see here:
http://m0n0.ch/wall/docbook/index-single.html#id2578343 and see 11.3.4.

Then add your firewall rules - add a deny rule at the top with logging and you should see packets being blocked as they attempt to pass the bridge. If not, then there is something (else?) amiss with your config.

--g'luck
gm