Wed Mar 2 00:48:09 EST 2011

Firewall and bridge

I would like to firewall a bridge connection.  On a host inside my
network I have a bridge that contains VLAN 11, and on the router the
wireless is bridged to VLAN 11.  The router does not connect the
wireless interface directly to the local net; the idea is that all
wireless traffic is filtered and monitored on the internal host.

So, how do I limit traffic that goes "through" the bridge?  Is this
possible at all?

I want a bridge because I want a single IP space that is not tied to
location.  This keeps the failsafe situation simple, and in general it
seems like a lot less work to manage.

On the router, create VLAN 11 and make sure that port 3 (the internal
server) carries the VLAN tags.

# vconfig add eth0 11
# ifconfig eth0.11 up
# robocfg vlan 11 ports "3t 5t"

Then create the wifi bridge, and move the wifi interface (wl0) from
br-lan on the router to br-wifi, tying it to VLAN 11.

# brctl addbr br-wifi
# ifconfig br-wifi up
# brctl addif br-wifi eth0.11
# brctl delif br-lan wl0
# brctl addif br-wifi wl0

On the host do the same, adding the VLAN interface to the existing bridge br0:

# vconfig add eth0 11
# ifconfig eth0.11 up
# brctl addif br0 eth0.11
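One way to answer the question above (limiting the traffic that goes
through the bridge on the host), as an added example that is not part of
the original post: bridge-nf hands bridged IP frames to iptables, where
the physdev match picks out the bridge port a frame came in on, and
ebtables covers the non-IP frames that iptables never sees.  It assumes
that br0 on the host contains eth0 (the wired LAN) and eth0.11 (the
wireless VLAN), that the kernel exposes the bridge-nf sysctls, and that
iptables has the physdev match and ebtables is installed.  The interface
name and the allowed-service list are placeholders, not values from the
post.

```sh
#!/bin/sh
# Added example (not from the original post): firewall frames that cross the
# host's bridge between the wireless VLAN port and the wired LAN port.
# Assumptions: br0 on the host contains eth0 (wired LAN) and eth0.11 (VLAN 11,
# the wireless side); the bridge code exposes the bridge-nf sysctls; iptables
# has the physdev match and ebtables is installed.  Interface name and the
# allowed-service list are placeholders; override them via the environment.
WIFI_IF="${WIFI_IF:-eth0.11}"            # bridge port facing the wireless VLAN
ALLOWED_TCP="${ALLOWED_TCP:-22 80 443}"  # TCP services wireless clients may reach on the LAN
DRY_RUN="${DRY_RUN:-0}"                  # DRY_RUN=1 prints the commands instead of executing them

# Execute a command, or print it when DRY_RUN=1 so the rule set can be reviewed first.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: have the bridge hand bridged IP frames to iptables (bridge-nf).  On
# kernels where this lives in a separate module, run `modprobe br_netfilter` first.
# (ip6tables FORWARD rules would be needed for IPv6 in the same way; not shown.)
enable_bridge_nf() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run sysctl -w net.bridge.bridge-nf-call-ip6tables=1
}

# Step 2: IP traffic.  Bridged frames show up in the FORWARD chain; the physdev
# match names the bridge port a frame arrived on, and --physdev-is-bridged keeps
# the rule away from traffic the host routes rather than bridges.  Everything
# entering from the wireless port goes to a WIFI_IN chain: replies to connections
# the LAN side opened and a short list of services are allowed, the rest is
# logged (rate limited) and dropped.
install_wifi_rules() {
    run iptables -N WIFI_IN 2>/dev/null || true
    run iptables -F WIFI_IN
    # (re)insert the jump at the top of FORWARD without leaving a duplicate behind
    run iptables -D FORWARD -m physdev --physdev-in "$WIFI_IF" --physdev-is-bridged -j WIFI_IN 2>/dev/null || true
    run iptables -I FORWARD -m physdev --physdev-in "$WIFI_IF" --physdev-is-bridged -j WIFI_IN
    run iptables -A WIFI_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in $ALLOWED_TCP; do
        run iptables -A WIFI_IN -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    run iptables -A WIFI_IN -p udp --dport 53 -j ACCEPT
    run iptables -A WIFI_IN -m limit --limit 10/min -j LOG --log-prefix "WIFI-DROP: "
    run iptables -A WIFI_IN -j DROP
}

# Step 3: non-IP traffic never reaches iptables, so filter it with ebtables at
# layer 2: only ARP, IPv4 and IPv6 frames may enter from the wireless port.
install_l2_rules() {
    run ebtables -F FORWARD
    run ebtables -A FORWARD -i "$WIFI_IF" -p ARP -j ACCEPT
    run ebtables -A FORWARD -i "$WIFI_IF" -p IPv4 -j ACCEPT
    run ebtables -A FORWARD -i "$WIFI_IF" -p IPv6 -j ACCEPT
    run ebtables -A FORWARD -i "$WIFI_IF" -j DROP
}

# Step 4: what to check afterwards: bridge membership, the VLAN interface, and
# the packet counters on WIFI_IN, which show whether wireless frames actually
# reach the rules (zero counters mean bridge-nf is not handing frames over).
show_state() {
    run brctl show
    run cat /proc/net/vlan/config
    run iptables -L WIFI_IN -v -n
    run ebtables -L --Lc
}

# Usage: sh bridge-fw.sh apply   (DRY_RUN=1 sh bridge-fw.sh apply prints the rules only)
if [ "${1:-}" = "apply" ]; then
    enable_bridge_nf
    install_wifi_rules
    install_l2_rules
    show_state
fi
```

Run it once with DRY_RUN=1 to read the rule set, then without; the
counters printed by show_state are the quickest way to confirm that
frames arriving on eth0.11 are really passing through iptables rather
than being bridged straight across.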

Hmm... This doesn't seem to be stable...  I'm losing packets somewhere.

[1] http://tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO.html