search for: br_fw_ia

Hello, I am experimenting with Snort and other IDS and I would like to use Xen for these tests. This would require me to use port mirroring to sent a bunch of packets to a NIC located on my Xen machine. I don''t really know how Xen networking works, but is it possible to give a domU direct access to a NIC ? Or at least give it enough access so that it can see packets that are not for the

re I would like to do some firewalling and p2p shaping/limiting on one of the vlans in my network and I was thinking of using linux box as transparent bridged firewall/limiter. For this I''m planning to use AMD64 2.2Ghz box with 2 1gbit NIC (Broadcom 5721), that will be bridged. The box must be totally transparent and unseen in the network, as well as it should have much influence on

I have a computer with two interfaces, say with addresses 192.168.1.1 and 192.168.1.2. I want to set up routing such that when I ping 192.168.1.1 it goes out through 192.168.1.2 and not to the local interface. Is this possible - all my attempts so far have been unsuccessful? If so, pointers, etc. would be gratefully appreciated. Jim -- Jim Redman (505) 662 5156 x85

Good morning, I''m writing to ask for collaboration in finding an improvement to a particular process. Today: To get traffic for our IDS sensors and a billing system, we collect everything at our core switches (2) by connecting a SPAN port from each switch to a server (so, 2 interfaces collecting traffic). That server changes the destination MAC address on all traffic to that of

Hello, Normally, in addition to such qdisc scheduler mechanisms as FIFO, PQ, WRR, WFQ, are there any more? Then, there is a confusion on scheduler in Linux enviroment: Assume there is a qdisc, such as RED as a leaf qdisc in a router, we know, if there is packet which want to enqueue the packet, the Function red_enqueue is called, but when the packet leave the queue(when the Function red_dequeue

Hello, I am having some routing troubles with my Xen setup. I have two domUs, one running as a firewall and another running as a dmz: The dom0 has the following: - eth0 bridge (10.0.0.3/24) The domU-firewall has the following: - Direct passthrough PCI NIC (Public Internet) - Virtual NIC connected to the eth0 bridge on dom0 (10.0.0.1/24) - Bridge called brdmz for the dmz zone (10.0.2.1/24)

...iptables concerns itself (mostly) with routing across an IP network, computer to computer. ebtables concerns itself (mostly) with filtering packets across physical NIC interfaces in the same computer. Here is a great writeup on using ebtables and iptables together: http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html But - like everything I''ve been able to find so far, I don''t think this writeup is completely accurate. iptables has a module called physdev. According to the writeup, I can use the iptables physdev module to filter among the raw interfaces in a bridge. But a di...

...did, though, as I now know more than I ever wanted to about the kernel's netfilter code... An absolutely invaluable resource on this subject is the "ebtables/iptables interaction on a Linux-based bridge" document published by the ebtables developers: http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html I don't know who specifically wrote it, but I can't thank them enough. If you're like me, you'll have to read this slowly and several times before it totally sinks in. I now have a copy of their detailed packet flow chart (bottom of the article) printed out and hangin...

Is there a flow diagram as to where tc actions take place with respect to NAT and other iptables functions on a multihomed box (private & public NICs) ? Are tc filter rules consulted before or after NATing? My real interest is in basic understanding first, and then solving a real problem second. Example: Firewall Public NIC 123.123.123.1 Firewall Private NIC 192.168.168.1 Dedicated Video

...) ; > $ip1 = class ( rate 384kbps, ceil 384kbps ) ; > } > } > } > } > > > Best of luck, Gordan! > > -Martin > > [0] http://www.docum.org/stef.coene/qos/kptd/ > [1] http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png > > -- > Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hi. I understand that device aliases (e.g. eth2:3) are not shapeable. Does anybody know if this functionality is planned in the future? Anyway, for the time being the only option that seems to leave is to fwmark packets differently for each device alias and then shape based on that. Is it possible to set multiple marks on the packets? Alternatively, is it possible to check for a specific

Hi, I''ve read the documentation about HTB and I pretty much managed to grasp how it works. In theory. But there still are some questions and I want to check with you to see if I understand things correctly. So here goes: 1) when used on a router for shaping traffic done by clients connected to it, shaping is done on the interface connected to the cable/dsl modem. If I wanted to create

Hi all, I have setup two multipath route tables on my system for doing failover routing, What I want it''s that if GW at route1 of the MP is dead, traffic goes by route2, for doing that I have created the multipath routes as follows: ip route add table mail.traffic proto static nexthop via ${GW1} dev eth1 weight 1 nexthop via ${GW2} dev eth1 weight 250 But it does not run as I

I have to match my packets based on MAC address, which I cannot do in the POSTROUTING chain, so I do it in PREROUTING using MARK. Then, I match on the MARK in the POSTROUTING chain to do a CLASSIFY. But this does not seem to work: wireless-r1 bwlimit # iptables -L -v -n -t mangle Chain PREROUTING (policy ACCEPT 3353K packets, 941M bytes) pkts bytes target prot opt in out source