I have a bridged firewall setup that works great for the most part, except broadcast traffic does not seem to pass through it. I'm just trying with netbios-ns at the moment.

Here is my interfaces:

    world   br0         detect   bridge
    net     br0:bond0   detect
    loc     br0:vlan10  detect
    www     br0:vlan20  detect

As a shotgun until I figure this out, I've added the following to rules:

    ACCEPT  all  all  udp  137

If I do a tcpdump on interface br0 I see a ton of broadcast traffic on udp port 137, but if I look at either vlan10 or vlan20, I only see the traffic that originates on either of those VLANs.

Is there anything else I should be looking at?

Thanks,
-Matt

------------------------------------------------------------------------------
This SF.net email is sponsored by

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
Tom Eastep
2010-Aug-10 17:24 UTC
Re: Broadcast traffic not passing through bridged firewall
On 8/10/10 9:11 AM, Matt Stocum wrote:
> I have a bridged firewall setup that works great for the most part,
> except broadcast traffic does not seem to pass through it. I'm just
> trying with netbios-ns at the moment.
>
> Here is my interfaces:
>
>     world   br0         detect   bridge
>     net     br0:bond0   detect
>     loc     br0:vlan10  detect
>     www     br0:vlan20  detect
>
> As a shotgun until I figure this out, I've added the following to
> rules:
>
>     ACCEPT  all  all  udp  137
>
> If I do a tcpdump on interface br0 I see a ton of broadcast traffic
> on udp port 137, but if I look at either vlan10 or vlan20, I only see
> the traffic that originates on either of those VLANs.
>
> Is there anything else I should be looking at?

If adding that rule fixes it, it sounds like your policies are blocking the traffic.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Matt Stocum
2010-Aug-10 18:21 UTC
Re: Broadcast traffic not passing through bridged firewall
On Aug 10, 2010, at 1:24 PM, Tom Eastep wrote:
> On 8/10/10 9:11 AM, Matt Stocum wrote:
>> As a shotgun until I figure this out, I've added the following to
>> rules:
>>
>>     ACCEPT  all  all  udp  137
>>
>
> If adding that rule fixes it, it sounds like your policies are blocking
> the traffic.

Sorry, I wasn't clear earlier, the rule was my attempt at a shotgun solution. It didn't work.

I'm fairly sure at this point that iptables itself is not blocking the traffic, as when I remove all references to SMB traffic (and tweak action.Drop/Reject to enable logging of dropped SMB traffic) I do start getting dropped packets in the logs. With my current setup I am not getting logs of dropped packets.

I think the problem ultimately is that no broadcast or multicast traffic is traveling from bond0 (the public facing interface) to vlan10 (internal traffic). The reverse is also true, broadcast traffic does not travel from vlan10 to bond0. All traffic is making it to br0, however, which is the bridge that bond0 and vlan10 are both joined to.

Is there any more information I can provide that might help?

Thanks,
-Matt
Tom Eastep
2010-Aug-10 19:19 UTC
Re: Broadcast traffic not passing through bridged firewall
On 8/10/10 11:21 AM, Matt Stocum wrote:
>
> Is there any more information I can provide that might help?

Output of 'shorewall dump' as a compressed attachment. You can send it privately if you like but I will likely not be able to look at it until after work.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Tom Eastep
2010-Aug-10 19:21 UTC
Re: Broadcast traffic not passing through bridged firewall
On 8/10/10 11:21 AM, Matt Stocum wrote:
> On Aug 10, 2010, at 1:24 PM, Tom Eastep wrote:
>
> Is there any more information I can provide that might help?
>

And be sure to specify where the broadcasts originate from and where you want them to go.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Matt Stocum
2010-Aug-10 19:32 UTC
Re: Broadcast traffic not passing through bridged firewall
I figured it out. I had another rule that was dropping traffic before the rule allowing it.

Thanks for the help.

-Matt

On Aug 10, 2010, at 3:21 PM, Tom Eastep wrote:
> On 8/10/10 11:21 AM, Matt Stocum wrote:
>> On Aug 10, 2010, at 1:24 PM, Tom Eastep wrote:
>
>>
>> Is there any more information I can provide that might help?
>>
>
> And be sure to specify where the broadcasts originate from and where you
> want them to go.
>
> -Tom
> --
> Tom Eastep            \ When I die, I want to go like my Grandfather who
> Shoreline,             \ died peacefully in his sleep. Not screaming like
> Washington, USA         \ all of the passengers in his car
> http://shorewall.net     \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
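The ordering mistake Matt describes, shown as an added illustration that is not from the thread and not his actual configuration: Shorewall evaluates the rules file top to bottom and the first matching rule wins, so a DROP placed above the ACCEPT for udp 137 catches the netbios-ns broadcasts before the ACCEPT is ever reached, and nothing is logged unless the DROP carries a log level. The zone names, interfaces and the udp 137 ACCEPT are taken from the thread; the DROP rule covering 137:139 and the use of the `DROP:info` log level are constructed for the example.

```text
# /etc/shorewall/rules  (constructed example; zones net/loc/www are the
# bridge-port zones from the thread's interfaces file)
#ACTION     SOURCE    DEST    PROTO   DEST PORT(S)

# --- Broken ordering: first match wins, so this DROP swallows the
#     netbios-ns broadcasts and the ACCEPT below it never fires. ---
DROP        net       all     udp     137:139
ACCEPT      all       all     udp     137

# --- Corrected ordering: the specific ACCEPT comes first, and the
#     broader DROP is logged so silently dropped packets show up in
#     'shorewall show log' while debugging. ---
ACCEPT      all       all     udp     137
DROP:info   net       all     udp     137:139
```

Only one of the two orderings would be present in a real rules file; they are shown together so the difference is visible. The logging on the DROP is the check that would have shortened this thread: with it in place, a blocked broadcast produces a log entry naming the bridge port it arrived on and the zone pair it was dropped for, which separates "the bridge is not forwarding it" from "a rule above the ACCEPT is discarding it".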