Several people have asked me for ipchains firewalling on bridge forwarding. Although this is a violation of the OSI model it turns out to be very useful, and it was very easy to implement, so I did it. Now how does it work? First of all, if you want to use bridge firewalling, you'll have to apply the extra patch bridge-ipchains.diff in the bridge-utils distribution to your (already patched with the bridge patch) kernel tree. Recompile the kernel. Now if you boot this kernel, the bridging code will check each to-be-forwarded packet against the ipchains chain which has the same name as the bridge. So.. if a packet on eth0 is to be forwarded to eth1, and those interfaces are both part of the bridge group br0, the bridging code will check the packet against the chain called 'br0'. If the chain does not exist, the packet will be forwarded. So if you want to do firewalling, you'll have to create the chain yourself. This is important! Example: # brctl addbr br0 # brctl addif br0 eth0 # brctl addif br0 eth1 # ifconfig br0 10.0.0.254 # ipchains -N br0 # ipchains -A br0 -s 10.0.0.1/8 -i eth0 -j DENY Lennert Buytenhek