Bridging Firewall
We now have a bridging firewall setup in the office.
The bridging is pretty easy. I’m using a patch from ebtables to the 2.4.25 kernel.
Blocking an IP is easy:

    ebtables -A FORWARD -p 0800 --ip-src 140.160.214.86 -j DROP

It would be

    ebtables -A FORWARD -p IPv4 --ip-src 140.160.214.86 -j DROP

but our install of ebtables doesn't like where Gentoo put /etc/ethertypes or something, so the ethertype has to be given as the raw hex value (0800 is IPv4).
Here's how to limit an IP to a certain rate with a bridging firewall (br100 is a bridge on eth0 and eth1):
    # note: -F with no chain name flushes every chain, including the DROP rule above
    ebtables -F
    # mark bridged IPv4 frames from the host; CONTINUE keeps evaluating later rules
    ebtables -A FORWARD -p 0800 --ip-src 140.160.214.86 -j mark --set-mark 2 --mark-target CONTINUE

    # eth0: HTB root, one 500kbit class hanging directly off the root qdisc 1:,
    # and an fw filter that steers frames carrying mark 2 into that class
    tc qdisc del dev eth0 root
    tc qdisc add dev eth0 root handle 1: htb default 10
    tc class add dev eth0 parent 1: classid 1:2 htb rate 500kbit
    tc filter add dev eth0 protocol ip parent 1: prio 1 handle 2 fw flowid 1:2

    # eth1: same again, so the limit applies whichever port the frame leaves
    tc qdisc del dev eth1 root
    tc qdisc add dev eth1 root handle 1: htb default 10
    tc class add dev eth1 parent 1: classid 1:2 htb rate 500kbit
    tc filter add dev eth1 protocol ip parent 1: prio 1 handle 2 fw flowid 1:2
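The same mark-then-shape recipe as a small reusable script, added here as an example and not part of the original post. It assumes the post's layout (a bridge whose member ports are eth0 and eth1, overridable through BRIDGE_PORTS) and that ebtables and tc are on the path; the DRY_RUN switch, the function names and the second host 140.160.214.87 are my own constructions. It goes a little beyond the listing above: any number of hosts can be capped, each with its own mark and HTB class, and show_state gives the counters you check to confirm the mark is being set and the right class is filling up.

```shell
#!/bin/sh
# Added example, not from the original post: the mark-then-shape recipe
# as a reusable script. Assumes a bridge with member ports eth0 and eth1
# (as in the post) and ebtables/tc on the path. DRY_RUN=1 prints each
# command instead of running it, so the plan can be reviewed offline.
set -eu

BRIDGE_PORTS="${BRIDGE_PORTS:-eth0 eth1}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# shaper_init: put a fresh HTB root qdisc on every bridge port. Frames that
# match no filter go to "default 10", which is never created, so they leave
# through HTB's direct queue unshaped; only marked traffic is limited.
shaper_init() {
    for dev in $BRIDGE_PORTS; do
        run tc qdisc del dev "$dev" root 2>/dev/null || true
        run tc qdisc add dev "$dev" root handle 1: htb default 10
    done
}

# limit_ip MARK IP RATE: mark bridged IPv4 frames (ethertype 0x0800) from IP
# with MARK in the FORWARD chain, then give that mark its own HTB class and
# fw filter on every port, so the cap holds whichever port the frame exits.
# tc reads class ids as hex while the fw handle is the plain mark value,
# so the class id is derived from the mark once, here.
limit_ip() {
    mark=$1; ip=$2; rate=$3
    classid="1:$(printf '%x' "$mark")"
    run ebtables -A FORWARD -p 0800 --ip-src "$ip" \
        -j mark --set-mark "$mark" --mark-target CONTINUE
    for dev in $BRIDGE_PORTS; do
        run tc class add dev "$dev" parent 1: classid "$classid" htb rate "$rate"
        run tc filter add dev "$dev" protocol ip parent 1: prio 1 \
            handle "$mark" fw flowid "$classid"
    done
}

# show_state: packet counters per ebtables rule and bytes per HTB class,
# which is how you confirm the mark is set and the right class fills up.
show_state() {
    run ebtables -L FORWARD --Lc
    for dev in $BRIDGE_PORTS; do
        run tc -s class show dev "$dev"
    done
}

# Usage: sh shaper.sh apply   (DRY_RUN=1 sh shaper.sh apply to preview)
if [ "${1:-}" = apply ]; then
    shaper_init
    limit_ip 2 140.160.214.86 500kbit   # the host and rate from the post
    limit_ip 3 140.160.214.87 1mbit     # constructed second host
    show_state
fi
```

Unlike the listing above, this never runs a bare ebtables -F, so an existing DROP rule in FORWARD survives; the price is that running limit_ip twice for the same host appends a duplicate mark rule, which ebtables -L FORWARD --Lc will show.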
This works really well for limiting iperf. It's fun to watch the Windows XP network graph hit various plateaus as I set different limits. I can't wait to start testing this with more of a load. We should get a test box into Bond Hall.