nftables and bridgeDebian network disappearingHow to do Masquerading with NFTablesnftables ip set multiple tablesSet up nftables to only allow connections through a vpn and block all ipv6 trafficNftables configuration error: conflicting protocols specified: inet-service v. icmpInternet access in LXC container with nftablesWhen and how to use chain priorities in nftablesHow to use wildcard in a list with nftablesLinux bridge SNAT with ebtablesNftables rules dissapiered after reboot!
Infinite Abelian subgroup of infinite non Abelian group example
How do I write bicross product symbols in latex?
When a company launches a new product do they "come out" with a new product or do they "come up" with a new product?
Why is Collection not simply treated as Collection<?>
Arrow those variables!
Is it possible to run Internet Explorer on OS X El Capitan?
What does it mean to describe someone as a butt steak?
Today is the Center
Western buddy movie with a supernatural twist where a woman turns into an eagle at the end
I would say: "You are another teacher", but she is a woman and I am a man
In Romance of the Three Kingdoms why do people still use bamboo sticks when paper had already been invented?
Modeling an IP Address
Is it possible to create light that imparts a greater proportion of its energy as momentum rather than heat?
Would Slavery Reparations be considered Bills of Attainder and hence Illegal?
What killed these X2 caps?
Why do I get two different answers for this counting problem?
If human space travel is limited by the G force vulnerability, is there a way to counter G forces?
How do conventional missiles fly?
Emailing HOD to enhance faculty application
Is it canonical bit space?
Can a rocket refuel on Mars from water?
How is it possible to have an ability score that is less than 3?
Facing a paradox: Earnshaw's theorem in one dimension
How can I tell someone that I want to be his or her friend?
nftables and bridge
Debian network disappearingHow to do Masquerading with NFTablesnftables ip set multiple tablesSet up nftables to only allow connections through a vpn and block all ipv6 trafficNftables configuration error: conflicting protocols specified: inet-service v. icmpInternet access in LXC container with nftablesWhen and how to use chain priorities in nftablesHow to use wildcard in a list with nftablesLinux bridge SNAT with ebtablesNftables rules dissapiered after reboot!
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I would like to set firewall with nftables on PC B on interface eth1 (input only). Using whitelisting. Diagram is simplified (there is more VLANs) and everything work fine except bridge.
Requirements:
- main policy drop
- allow http (management of switch)
- allow snmp
And I have problem with first one - main policy drop.
I found some instruction but it is not working for me. I tried something similar to my table inet filter. Drop all:
table bridge br
chain input
type filter hook forward priority 0; policy drop;
PC A can still ping to SWITCH and connect to management of SWITCH via http.
- tried hook input too
- br99 is standard bridge set up with wicked
- PCs - OpenSuse 42.3
- nftables version 0.5
- table inet has no impact to eth1.99
It is very simplified diagram. There is more switches and pcs in my system. I can not change network. PC A must have connection to the SWITCH. On interface br99 is the same network for snmp for PC A.
EDIT:
With nftables 0.8.2 this configuration works.
firewall bridge nftables
asked 2 days ago
2ndChosenOne2ndChosenOne
11
New contributor
2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
I would like to set firewall with nftables on PC B on interface eth1 (input only). Using whitelisting. Diagram is simplified (there is more VLANs) and everything work fine except bridge.
Requirements:
- main policy drop
- allow http (management of switch)
- allow snmp
And I have problem with first one - main policy drop.
I found some instruction but it is not working for me. I tried something similar to my table inet filter. Drop all:
table bridge br
chain input
type filter hook forward priority 0; policy drop;
PC A can still ping to SWITCH and connect to management of SWITCH via http.
- tried hook input too
- br99 is standard bridge set up with wicked
- PCs - OpenSuse 42.3
- nftables version 0.5
- table inet has no impact to eth1.99
It is very simplified diagram. There is more switches and pcs in my system. I can not change network. PC A must have connection to the SWITCH. On interface br99 is the same network for snmp for PC A.
EDIT:
With nftables 0.8.2 this configuration works.
firewall bridge nftables
asked 2 days ago
2ndChosenOne2ndChosenOne
11
New contributor
2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).
– A.B
2 days ago
You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).
– A.B
2 days ago
thanks, you are right. with nftables 0.8.2 configuration works perfect too.
– 2ndChosenOne
21 hours ago
add a comment |
I would like to set firewall with nftables on PC B on interface eth1 (input only). Using whitelisting. Diagram is simplified (there is more VLANs) and everything work fine except bridge.
Requirements:
- main policy drop
- allow http (management of switch)
- allow snmp
And I have problem with first one - main policy drop.
I found some instruction but it is not working for me. I tried something similar to my table inet filter. Drop all:
table bridge br
chain input
type filter hook forward priority 0; policy drop;
PC A can still ping to SWITCH and connect to management of SWITCH via http.
- tried hook input too
- br99 is standard bridge set up with wicked
- PCs - OpenSuse 42.3
- nftables version 0.5
- table inet has no impact to eth1.99
It is very simplified diagram. There is more switches and pcs in my system. I can not change network. PC A must have connection to the SWITCH. On interface br99 is the same network for snmp for PC A.
EDIT:
With nftables 0.8.2 this configuration works.
firewall bridge nftables
asked 2 days ago
2ndChosenOne2ndChosenOne
11
New contributor
2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I would like to set firewall with nftables on PC B on interface eth1 (input only). Using whitelisting. Diagram is simplified (there is more VLANs) and everything work fine except bridge.
Requirements:
- main policy drop
- allow http (management of switch)
- allow snmp
And I have problem with first one - main policy drop.
I found some instruction but it is not working for me. I tried something similar to my table inet filter. Drop all:
table bridge br
chain input
type filter hook forward priority 0; policy drop;
PC A can still ping to SWITCH and connect to management of SWITCH via http.
- tried hook input too
- br99 is standard bridge set up with wicked
- PCs - OpenSuse 42.3
- nftables version 0.5
- table inet has no impact to eth1.99
It is very simplified diagram. There is more switches and pcs in my system. I can not change network. PC A must have connection to the SWITCH. On interface br99 is the same network for snmp for PC A.
EDIT:
With nftables 0.8.2 this configuration works.
firewall bridge nftables
firewall bridge nftables
asked 2 days ago
2ndChosenOne2ndChosenOne
11
New contributor
2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 2 days ago
2ndChosenOne2ndChosenOne
11
New contributor
2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 21 hours ago
2ndChosenOne
asked 2 days ago
2ndChosenOne2ndChosenOne
11
New contributor
2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 2 days ago
2ndChosenOne2ndChosenOne
11
asked 2 days ago
2ndChosenOne2ndChosenOne
11
11
New contributor
2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).
– A.B
2 days ago
You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).
– A.B
2 days ago
thanks, you are right. with nftables 0.8.2 configuration works perfect too.
– 2ndChosenOne
21 hours ago
add a comment |
rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).
– A.B
2 days ago
You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).
– A.B
2 days ago
thanks, you are right. with nftables 0.8.2 configuration works perfect too.
– 2ndChosenOne
21 hours ago
rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).
– A.B
2 days ago
rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).
– A.B
2 days ago
You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).
– A.B
2 days ago
You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).
– A.B
2 days ago
thanks, you are right. with nftables 0.8.2 configuration works perfect too.
– 2ndChosenOne
21 hours ago
thanks, you are right. with nftables 0.8.2 configuration works perfect too.
– 2ndChosenOne
21 hours ago
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510083%2fnftables-and-bridge%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.
2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.
2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.
2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510083%2fnftables-and-bridge%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).
– A.B
2 days ago
You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).
– A.B
2 days ago
thanks, you are right. with nftables 0.8.2 configuration works perfect too.
– 2ndChosenOne
21 hours ago