Bridge Firewall General Description
Home menu level: /interface bridge filter , /interface bridge nat , /interface bridge broute
Description
The bridge firewall implements packet filtering and thereby provides security functions that are
used to manage data flow to, from and through the bridge.
Note that packets between bridged interfaces, just like any other IP traffic, are also passed through
the 'generic' /ip firewall rules (but bridging filters are always applied before IP filters/NAT of the
built-in chain of the same name, except for the output which is executed after IP Firewall Output).
These rules can be used with real, physical receiving/transmitting interfaces, as well as with the
bridge interface itself, which simply groups the bridged interfaces.
There are three bridge filter tables:
• filter - bridge firewall with three predefined chains:
    • input - filters packets whose destination is the bridge (including those packets that will
      be routed, as they are in any case destined to the bridge MAC address)
    • output - filters packets that come from the bridge (including those packets that have
      been routed normally)
    • forward - filters packets that are to be bridged (note: this chain is not applied to the
      packets that should be routed through the router, only to those that are traversing between
      the ports of the same bridge)
• nat - bridge network address translation provides ways of changing the source/destination MAC
  addresses of the packets traversing a bridge. Has two built-in chains:
    • srcnat - used for "hiding" a host or a network behind a different MAC address. This chain
      is applied to the packets leaving the router through a bridged interface
    • dstnat - used for redirecting some packets to other destinations
• broute - makes the bridge a brouter, i.e. a router that performs routing on some of the packets and
  bridging on others. Has one predefined chain: brouting, which is traversed right after a
  packet enters an enslaved interface (before the "Bridging Decision")
Note: the bridge destination NAT is executed before the bridging decision.
You can put packet marks in the bridge firewall (filter, broute and NAT); these are the same as the
packet marks put in the IP firewall by mangle. So packet marks put by the bridge firewall can be used in the IP
firewall, and vice versa.
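The following rule set is an added example, not part of the MikroTik manual: it restricts port-to-port traffic in the bridge filter forward chain, marks bridged IPv4 frames there, and matches that mark in the ordinary IP firewall. It assumes a bridge named bridge1, the packet-mark name bridged-ipv4, and current RouterOS syntax (action=mark-packet / new-packet-mark).

```routeros
# Added example (not from the manual). Assumed names: bridge1, bridged-ipv4.

# --- bridge filter: only frames traversing between ports of the same bridge
# pass the forward chain; frames the router itself routes hit input/output
# instead, so port-to-port restrictions belong here.
/interface bridge filter
# ARP must stay open or hosts on the bridged ports cannot resolve each other.
add chain=forward mac-protocol=arp action=accept \
    comment="bridge: allow ARP"
# Tag IPv4 frames with a packet mark but keep evaluating rules
# (passthrough=yes); /ip firewall sees the same mark.
add chain=forward mac-protocol=ip action=mark-packet \
    new-packet-mark=bridged-ipv4 passthrough=yes comment="bridge: mark IPv4"
add chain=forward mac-protocol=ip action=accept \
    comment="bridge: allow IPv4"
# Any other ethertype is dropped; the rule counter shows what was rejected.
add chain=forward action=drop \
    comment="bridge: drop other ethertypes"

# --- IP firewall: the mark set above is matched as if mangle had set it.
# Bridged frames must also be handed to /ip firewall; on recent RouterOS
# that is enabled with: /interface bridge settings set use-ip-firewall=yes
/ip firewall filter
add chain=forward packet-mark=bridged-ipv4 protocol=tcp dst-port=445 \
    action=drop comment="no SMB between bridged segments"

# --- check: per-rule counters confirm which chain actually saw the frames.
/interface bridge filter print stats
```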
General bridge firewall properties are described in this section. Some parameters that differ between
nat, broute and filter rules are described in further sections.
Property Description
802.3-sap ( integer ) - DSAP (Destination Service Access Point) and SSAP (Source Service Access
Point) are two one-byte fields that identify the network protocol entities that use the link layer
service. These bytes are always equal. Two hexadecimal digits may be specified here to match an
Page 162 of 695
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registred trademarks mentioned herein are properties of their respective owners.