From: "Toshihiro Sonoda" <toshihiro@jp.fujitsu.com>
To: netfilter@lists.netfilter.org
Subject: Re: Doing Bridge with firewalling
Date: Mon, 6 Jan 2003 23:16:56 +0900
Message-ID: <01db01c2b58e$45d585c0$4f1ae2da@monday>
In-Reply-To: 20030101150801.GR677@ns

hi,

What is eptables?
Where can I get information about it?

toshihiro

----- Original Message ----- 
From: "Stephen Frost" <sfrost@snowman.net>
To: "Ranjeet Shetye" <ranjeet.shetye@zultys.com>
Cc: <netfilter@lists.netfilter.org>
Sent: Thursday, January 02, 2003 12:08 AM
Subject: Re: Doing Bridge with firewalling

* Ranjeet Shetye (ranjeet.shetye@zultys.com) wrote:
> I think I got it right :D.

Unfortunately not quite.

> Hence when you downsize your (layer 3) router into a (layer 2) bridge,
> your neo-bridge becomes a layer 2 entity and disappears from the layer 3
> i.e. it is no longer visible at layer 3. Therefore no firewalling, no
> NAT.

See, this isn't entirely correct.  A bridge passes around ethernet
frames, yes, *but* that does *NOT* mean that it can't modify those
frames.  It can, in fact, modify those frames for NATing purposes.
It can also do full state-based firewalling by watching the frames go by
and doing exactly what netfilter does today.

There's also an eptables or some such out there for filtering based on
raw ethernet frames but basically everything in iptables will work too
with the right patches.  The only thing that won't is MASQ because your
ethernet interfaces don't have an IP address for MASQ to use, *however*,
you *CAN* do SNAT/DNAT/etc.

 Stephen
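
The setup Stephen describes, as an added example that is not part of the thread and not netfilter project code: a transparent bridge whose frames are still inspected by a stateful iptables ruleset, with explicit SNAT and DNAT in place of MASQUERADE. The layer-2 filter he is reaching for ("eptables or some such") is ebtables. The bridge name, port names, prefixes and addresses are constructed placeholders, and the script assumes a kernel with the br_netfilter module and the iptables physdev match, which on current kernels take the place of the bridge-nf patches needed in 2003. By default it only prints the commands; set RUN=1 to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): a bridging firewall with stateful
# filtering plus explicit SNAT/DNAT. Names and addresses below are constructed.
# Assumes br_netfilter and the iptables physdev match are available.

BR=br0                # assumed bridge device
OUTSIDE=eth0          # assumed port facing the uplink
INSIDE=eth1           # assumed port facing the LAN
LAN=192.168.10.0/24   # constructed prefix of the hosts behind INSIDE
BR_IP=192.0.2.10      # constructed address on the bridge device, used as the SNAT source
WEB=192.168.10.20     # constructed internal web server published via DNAT

# Print each command unless RUN=1, so the ruleset can be reviewed before it is applied.
apply() {
  if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

build_bridge() {
  apply ip link add name "$BR" type bridge
  apply ip link set "$OUTSIDE" master "$BR"
  apply ip link set "$INSIDE" master "$BR"
  # The ports stay addressless; only the bridge device itself carries an IP.
  apply ip addr add "$BR_IP/24" dev "$BR"
  apply ip link set "$BR" up
  # Hand bridged IPv4 frames to iptables (what the 2003 bridge-nf patch did).
  apply modprobe br_netfilter
  apply sysctl -w net.bridge.bridge-nf-call-iptables=1
}

layer2_rules() {
  # Frame-level policy in ebtables: only ARP and IPv4 may cross the bridge.
  apply ebtables -P FORWARD DROP
  apply ebtables -A FORWARD -p ARP -j ACCEPT
  apply ebtables -A FORWARD -p IPv4 -j ACCEPT
}

stateful_rules() {
  # The same conntrack-based policy a routing firewall would use, keyed on
  # the physical bridge port a frame entered or leaves through.
  apply iptables -P FORWARD DROP
  apply iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  apply iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
  apply iptables -A FORWARD -m physdev --physdev-in "$INSIDE" --physdev-out "$OUTSIDE" -s "$LAN" -j ACCEPT
  apply iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -d "$WEB" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

nat_rules() {
  # DNAT: publish the internal web server on the bridge's own address.
  apply iptables -t nat -A PREROUTING -m physdev --physdev-in "$OUTSIDE" -d "$BR_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB:80"
  # SNAT with an explicit source; MASQUERADE is not used because the bridge
  # ports have no address of their own for it to pick.
  apply iptables -t nat -A POSTROUTING -o "$BR" -m physdev --physdev-out "$OUTSIDE" -s "$LAN" -j SNAT --to-source "$BR_IP"
}

render_all() {
  build_bridge
  layer2_rules
  stateful_rules
  nat_rules
}

# True only if the generated ruleset relies on MASQUERADE (it should not).
uses_masquerade() { render_all | grep -q MASQUERADE; }

render_all
```

Review the printed commands first; with RUN=1 the same functions execute them, and ebtables and iptables each keep their own FORWARD policy, so a frame must pass both the layer-2 protocol check and the conntrack rules before it is bridged.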


Thread overview: 15+ messages
2002-12-31 10:51 Doing Bridge with firewalling Afshin Lamei
2002-12-31 16:08 ` Kevin McConnell
2002-12-31 19:03 ` Brad Chapman
2002-12-31 20:23   ` Kevin McConnell
2002-12-31 20:27     ` Stephen Frost
2002-12-31 20:47       ` Kevin McConnell
2002-12-31 20:54         ` Stephen Frost
2002-12-31 21:30           ` Ranjeet Shetye
2002-12-31 22:19             ` Kevin McConnell
2003-01-01 15:10               ` Stephen Frost
2003-01-01 15:08             ` Stephen Frost
2003-01-06 14:16               ` Toshihiro Sonoda [this message]
2003-01-06 15:03                 ` Stephen Frost
2002-12-31 22:01           ` Kevin McConnell
2002-12-31 22:31           ` Arnt Karlsen
