All of lore.kernel.org
From: Stephen Frost <sfrost@snowman.net>
To: Ranjeet Shetye <ranjeet.shetye@zultys.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Doing Bridge with firewalling
Date: Wed, 1 Jan 2003 10:08:01 -0500
Message-ID: <20030101150801.GR677@ns>
In-Reply-To: <001001c2b113$e2181800$0100a8c0@zultys.com>


* Ranjeet Shetye (ranjeet.shetye@zultys.com) wrote:
> I think I got it right :D.

Unfortunately not quite.

> Hence when you downsize your (layer 3) router into a (layer 2) bridge,
> your neo-bridge becomes a layer 2 entity and disappears from the layer 3
> i.e. it is no longer visible at layer 3. Therefore no firewalling, no
> NAT.

See, this isn't entirely correct.  A bridge passes around ethernet
frames, yes, *but* that does *NOT* mean that it can't modify those
frames.  It can, in fact, modify those frames for NATing purposes.
It can also do full state-based firewalling by watching the frames go by
and doing exactly what netfilter does today.

There's also an ebtables or some such out there for filtering based on
raw ethernet frames but basically everything in iptables will work too
with the right patches.  The only thing that won't is MASQ because your
ethernet interfaces don't have an IP address for MASQ to use, *however*,
you *CAN* do SNAT/DNAT/etc.

	Stephen
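The setup Stephen describes, as an added worked example that is not part of the thread: a transparent bridge with no IP address on its ports, stateful iptables filtering of the bridged frames, an explicit-address DNAT rule, and an ebtables layer 2 policy. It uses today's in-tree br_netfilter module, the physdev match and the conntrack match in place of the 2003 bridge-nf patches. The bridge and port names (br0, eth0, eth1) and the proxy address 10.0.0.5:3128 are assumptions of this example. With DRY_RUN=1 the script only prints the commands it would run; applying them needs root.

```shell
#!/bin/sh
# Transparent bridge firewall. Constructed example, not code from the thread.
# Names br0/eth0/eth1 and the proxy 10.0.0.5:3128 are assumptions.
# DRY_RUN=1 prints the commands instead of executing them (root needed otherwise).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_fw_setup BRIDGE LAN_PORT WAN_PORT PROXY_ADDR
bridge_fw_setup() {
    br="$1"; lan="$2"; wan="$3"; proxy="$4"

    # 1. Build the bridge. No IP address goes on the ports, so the box stays
    #    invisible at layer 3 while still seeing every frame that crosses it.
    run ip link add "$br" type bridge
    run ip link set "$lan" master "$br"
    run ip link set "$wan" master "$br"
    run ip link set "$lan" up
    run ip link set "$wan" up
    run ip link set "$br" up

    # 2. Hand bridged IPv4 frames to the iptables hooks (in-tree successor of
    #    the bridge-nf patches the message refers to).
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1

    # 3. Stateful filtering. Bridged traffic has no routing decision, so the
    #    physical ports are matched with the physdev module instead of -i/-o.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$lan" --physdev-out "$wan" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$wan" --physdev-out "$lan" \
        -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # 4. NAT with an explicit address works on the bridge: DNAT carries the
    #    target in the rule, whereas MASQUERADE reads the address of the
    #    outgoing interface, which a bare bridge port does not have.
    #    Here LAN web traffic is redirected to an assumed proxy host.
    run iptables -t nat -A PREROUTING -m physdev --physdev-in "$lan" \
        -p tcp --dport 80 -j DNAT --to-destination "$proxy":3128

    # 5. Layer 2 policy with ebtables: only IPv4 and ARP frames may cross.
    run ebtables -P FORWARD DROP
    run ebtables -A FORWARD -p IPv4 -j ACCEPT
    run ebtables -A FORWARD -p ARP -j ACCEPT
}

# Number of iptables/ebtables rules a configuration installs (dry-run review).
rule_count() {
    DRY_RUN=1 bridge_fw_setup "$@" | grep -c -e '^iptables' -e '^ebtables'
}

if [ "${BRIDGE_FW_APPLY:-0}" = "1" ]; then
    bridge_fw_setup "${BR:-br0}" "${LAN_IF:-eth0}" "${WAN_IF:-eth1}" "${PROXY:-10.0.0.5}"
fi
```

Review the rule set first with `DRY_RUN=1 BRIDGE_FW_APPLY=1 sh bridge-fw.sh`, then apply it as root with `BRIDGE_FW_APPLY=1 sh bridge-fw.sh`. The physdev match is what ties each rule to a bridge port; without it, -i and -o would see only the bridge device and the direction of the connection would be lost.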


Thread overview: 15+ messages
2002-12-31 10:51 Doing Bridge with firewalling Afshin Lamei
2002-12-31 16:08 ` Kevin McConnell
2002-12-31 19:03 ` Brad Chapman
2002-12-31 20:23   ` Kevin McConnell
2002-12-31 20:27     ` Stephen Frost
2002-12-31 20:47       ` Kevin McConnell
2002-12-31 20:54         ` Stephen Frost
2002-12-31 21:30           ` Ranjeet Shetye
2002-12-31 22:19             ` Kevin McConnell
2003-01-01 15:10               ` Stephen Frost
2003-01-01 15:08             ` Stephen Frost [this message]
2003-01-06 14:16               ` Toshihiro Sonoda
2003-01-06 15:03                 ` Stephen Frost
2002-12-31 22:01           ` Kevin McConnell
2002-12-31 22:31           ` Arnt Karlsen
