From: Patrick McHardy <kaber@trash.net>
To: Philip Craig <philipc@snapgear.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH] support --physdev-out for routed packets
Date: Fri, 13 Jul 2007 15:12:38 +0200
Message-ID: <46977A46.1010200@trash.net>
In-Reply-To: <4696CE1B.1090600@snapgear.com>

Philip Craig wrote:
> Patrick McHardy wrote:
> 
>>The thing I still don't get
>>is .. if you combine a bunch of devices in a bridge, why would you
>>care which port a packet will leave through? If you already know
>>behind which port something is reachable, why use a bridge? And if
>>you don't know I suppose you have nothing to filter by.
>>
> 
> 
> The devices in the bridge represent different security zones.
> Using a bridging firewall gives physical separation of these zones
> without requiring additional IP networks or configuration changes
> for the machines on those networks.  The security policy has rules
> defined primarily in terms of the zones, not the individual machines
> in those zones.  Matching on just IP address is not enough, because
> it does not enforce the physical separation.
> 
> We definitely could configure the firewall to know which address
> is behind which port, and enforce this in ebtables.  This is the
> solution Shorewall has used (I haven't looked to see if it enforces
> the ports).  But that requires more configuration.  Basically it is
> just a convenience argument.  I'll definitely be trying to migrate
> things to this setup though.


I believe multiple bridges would be the best choice here, you
get the separation for free.
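The three designs discussed above (zone policy via physdev matches on one bridge, ebtables pinning each subnet to its port as Philip describes for Shorewall, and Patrick's one-bridge-per-zone layout) side by side, as an added example that is not part of this thread. It assumes a firewall with ports eth1 (lan, 192.0.2.0/24) and eth2 (dmz, 198.51.100.0/24); IPT and EBT default to echo so the script only prints the rules it would load.

```shell
#!/bin/sh
# Constructed example: zone separation on a bridging firewall.
# Assumed: eth1 = lan zone (192.0.2.0/24), eth2 = dmz zone (198.51.100.0/24).
# Dry run by default; set IPT=iptables EBT=ebtables to actually load rules.
IPT=${IPT:-echo iptables}
EBT=${EBT:-echo ebtables}

# Design 1: one bridge (br0) holding both ports. Zones exist only as bridge
# ports, so the FORWARD policy must match on physdev in/out. --physdev-out is
# only meaningful for traffic that stays bridged, hence --physdev-is-bridged
# on the catch-all drop.
physdev_policy() {
    $IPT -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth2 \
         -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in eth2 --physdev-out eth1 \
         -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-is-bridged -j DROP
}

# Design 2: same single bridge, but ebtables pins each subnet to its port so a
# host on the dmz port cannot pass filtering by claiming a lan address. This is
# the extra per-port configuration the thread mentions.
ebtables_pin() {
    $EBT -A FORWARD -p IPv4 -i eth1 --ip-src ! 192.0.2.0/24 -j DROP
    $EBT -A FORWARD -p IPv4 -i eth2 --ip-src ! 198.51.100.0/24 -j DROP
}

# Design 3: one bridge per zone (br_lan holds eth1, br_dmz holds eth2) with the
# firewall routing between them. The zone is now the interface itself, so plain
# -i/-o matches enforce the separation without physdev or ebtables.
multi_bridge_policy() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i br_lan -o br_dmz -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i br_dmz -o br_lan \
         -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

physdev_policy
ebtables_pin
multi_bridge_policy
```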
