From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: NAT on stateless firewall ?
Date: Sun, 05 Aug 2007 20:04:37 -0500
Message-ID: <46B673A5.6030303@riverviewtech.net>
In-Reply-To: <46B6300A.7020404@rtij.nl>

On 8/5/2007 3:16 PM, Martijn Lievaart wrote:
> I remember using this with host routes. The arp makes the packet arrive,
> routing gets it to its destination. I'm actually surprised the above
> does not work. Unfortunately I currently have no setup to test this.
> Can anyone explain why it doesn't work?

Please keep in mind that ARP is a method to identify the MAC address of
an IP address in the same subnet, nothing more.

If two hosts in the same subnet want to communicate with each other they
will send the traffic to each other's MAC address.  If the sending host
does not know the MAC address of the target host, the sending host will
then send an ARP request to locate the MAC address of the target host.
Once the sending host knows the MAC address of the target host it will
send the actual traffic directly to the target host.

If two hosts *NOT* in the same subnet want to communicate with each
other they will send the traffic via a (default) gateway.  The gateway
into the target subnet will then send the traffic to the target's MAC
address.  If the gateway does not know the MAC address of the target
host it will send an ARP request to locate the MAC address.  Once the
gateway knows the MAC address of the target host it will send the actual
traffic directly to the target host.

Consider the following scenario.

+--------+   +-----------------+   +--------+
| Host A +---+ (1) Gateway (2) +---+ Host B |
+--------+   +-----------------+   +--------+

Host A has a static MAC address entry for the Gateway NIC (1).
Gateway has a static MAC address entry for Host A.
Gateway has a static MAC address entry for Host B.
Host B has a static MAC address entry for the Gateway NIC (2).

As long as Host A has a route to Host B by way of Gateway NIC (1) and
Host B has a route to Host A by way of Gateway NIC (2), then hosts A and
B can communicate with each other without having to use ARP at all.

You stated "... arp makes the packet arrive ...", which I must disagree
with.  The sending host sends the traffic to the target host's / gateway's
NIC.  ARP is used by the sending host to learn the MAC address of the
target host / gateway in the event that the sending host does not
already know it.  Other than converting an IP address to a MAC address,
ARP has nothing to do with the communications between two systems.



Grant. . . .
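
The decision flow Grant describes (route lookup picks the next hop; the neighbour cache supplies the next hop's MAC; ARP is consulted only when that cache entry is missing) can be modelled directly. The following is an added example written for this archive page, not code from the thread or from the netfilter project. It builds the Host A / Gateway / Host B diagram from the message with constructed addresses from documentation ranges (192.0.2.0/24, 198.51.100.0/24), constructed locally-administered MACs and invented interface names (`eth0`, `nic1`, `nic2`), then traces a packet from A to B both with the four static neighbour entries listed above and without them.

```python
"""Model of next-hop selection and ARP on the Host A / Gateway / Host B topology.

Added example for the mailing-list page; addresses, MACs and interface
names are constructed, not taken from any real network.
"""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


@dataclass
class Node:
    """A host or router: its own addresses, routing table and neighbour (ARP) cache."""
    name: str
    addresses: set                      # IPv4 addresses owned by this node
    routes: list                        # (network, gateway-or-None, iface); longest prefix wins
    neigh: dict = field(default_factory=dict)   # (iface, next_hop_ip) -> MAC, static entries
    arp_sent: list = field(default_factory=list)  # (iface, next_hop_ip) ARP requests this node emitted

    def route_lookup(self, dst):
        """Longest-prefix match; an on-link route makes the destination itself the next hop."""
        dst = IPv4(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
        return (IPv4(gw) if gw else dst, iface)

    def l2_destination(self, dst):
        """Return (next_hop_ip, iface, mac, arp_needed) for a packet to dst.

        ARP is involved only when the *next hop's* MAC is not already cached;
        the final destination's MAC is never asked for across a subnet boundary.
        """
        nh, iface = self.route_lookup(dst)
        mac = self.neigh.get((iface, nh))
        if mac is None:
            self.arp_sent.append((iface, str(nh)))
            return nh, iface, None, True
        return nh, iface, mac, False


def trace(nodes, src, dst):
    """Follow the packet hop by hop; each entry is (node, next_hop_ip, mac, arp_needed)."""
    path, node, dst_ip = [], nodes[src], IPv4(dst)
    while True:
        nh, iface, mac, arp = node.l2_destination(dst_ip)
        path.append((node.name, str(nh), mac, arp))
        if nh == dst_ip:                # delivered on-link, nothing more to forward
            return path
        # hand the frame to whichever node owns the next-hop address (the gateway)
        node = next(n for n in nodes.values() if nh in n.addresses)


NET_A = ipaddress.ip_network("192.0.2.0/24")        # constructed, documentation range
NET_B = ipaddress.ip_network("198.51.100.0/24")     # constructed, documentation range
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def build_scenario(static_entries=True):
    """The diagram from the message: A -- (1) Gateway (2) -- B, with routes via the gateway."""
    gw_nic1, gw_nic2 = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed MACs
    mac_a, mac_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"       # constructed MACs
    host_a = Node("Host A", {IPv4("192.0.2.10")},
                  [(NET_A, None, "eth0"), (DEFAULT, "192.0.2.1", "eth0")])
    gateway = Node("Gateway", {IPv4("192.0.2.1"), IPv4("198.51.100.1")},
                   [(NET_A, None, "nic1"), (NET_B, None, "nic2")])
    host_b = Node("Host B", {IPv4("198.51.100.10")},
                  [(NET_B, None, "eth0"), (DEFAULT, "198.51.100.1", "eth0")])
    if static_entries:
        # the four static MAC entries listed in the message
        host_a.neigh[("eth0", IPv4("192.0.2.1"))] = gw_nic1
        gateway.neigh[("nic1", IPv4("192.0.2.10"))] = mac_a
        gateway.neigh[("nic2", IPv4("198.51.100.10"))] = mac_b
        host_b.neigh[("eth0", IPv4("198.51.100.1"))] = gw_nic2
    return {"Host A": host_a, "Gateway": gateway, "Host B": host_b}


if __name__ == "__main__":
    for static in (True, False):
        nodes = build_scenario(static_entries=static)
        print(f"static entries: {static}")
        for hop in trace(nodes, "Host A", "198.51.100.10"):
            print("  ", hop)
        print("   ARP requests:", [(n.name, n.arp_sent) for n in nodes.values() if n.arp_sent])
```

With the static entries in place the trace shows Host A framing the packet to the gateway's NIC (1) MAC and the gateway framing it to Host B's MAC, and no node emits an ARP request; removing the entries changes nothing about where the packet is sent, only that each hop first has to resolve its next hop's MAC. Host A never asks for Host B's MAC in either case, which is the point of the message.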


Thread overview: 17+ messages
2007-08-02 23:08 NAT on stateless firewall ? Florin Andrei
2007-08-03  1:49 ` Gregory Carter
2007-08-03  3:30 ` Florin Andrei
2007-08-03  4:10   ` Grant Taylor
2007-08-03  9:55 ` Pascal Hambourg
2007-08-03 18:23   ` Florin Andrei
2007-08-03 19:11     ` Florin Andrei
2007-08-03 19:15       ` Martijn Lievaart
2007-08-03 19:56         ` Florin Andrei
2007-08-03 20:37           ` Martijn Lievaart
2007-08-03 20:51           ` Grant Taylor
2007-08-05 20:16             ` Martijn Lievaart
2007-08-06  1:04               ` Grant Taylor [this message]
2007-08-06  5:01                 ` Martijn Lievaart
2007-08-06 14:11                   ` Grant Taylor
2007-08-03 19:23       ` Grant Taylor
2007-08-03 19:53       ` Pascal Hambourg