Re: 2.2.5 kernel/routing/firewalling

John Fulmer (jfulmer@appin.org)
Tue, 13 Apr 1999 13:49:54 -0500 (CDT)


On Tue, 13 Apr 1999, T. S. Horsnell wrote:

> I'm hoping to set up a linux/ipchains firewall on a dedicated
> machine (no proxy/masquerading etc) but I don't want this
> machine to have to be my default router. My lab is on a
> branch of a campus ethernet which provides routing to the
> internet and all I want to do is apply filters to the stuff between
> my lab and the campus, see diag.
>

<Stuff deleted>

What you are talking about is a bridge. However, most firewall
configurations act as a gateway.

Why? Bridges generally are only worried about network packets, in this
case ethernet. It sees a packet on one side, determines that the recipient
may be on the other side, and retransmits the packet on that side. It
doesn't care if it is IP or IPX or SMB or whatever. It's taking care of
ethernet packets.

Firewalls, on the other hand, look at IP packets, determine whether they
should pass the packet based on the source/destination addresses, and on
the port and protocol numbers, and then either pass it on (generally
with some rewriting of the IP headers) or drop it. Much more work
intensive and needs much more information than just the ethernet headers.

So, you really should/have to use your firewall as a gateway device. Doing
it as a bridge will leak packets both ways, and won't give you much in the
way of security.

There are some 'transparent' security devices out there, but IMHO, they
aren't.

jf

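The bridge-versus-gateway distinction above, as an added example that is not part of the original post or the author's setup: the script below constructs a few Ethernet frames (test data, checksums left zero), decodes them, and runs each through two decision functions. The bridge decision uses nothing but the destination MAC and a learned MAC table, so it forwards IP and non-IP (here IPX) frames alike; the gateway-style filter needs the IP addresses, protocol and port, applies a default-deny rule list, and never forwards non-IP traffic at all. The MAC addresses, IP ranges, rule set and port names are all constructed for the example.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137      # a non-IP protocol, as mentioned in the post
PROTO_TCP, PROTO_UDP = 6, 17

def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes = b"") -> bytes:
    """14-byte Ethernet II header followed by an arbitrary payload (constructed test data)."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload

def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """IPv4 header without options plus a 20-byte TCP SYN header; checksums are zero (test data)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header, and only for IPv4 go on to the IP and TCP/UDP headers."""
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    f = Frame(bytes_to_mac(dst), bytes_to_mac(src), etype)
    if etype != ETHERTYPE_IPV4 or len(raw) < 34:
        return f                     # a bridge never needs anything beyond this point
    ihl = (raw[14] & 0x0F) * 4       # IP header length in bytes
    fields = struct.unpack("!BBHHHBBH4s4s", raw[14:34])
    f.proto = fields[6]
    f.src_ip = str(ipaddress.IPv4Address(fields[8]))
    f.dst_ip = str(ipaddress.IPv4Address(fields[9]))
    l4 = raw[14 + ihl:]
    if f.proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        f.sport, f.dport = struct.unpack("!HH", l4[:4])
    return f

def bridge_forward(frame: Frame, ingress: str, mac_table: Dict[str, str], ports: List[str]) -> List[str]:
    """Layer-2 decision: only the destination MAC is consulted; the ethertype is ignored."""
    out = mac_table.get(frame.dst_mac)
    if out is None:
        return [p for p in ports if p != ingress]   # unknown destination: flood the other side
    return [] if out == ingress else [out]

@dataclass
class Rule:
    src: str            # CIDR
    dst: str            # CIDR
    proto: Optional[int]
    dport: Optional[int]
    action: str

def firewall_forward(frame: Frame, rules: List[Rule]) -> str:
    """Layer-3 decision in the gateway model: non-IP frames are never routed,
    IP packets are matched against the rules in order, default DROP."""
    if frame.ethertype != ETHERTYPE_IPV4 or frame.src_ip is None:
        return "DROP"
    for r in rules:
        if (ipaddress.ip_address(frame.src_ip) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(frame.dst_ip) in ipaddress.ip_network(r.dst)
                and (r.proto is None or r.proto == frame.proto)
                and (r.dport is None or r.dport == frame.dport)):
            return r.action
    return "DROP"

def demo() -> Dict[str, object]:
    """Constructed scenario: lab host 192.168.5.10 behind the box, campus host 10.1.2.3 outside."""
    lab, campus = "lab", "campus"
    mac_table = {"00:00:00:00:00:01": lab, "00:00:00:00:00:02": campus}
    rules = [
        Rule("192.168.5.0/24", "0.0.0.0/0", None, None, "ACCEPT"),   # lab may talk out freely
        Rule("0.0.0.0/0", "192.168.5.0/24", PROTO_TCP, 22, "ACCEPT"), # only ssh allowed in
    ]
    def inbound(ethertype: int, payload: bytes) -> Frame:
        return parse_frame(build_frame("00:00:00:00:00:01", "00:00:00:00:00:02", ethertype, payload))
    ssh = inbound(ETHERTYPE_IPV4, build_ipv4_tcp("10.1.2.3", "192.168.5.10", 40000, 22))
    telnet = inbound(ETHERTYPE_IPV4, build_ipv4_tcp("10.1.2.3", "192.168.5.10", 40001, 23))
    ipx = inbound(ETHERTYPE_IPX, b"\x00" * 30)
    return {
        "bridge_ssh": bridge_forward(ssh, campus, mac_table, [lab, campus]),
        "bridge_telnet": bridge_forward(telnet, campus, mac_table, [lab, campus]),
        "bridge_ipx": bridge_forward(ipx, campus, mac_table, [lab, campus]),
        "fw_ssh": firewall_forward(ssh, rules),
        "fw_telnet": firewall_forward(telnet, rules),
        "fw_ipx": firewall_forward(ipx, rules),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

Running it shows the bridge forwarding all three inbound frames to the lab side purely on the destination MAC, while the gateway-style filter accepts only the ssh packet, drops the telnet packet because no rule matches, and drops the IPX frame because it is not IP and a router has nothing to do with it.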
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/