Re: bridging and IP-filtering

Chris Osicki (osk@gd2.swissptt.ch)
Mon, 19 Jul 1999 22:30:40 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Gregory Maxwell: "Re: Measured overhead of timer interrupts"
Previous message: Gregory Maxwell: "Re: bridging and IP-filtering"

> On Mon, 19 Jul 1999, Chris Osicki wrote:
>
> [IP layer filtering, with bridging code]
> > And to talk to someone on the same network (wire) all it needs is
> > a MAC address of the other host, nothing else.
> > SunScreen from Sun proves it can be done, at least with Solaris.
> > And after all, there can't be anything other OSes
> > can do what Linux couldn't ;-)
>
>
> I've accomplished this before, just not with the bridging code..
> There is (at least when I did this w/ 2.0 kernel) a flag you can pass to
> arp to make the linux box proxy arp for all addresses on one side to the
> other. Then you enable packet forwarding and use normal IP filtering.
>
> This weird arp masqueraid is much like a bridge but you can use IP
> filtering. I did this so that I could transparently drop a firewall into
> an existing network.
>
>

I did it as well and it works fine. The drawbacks are:

1. It is _not_ (IP-)transparent
2. May require large routing tables (quite large in my case)
3. May require large ARP table (my case as well) which has to
be maintained
4. Can't be just dropped into an existing network (see 2. and 3.)

Regards,
Chris

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Gregory Maxwell: "Re: Measured overhead of timer interrupts"
Previous message: Gregory Maxwell: "Re: bridging and IP-filtering"