
Re: IP masq (ipchains): masq whole LAN *except* some hosts?
Sorry that it took me so long to reply. I'm rather busy at the moment...

On Mon, 06 Dec 1999 14:09:38 +1100, Angus Lees wrote:

>On Mon, Dec 06, 1999 at 02:30:35AM +0100, Ralf G. R. Bergs wrote:
>> On Mon, 06 Dec 1999 10:37:31 +1100, Angus Lees wrote:
>> >ARP uses ARP, not ICMP  (assuming ipv4..)
>> >it happens at an ethernet broadcast level - any IP firewalling stuff
>> >never gets to see it
>> 
>> I see. Let me try to clarify this to see whether I've understood it: arp 
>> happens on a level *below* IP. Therefore arp PASSES my firewall, right?
>
>arp happens at the level below IP, therefore arp is _never_ forwarded
>by your firewall

I think I now understand it. For traffic of whatever kind to pass the 
firewall the latter has to actively forward packets, so if the firewall 
doesn't understand arp it can't forward it.

Have I got it right this time?

>arp packets (and their replies) stay on the ethernet broadcast network
>they were sent to. (which is a recursive definition, since this is
>also how the "ethernet broadcast network" is defined - but i think you
>understand what i mean)

Yup.

>do a "tcpdump arp" and "/usr/sbin/arp -a" and see what your networks
>look like from an ethernet hardware level

Thanks, will do when time permits again...

Thanks again for educating me.


-- 
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^
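As an added illustration (not part of this thread, and not Angus's or Ralf's code), here is a small Python model of the point made above: ARP lives in its own Ethernet frame type (0x0806), so a Linux box forwarding IP with ipchains never sees an ARP packet in its IP path; it only answers or caches ARP on the segment it arrived on, which is what `/usr/sbin/arp -a` reports. The frames, MAC addresses and IP addresses below are constructed sample data, and the "firewall path" function is an assumed simplification of the kernel's behaviour, not real kernel code.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806          # what "tcpdump arp" filters on
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + 28-byte ARP body. Requests go to the broadcast MAC,
    which is why they never leave the local segment."""
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, opcode)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Ethernet header + minimal 20-byte IPv4 header (ICMP, TTL 64, checksum left zero)."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip


def parse_ethernet(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype, frame[14:]


def parse_arp(payload):
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"opcode": opcode, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def firewall_path(frame):
    """Assumed simplification of a Linux router/firewall: the decision whether a
    frame can ever reach the IP forwarding code (and hence ipchains) is made on
    the Ethernet type, before any IP rule is consulted."""
    _, _, ethertype, _ = parse_ethernet(frame)
    if ethertype == ETHERTYPE_ARP:
        return "arp: answered or cached on this segment, never forwarded"
    if ethertype == ETHERTYPE_IPV4:
        return "ip: enters the IP stack, subject to forwarding and ipchains rules"
    return "other: not IP, nothing to forward"


def learn_arp_cache(frames):
    """Mimic what 'arp -a' would show after these frames were seen on one
    interface: ARP sender addresses are cached; IP frames add nothing."""
    cache = {}
    for frame in frames:
        _, _, ethertype, payload = parse_ethernet(frame)
        if ethertype == ETHERTYPE_ARP:
            pkt = parse_arp(payload)
            cache[pkt["sender_ip"]] = pkt["sender_mac"]
    return cache


# Constructed sample traffic: a host asks for its gateway's MAC, the gateway
# answers, then the host sends an IP packet that needs routing.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp_frame(ARP_REPLY, "00:aa:bb:cc:dd:ee", "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),
    build_ipv4_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "192.168.1.10", "10.0.0.5"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(firewall_path(f))
    print("arp -a would show:", learn_arp_cache(SAMPLE_FRAMES))
```

Running it shows the two ARP frames classified as link-local and only the IPv4 frame reaching the forwarding path, and the cache built from the ARP traffic is the same information `arp -a` would print for that interface.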