Re: Firewall on a debian Box.

[Bulent Murtezaoglu <bm@acm.org>]

    erich> Let's say you have a router, you don't have acces to, which
    erich> expects being directly connected to your network.  But you
    erich> want all packets to go through a firewall.  Usually you
    erich> would just set a route on the router directing anything to
    erich> the firewall box and all firewalled hosts use the firewall
    erich> box as default gateway.  But this doesn't work out as you
    erich> cannot set the route on te router.  

So far so good.  Let us say the router expects the network a.b.c/24
on its internal ethernet interface.  You make a.b.c.2 your firewall
and but now you need to tell the router that instead of putting the
traffic for a.b.c/24 on the ethernet it should send it to a.b.c.2 .
The problem, as you point out, is that you cannot re-configure the 
router to do this if you are not administering it.  I think we
are in agreement so far. But:

    erich> So you need to bridge
    erich> over all packets from the router-firewall lan to the
    erich> interal 8firewalled) lan.  This cannot be done by pure arp
    erich> tricks.  [...]

This is where we diverge.  Suppose the router gets a packet with the
destination a.b.c.3 which now is behind the firewall a.b.c.2.  The
router makes an arp query on the ethernet for a.b.c.3 because it
is configured to assume a.b.c.3 is on the ethernet.  The
firewall responds to this query via proxy-arp thereby causing the 
router to send it the packet.  Once it grabs hold of the packet it can
filter and forward it.

This is my understanding of the mechanism, anyway.  Am I missing anything?
I agree that a bridge might be more versatile, but for IP-only
proxy-arp should work.

BM