Re: Firewall on a Debian Box.
erich> Let's say you have a router, you don't have access to, which
erich> expects being directly connected to your network. But you
erich> want all packets to go through a firewall. Usually you
erich> would just set a route on the router directing anything to
erich> the firewall box and all firewalled hosts use the firewall
erich> box as default gateway. But this doesn't work out as you
erich> cannot set the route on the router.
So far so good. Let us say the router expects the network a.b.c/24
on its internal ethernet interface. You make a.b.c.2 your firewall,
but now you need to tell the router that instead of putting the
traffic for a.b.c/24 on the ethernet it should send it to a.b.c.2.
The problem, as you point out, is that you cannot re-configure the
router to do this if you are not administering it. I think we
are in agreement so far. But:
erich> So you need to bridge
erich> over all packets from the router-firewall lan to the
erich> internal (firewalled) lan. This cannot be done by pure arp
erich> tricks. [...]
This is where we diverge. Suppose the router gets a packet with the
destination a.b.c.3 which now is behind the firewall a.b.c.2. The
router makes an arp query on the ethernet for a.b.c.3 because it
is configured to assume a.b.c.3 is on the ethernet. The
firewall responds to this query via proxy-arp thereby causing the
router to send it the packet. Once it grabs hold of the packet it can
filter and forward it.
This is my understanding of the mechanism, anyway. Am I missing anything?
I agree that a bridge might be more versatile, but for IP-only
proxy-arp should work.
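The ARP exchange described in the reply above, as an added illustration that is not part of the original thread: a small Python model of the proxy-ARP decision a firewall box makes when it sees a who-has request. It builds and parses raw Ethernet/ARP frames and answers, with its own MAC, only for addresses that really sit on the far side of the interface the request arrived on. Everything concrete here is assumed for the example: 192.0.2.0/24 stands in for the post's a.b.c/24 (router .1, firewall .2, filtered hosts .3 and .4), the MAC addresses and interface names eth0 (router side) and eth1 (inner side) are invented, and the requests are constructed in the code.

```python
"""Proxy-ARP responder logic for a firewall box sitting between a router and an
internal LAN that both believe they share a single Ethernet segment.
All addresses below are constructed for the example."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2

# 192.0.2.0/24 stands in for the post's a.b.c/24.
ROUTER_IP = "192.0.2.1"
FW_IP = "192.0.2.2"
FW_MAC = "02:00:00:00:00:02"  # hypothetical MAC of the firewall box

# Which addresses the firewall answers for on which interface.
# eth0 faces the router, eth1 faces the filtered hosts (both names assumed).
PROXY_TABLE = {
    "eth0": {"192.0.2.3", "192.0.2.4"},  # hosts that are really behind the firewall
    "eth1": {ROUTER_IP},                 # the router, as seen from the inner LAN
}


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet frame carrying an IPv4-over-Ethernet ARP packet.
    Requests are broadcast; replies go unicast to the target MAC."""
    dst_mac = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields as a dict, or None if the frame is not IPv4 ARP over Ethernet."""
    if len(frame) < 42:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def proxy_arp_reply(iface, frame, table=PROXY_TABLE, my_mac=FW_MAC):
    """Decide whether the firewall should answer an ARP request seen on `iface`.
    Returns the reply frame to send back out of `iface`, or None to stay silent."""
    arp = parse_arp(frame)
    if arp is None or arp["op"] != ARP_REQUEST:
        return None
    target = arp["target_ip"]
    # Gratuitous ARP / duplicate-address probes ask about the sender itself: never answer.
    if target == arp["sender_ip"]:
        return None
    # Only answer for hosts that are genuinely on the far side of this interface.
    if target not in table.get(iface, ()):
        return None
    # Claim the target IP with our own MAC so the requester hands the packet to us.
    return build_arp(ARP_REPLY, my_mac, target, arp["sender_mac"], arp["sender_ip"])


if __name__ == "__main__":
    # The router asks for .3 on the router-side segment (constructed request).
    req = build_arp(ARP_REQUEST, "02:00:00:00:00:01", ROUTER_IP, "00:00:00:00:00:00", "192.0.2.3")
    print(parse_arp(proxy_arp_reply("eth0", req)))
    print(proxy_arp_reply("eth1", req))  # None: on the inner LAN the real host answers
```

The per-interface table is the part that matters: the box must answer for a.b.c.3 only on the router side, and it must also answer for the router's address on the inner side, because the filtered hosts keep their old /24 and will ARP for the router directly (the reply above only discusses the router-to-host direction). On Linux the kernel does this itself once `net.ipv4.conf.<iface>.proxy_arp` is enabled and host routes tell it which addresses lie behind which interface; the route lookup plays the role of the table here.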