
Re: iptables with a linux bridge



* Jeremy T. Bouse <jbouse@debian.org> [2001.11.28 09:07:53-0800]:
> 	If I'm not mistaken I believe the bridging code runs before
> the firewall code so the bridging by-passes the firewall filters 
> completely... Please if I'm incorrect in this would someone care to
> correct me but that is what information I've found through my research
> on the subject...

you are absolutely correct. it doesn't run "before" the firewall
rules, it runs at the data-link level and is concerned with frames
only. frames encapsulate packets (e.g. IP), but an ethernet frame,
which is what bridges work with, has no clue and doesn't care about IP
addresses. so the packet comes in, traverses from level 1 to level 2
in the ISO/OSI abstraction model, then the bridge decides which
physical network card the destination MAC address is on (limiting my
example to Ethernet), and then sends it back out or drops it
accordingly. with bridging code installed, the computer never knows
about the IP packets, or at least it cannot influence them.

also, bridges connect physically separate network segments that are
*in the same* logical subnet. they are merely used for segmentation in
heavily broadcast or otherwise really busy nets. a firewall needs to
have IP routing capabilities to be able to enforce rules (same for a
packet filter), but there is no IP routing going on as the network on
one side of the bridge is the *same* as the network on the other, for
instance 192.168.1.0/24.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
when compared to windoze, unix is an operating system.
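As an added illustration of the layer-2 behaviour described above (example code, not part of the original post or written by its author): a minimal learning bridge that decides where to send an Ethernet frame purely from the destination MAC address and its learned MAC-to-port table, while an IP-layer check beside it shows what a packet filter would have to parse instead. The frames, MAC addresses, port names and IP addresses are constructed sample data; `build_ipv4_frame`, `LearningBridge` and `ip_addresses` are hypothetical helpers written for this example.

```python
"""Added example (not from the mailing-list post): a toy learning bridge
that forwards by destination MAC only and never inspects the IP header,
beside an IP-layer helper showing what a packet filter would look at.
All addresses and frames below are constructed sample data."""
import ipaddress
import struct

BROADCAST = b"\xff\xff\xff\xff\xff\xff"
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' into its 6-byte form."""
    return bytes.fromhex(text.replace(":", ""))


def build_ipv4_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
                     payload: bytes = b"") -> bytes:
    """Build an Ethernet II frame carrying a minimal IPv4 header (constructed
    sample data; the IP checksum is left zero because nothing here verifies it)."""
    total_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload


def parse_frame(frame: bytes):
    """Split an Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return frame[:6], frame[6:12], ethertype, frame[14:]


def ip_addresses(frame: bytes):
    """What an IP-layer filter would need: (src_ip, dst_ip) of an IPv4 frame, else None."""
    _dst, _src, ethertype, payload = parse_frame(frame)
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return None
    return (str(ipaddress.IPv4Address(payload[12:16])),
            str(ipaddress.IPv4Address(payload[16:20])))


class LearningBridge:
    """Learning bridge: remembers which port each source MAC was seen on and
    forwards, floods or drops a frame based on the destination MAC alone."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.fdb = {}  # forwarding database: MAC -> port

    def forward(self, in_port: str, frame: bytes):
        """Return the list of ports the frame is sent out on ([] means dropped)."""
        dst, src, _ethertype, _payload = parse_frame(frame)
        self.fdb[src] = in_port                      # learn the sender's port
        if dst == BROADCAST or dst not in self.fdb:  # unknown or broadcast: flood
            return [p for p in self.ports if p != in_port]
        out_port = self.fdb[dst]
        if out_port == in_port:                      # same segment: nothing to do
            return []
        return [out_port]                            # known unicast destination


def demo():
    """Two hosts on 192.168.1.0/24, one per bridge port; the bridge's decisions
    depend on MACs only, so the IP header contents never change the outcome."""
    br = LearningBridge(["eth0", "eth1"])
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    # A -> B while B is still unknown: flooded out every other port
    d1 = br.forward("eth0", build_ipv4_frame(host_b, host_a, "192.168.1.10", "192.168.1.20"))
    # B -> A: A was learned on eth0, so this is a plain unicast forward
    d2 = br.forward("eth1", build_ipv4_frame(host_a, host_b, "192.168.1.20", "192.168.1.10"))
    # A -> B with an IP source outside the subnet: the bridge forwards it exactly
    # as before, because only an IP-aware filter would ever see that address
    f3 = build_ipv4_frame(host_b, host_a, "10.0.0.1", "192.168.1.20")
    d3 = br.forward("eth0", f3)
    return d1, d2, d3, ip_addresses(f3)


if __name__ == "__main__":
    print(demo())
```

The third frame is the point of the post: the bridge's answer is identical to the first, because its forwarding database is keyed by MAC and nothing in `forward` ever reads past byte 14 of the frame. Only `ip_addresses`, which a router or packet filter would run, sees the `10.0.0.1` source that a rule could match on.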
