Re: iptables with a linux bridge

To: Attila Nagy <bra@fsn.hu>
Cc: debian-security@lists.debian.org
Subject: Re: iptables with a linux bridge
From: martin f krafft <madduck@madduck.net>
Date: Thu, 29 Nov 2001 15:45:06 +0100
Message-id: <[🔎] 20011129154506.C11113@fishbowl.madduck.net>
Mail-followup-to: Attila Nagy <bra@fsn.hu>, debian-security@lists.debian.org
In-reply-to: <[🔎] Pine.LNX.4.40.0111291428150.1231-100000@scribble.fsn.hu>
References: <[🔎] 20011129041917.D26177@fishbowl.madduck.net> <[🔎] Pine.LNX.4.40.0111291428150.1231-100000@scribble.fsn.hu>

* Attila Nagy <bra@fsn.hu> [2001.11.29 14:30:56+0100]:
> > a firewall needs to have IP routing capabilities to be able to enforce
> > rules (same for a packet filter),
> ?
> A proxy firewall doesn't need to have IP routing capabilities (eg.
> forwarding packet between interfaces). And a proxy firewall is definietly
> a firewall. (some people doesn't call packet filters as firewalls, that's
> true, they mean a proxy under the term: firewall)

a proxy operates on level 7, and even though it doesn't actually route
IP packets, it routes on the virtual level 8. IP routing is on level
3, MAC address proxying happens on level 2. By the same analogy, you
*can* view proxies as routers on a level above the application
protocol, but this is going a little far i admit.

in any case, you are right... a proxy can be a firewall without
routing capabilities (it better have no routing capabilities), but it
still needs two physically connected and *different* logical nets as
it *does* employ the kernel routing tables. moreover, if you accept
the abstraction of ISO/OSI that level 3 on one side talks to level 3
on the other side, then even a proxy is a router...

> > but there is no IP routing going on as the network on one side of the
> > bridge is the *same* as the network on the other, for instance
> > 192.168.1.0/24.
> Why does IP routing is so important if you want to build a packet filter?
> The goal is to have the ability to deny or allow packets through the
> device.

you are right, and i am liking the concept of this transparent
firewall the more i think about it. in fact, it becomes hard to argue
against. and i don't want to argue against it no more. my initial
argument was that it isn't a bridge anymore, and i still think i am
right, especially because cisco's pix, which is *not* a bridge but a
firewall, can do the same. but there is no use in conservatively
sitting on definitions, a bridge with iptables is wicked cool!

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
only through hard work and perseverance can one truly suffer.

Attachment: pgpKRrURM5uYW.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: iptables with a linux bridge
  - From: François Bayart <francois@avenceprod.com>

References:
- Re: iptables with a linux bridge
  - From: martin f krafft <madduck@madduck.net>
- Re: iptables with a linux bridge
  - From: Attila Nagy <bra@fsn.hu>

Prev by Date: Re: shutdown user and accountability
Next by Date: passwords and crypt?
Previous by thread: Re: iptables with a linux bridge
Next by thread: Re: iptables with a linux bridge
Index(es):
- Date
- Thread