* Attila Nagy <[EMAIL PROTECTED]> [2001.11.29 14:30:56+0100]:
> > a firewall needs to have IP routing capabilities to be able to enforce
> > rules (same for a packet filter),
> ?
> A proxy firewall doesn't need to have IP routing capabilities (eg.
> forwarding packets between interfaces). And a proxy firewall is definitely
> a firewall. (Some people don't call packet filters firewalls, that's
> true; they mean a proxy under the term "firewall".)
a proxy operates on level 7, and even though it doesn't actually route IP
packets, it routes on the virtual level 8. IP routing is on level 3, MAC
address proxying happens on level 2. by the same analogy, you *can* view
proxies as routers on a level above the application protocol, but this is
going a little far i admit.

in any case, you are right... a proxy can be a firewall without routing
capabilities (it had better have no routing capabilities), but it still
needs two physically connected and *different* logical nets as it *does*
employ the kernel routing tables. moreover, if you accept the abstraction
of ISO/OSI that level 3 on one side talks to level 3 on the other side,
then even a proxy is a router...

> > but there is no IP routing going on as the network on one side of the
> > bridge is the *same* as the network on the other, for instance
> > 192.168.1.0/24.
> Why is IP routing so important if you want to build a packet filter?
> The goal is to have the ability to deny or allow packets through the
> device.

you are right, and i am liking the concept of this transparent firewall
the more i think about it. in fact, it becomes hard to argue against, and
i don't want to argue against it any more. my initial argument was that it
isn't a bridge anymore, and i still think i am right, especially because
cisco's pix, which is *not* a bridge but a firewall, can do the same. but
there is no use in conservatively sitting on definitions, a bridge with
iptables is wicked cool!

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" [EMAIL PROTECTED]

only through hard work and perseverance can one truly suffer.
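The "bridge with iptables" setup the thread ends on, written out as an added example; it is not part of the original mails or of any project they mention. It assumes eth0 faces outside, eth1 faces the inside LAN (the thread's 192.168.1.0/24), both are enslaved to a bridge br0 that carries no IP address, and a current kernel with br_netfilter and iproute2 rather than the 2001-era bridge-nf patch and brctl. The interface names, the bridge name and the web-server port rule are assumptions for illustration.

```shell
#!/bin/sh
# Transparent (bridging) firewall: the box has no IP address on the bridge,
# so it is invisible at layer 3 and never routes; iptables still sees every
# frame that crosses the bridge once br_netfilter hooks bridged IPv4 traffic.
#
#   sh bridgefw.sh apply              # configure (needs root)
#   DRY_RUN=1 sh bridgefw.sh apply    # print the commands instead of running them

OUTSIDE=${OUTSIDE:-eth0}                 # assumed: port facing the untrusted side
INSIDE=${INSIDE:-eth1}                   # assumed: port facing the LAN
BRIDGE=${BRIDGE:-br0}                    # assumed bridge name
INNER_NET=${INNER_NET:-192.168.1.0/24}   # the thread's example LAN

# run CMD...: execute the command, or just echo it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

bridge_setup() {
    # Make bridged frames traverse iptables; IP forwarding stays OFF because
    # nothing is routed, both ports sit on the same logical net.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run sysctl -w net.ipv4.ip_forward=0
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$OUTSIDE" master "$BRIDGE"
    run ip link set "$INSIDE" master "$BRIDGE"
    run ip link set "$OUTSIDE" up
    run ip link set "$INSIDE" up
    run ip link set "$BRIDGE" up
    # Deliberately no "ip addr add ... dev $BRIDGE": a bridge port with no
    # address cannot be addressed, scanned or used as a next hop.
}

firewall_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Anti-spoofing: rp_filter does nothing on a bridge (no routing decision
    # is ever made), so bind the inside prefix to the inside port explicitly.
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -s "$INNER_NET" -j DROP
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" ! -s "$INNER_NET" -j DROP
    # Replies to connections already allowed
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inside may initiate anything outward
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" --physdev-out "$OUTSIDE" -s "$INNER_NET" -j ACCEPT
    # Outside may only reach the assumed inside web server on tcp/80
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" --physdev-out "$INSIDE" -p tcp -d "$INNER_NET" --dport 80 -j ACCEPT
    # Log, then drop everything else (the policy is DROP too, belt and braces)
    run iptables -A FORWARD -j LOG --log-prefix "bridge-fw drop: "
    run iptables -A FORWARD -j DROP
}

case "${1:-}" in
    apply) bridge_setup && firewall_rules ;;
esac
```

Two caveats a practitioner should keep in mind: the rules go in FORWARD, not INPUT/OUTPUT, because the bridge code hands frames to the IP forward hook even though no routing happens; and br_netfilter only diverts IPv4 (and, with the matching sysctls, IPv6 and ARP) into the netfilter tables, so any other ethertype crosses the bridge unfiltered unless you add ebtables or nftables bridge-family rules for it.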