On 2006/10/12 15:26, Girish Venkatachalam wrote:
> 1) What exactly is the difference between tun(4), gif(4)
> and gre(4) interfaces?

tun(4) is a path between kernel and userland so that network
interfaces can be handled by user code rather than in-kernel.
It's used by ppp(8), OpenSSH and OpenVPN (and maybe others).
It can be used as part of a system to tunnel a network over
the internet but that's not the only thing it's for. It can
either work as an IP network, or as an ethernet-like network
(with the link0 flag) for forwarding broadcasts and the like.

gif(4) and gre(4) are various methods of tunneling one network
over another, there's no encryption built-in (but you can add it
by using IPsec) and they're handled in-kernel.

> Can't you have IPsec without using gif(4)? You can, right?

You can have IPsec without any tunnelling at all, it can
protect communications between any hosts with routable internet
addresses without tunnels, private networks, etc. Or you can
use it in tunnel mode to send comms between private networks
over a tunnel. Or you can use it to encrypt another type of
tunnel e.g. gif(4) or gre(4), which is helpful if you need
to pass broadcast traffic over an IPsec tunnel.

>       2) My second question relates to vlan(4).

This allows you to have many virtual network interfaces on
a single physical ethernet port. A tag is added to the ethernet
frames to indicate which vlan they belong to. vlan-capable
switches can be configured to add or remove tags from frames
arriving from or destined for the host connected to that port.
They're normally used with different subnets for each vlan.

>       I guess vlans can also be used to split an ethernet
> broadcast domain into multiple subnets. Does it help to do
> this for running pf on VLAN bridges?

If you have many machines on a single switch and want to
firewall one from another, you can place them in separate
vlans so they don't have direct connectivity between them,
place the pf box in both vlans (with an address on each
subnet) and packets between the vlans follow this path -
host1->switch->PF->switch->host2

>       I am a newbie to certain real world networking concepts
> since I have no hands on experience in network deployments.

Get a couple of old boxes (or even just virtual machines)
running and try things out. It's the only way to learn.
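As an added worked example (not part of the original post or of OpenBSD itself), the following POSIX sh script lays out the vlan-plus-pf arrangement described above: two vlan(4) interfaces on one physical port of the pf box, one address on each subnet, and a pf.conf fragment that blocks everything by default and passes only one service between the two vlans, so inter-vlan traffic must take the host1->switch->PF->switch->host2 path. The interface name em0, tags 10 and 20, the 10.0.10.0/24 and 10.0.20.0/24 subnets and port 22 are assumptions chosen for illustration; the hostname.if(5) layout emitted here (one `vlan ... vlandev ...` line followed by an `inet` line) is the multi-line form, so check hostname.if(5) on your release if it still uses the single-line form.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Generates OpenBSD hostname.if(5) contents for two vlan(4) interfaces on a
# single pf box and a matching pf.conf(5) fragment. Interface names, tags,
# subnets and the service port are assumptions for illustration only.

# Reject tags outside the 802.1Q range 1-4094 (0 and 4095 are reserved).
validate_vlan_tag() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Emit the contents of /etc/hostname.vlan<tag> for a vlan on parent <dev>.
# Usage: gen_vlan_if <tag> <parent-dev> <ipv4-addr> <netmask>
gen_vlan_if() {
    validate_vlan_tag "$1" || { echo "bad vlan tag: $1" >&2; return 1; }
    printf 'vlan %s vlandev %s\ninet %s %s\n' "$1" "$2" "$3" "$4"
}

# Emit a pf.conf fragment: default deny (logged), then pass only <svc_port>/tcp
# from the client vlan into the server vlan; return traffic rides on state.
# Usage: gen_pf_rules <client-if> <client-net> <server-if> <server-net> <svc_port>
gen_pf_rules() {
    cat <<EOF
block log all
pass in on $1 proto tcp from $2 to $4 port $5 keep state
pass out on $3 proto tcp from $2 to $4 port $5 keep state
EOF
}

# Demo: pf box has vlan10 (10.0.10.1) and vlan20 (10.0.20.1) on em0, and
# only ssh from the 10.0.10.0/24 vlan to the 10.0.20.0/24 vlan is allowed.
main() {
    echo '# /etc/hostname.vlan10'
    gen_vlan_if 10 em0 10.0.10.1 255.255.255.0
    echo '# /etc/hostname.vlan20'
    gen_vlan_if 20 em0 10.0.20.1 255.255.255.0
    echo '# pf.conf fragment'
    gen_pf_rules vlan10 10.0.10.0/24 vlan20 10.0.20.0/24 22
}

main
```

The point of `block log all` first is that a host in vlan10 has no layer-2 path to vlan20 at all; the only way across is through the pf box, so the pass rules are the complete list of what may cross, and anything else shows up in pflog.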
