Hi, Gilad!

On Wed, Aug 02, 2000 at 03:05:31PM +0300, you wrote the following:

> > > The easiest solution is:
> > > 
> > > 1. Install on the Firewall machine both the bridging patch and the IP
> > > firewalling on a bridge patch that can be found at
> > > http://www.openrock.net/bridge. 
> > > 
> > 
> > I never tried that one. Won't the bridging code bypass the forwarding
> > rules of the IP stack, as it works at the 2nd layer, before the TCP/IP
> > stack is used? That would defeat the purpose of a firewall, I think...
> > 
> 
> In the URL I gave there is a patch to allow filtering of IP packets (I
> should really say Ethernet frames containing IP packets) by IPchains when
> they pass through the bridging code. 
> 
> It works beautifully - really one of the coolest hacks I've seen. ;-)

I agree that this is an amazing hack; question is whether it's stable
enough to use on a production firewall. Let's not forget that it's not
even in the mainstream kernel yet (which may or may not be an
indicator).


-- 
Alex Shnitman                            | http://www.debian.org
[EMAIL PROTECTED], [EMAIL PROTECTED]   +-----------------------
http://alexsh.hectic.net    UIN 188956    PGP key on web page
       E1 F2 7B 6C A0 31 80 28  63 B8 02 BA 65 C7 8B BA

"Everything that can be invented has been invented."
        -- Charles Duell, head of the U.S. Patent Office, 1899
