Barak Rosenberg wrote:

> I have problems using a stand-alone configuration, which means using brctl
> and ipchains in our LRP Linux system.

Are you using the new bridge patch for the 2.2.x kernels or the old
bridge code that comes with 2.2.x?

> I managed to load the instance of the bridge, and even send pings outside
> using my Linux, through the bridge (the bridge instance connected to eth0
> and eth1). I'm probably not using the ipchains right, with the input,
> output, and forward. I need to transfer everything that is not on port 443
> (SSL) through the Linux machine, and port 443 inside the machine using
> apache.

If I understand correctly what you want to do (a transparent proxy for
SSL connections that works on layer II) then it can't be done, for two
reasons:

1.  Although a patch exists to let ipchains packet-filter packets that
traverse the bridge, what you want (the docs call this redirection)
requires changing the packet, which is very easily done with ipchains for
IP traffic, but when you work with ipchains on the bridge you work one
layer downwards and you need to change the packet's (actually the
Ethernet frame's?) destination MAC address, which is slightly more
problematic.

It can be done by writing a special kernel module (that will inject
changed packets into the IP stack) but is not supported by the "regular"
ipchains + bridge patch. You can do that with ipchains in layer 3 and use
the Linux box as your gateway, but don't bother, because:

2. You can't do a transparent proxy for SSL because doing so amounts to a
"man in the middle" attack on the protocol, which means that if you
succeed in building something that works you've practically made SSL
useless ;-)

Hope this helps,

Gilad


-- 
Gilad Ben-Yossef <[EMAIL PROTECTED]> 
http://benyossef.com :: +972(54)756701
"Don't confuse me with facts, my mind's already made up!"
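To make point 1 of Gilad's reply concrete, here is an added example (not code from the thread, and unrelated to the bridge patch or ipchains themselves) that decodes an Ethernet/IPv4/TCP frame the way a bridge-level filter sees it and applies the policy Barak describes: TCP to port 443 goes to the local stack, everything else is bridged through. The frames, MAC addresses and IP addresses are constructed sample data, and `bridge_mac` is an assumed parameter standing in for the bridge's own address. The check on the destination MAC shows where layer-2 filtering stops short of redirection: a frame for port 443 that is addressed to another host's MAC would have to be rewritten before the local IP stack would accept it, and a plain filter only passes or drops.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header bytes.
    Returns 0 when run over a header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: bytes, dst_ip: bytes,
                sport: int, dport: int) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP SYN frame (constructed sample data,
    not a capture). MACs are 6 raw bytes, IPs are 4 raw bytes."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     PROTO_TCP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Decode the layer-2 fields a bridge sees, then the IPv4/TCP fields a
    packet filter on the bridge would need. Raises ValueError on malformed input."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short for Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info  # ARP and other non-IP frames carry no port; the bridge just forwards them
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("missing or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    info.update({"src_ip": ".".join(map(str, ip[12:16])),
                 "dst_ip": ".".join(map(str, ip[16:20])),
                 "proto": ip[9]})
    if ip[9] == PROTO_TCP:
        if len(ip) < ihl + 4:
            raise ValueError("truncated TCP header")
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


def bridge_policy(frame: bytes, bridge_mac: bytes, local_port: int = 443) -> str:
    """Policy from the thread: TCP to local_port is for the local Apache,
    everything else crosses the bridge unchanged.
    'needs-l2-redirect' marks the case a bridge-level filter cannot handle:
    the frame is for the right port but addressed to another host's MAC."""
    info = parse_frame(frame)
    if info.get("proto") == PROTO_TCP and info.get("dport") == local_port:
        if info["dst_mac"] == bridge_mac.hex(":"):
            return "local"
        return "needs-l2-redirect"
    return "bridge"


if __name__ == "__main__":
    # Constructed addresses: locally administered MACs and RFC 1918 IPs.
    bridge = bytes.fromhex("0200000000aa")
    server = bytes.fromhex("0200000000bb")
    client = bytes.fromhex("0200000000cc")
    lan_client, lan_server = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])
    for dst, port in ((bridge, 443), (server, 443), (server, 80)):
        f = build_frame(dst, client, lan_client, lan_server, 40000, port)
        print(port, dst.hex(":"), "->", bridge_policy(f, bridge))
```

Running the module prints the decision for three constructed frames: port 443 addressed to the bridge's own MAC is delivered locally, port 443 addressed to another host is flagged as needing a layer-2 rewrite, and port 80 is simply bridged. The checksum verification in `parse_frame` is the same arithmetic any header rewrite would have to redo, which is one reason redirection is straightforward at layer 3 (where the kernel already does it) and awkward in a bridge-level filter.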
