On Tue, Dec 1, 2009 at 5:22 PM, John Carter <john.car...@tait.co.nz> wrote:
> Firewalls leak tiny bits of info at the MAC level, even if they
> reject everything at the IP level.
That's probably because the 'firewall' employed by Linux/OpenWRT is called 'IP Tables', and has to receive an IP packet in order to decide what to do; and on Ethernet that means ARP has to complete first. Real network-level firewalls give you much lower-level controls, should you need them. There are still some limits regarding what you need to do in order to receive data, and some hacks to get around that; but in an Ethernet network that leakage can be restricted to just the nearest switch.

IP Tables is basically a host firewall, and the host can also be a router if it likes; but that doesn't make it real network equipment. However, if all you're doing is running IP networks, the difference is small enough to be ignored in most cases.

Oh, and as an aside: please allow your network edge devices to respond to ping. It's very difficult to tell the difference between an ISP-link failure (i.e. a non-IP network) and a firewall failure if the damn firewall won't respond to ping when everything is working normally ...

-jim
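The two points above (a Linux firewall only sees traffic once ARP has completed, and an edge device should still answer ping) can both be addressed in one nftables ruleset, the successor to iptables on the same hosts. This is an added example, not a configuration from the thread or from OpenWRT; it assumes the WAN interface is `eth0` and uses `00:11:22:33:44:55` as a placeholder for the ISP gateway's MAC address.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumptions: WAN interface is eth0,
# ISP gateway MAC is 00:11:22:33:44:55 (placeholder, replace on a real box).
flush ruleset

# Layer-2 half: the ip/inet families never see ARP, so a separate arp-family
# table is needed to limit who can learn that this host exists at the MAC level.
table arp wan {
    chain input {
        type filter hook input priority filter; policy drop;
        # Leave LAN-side ARP alone; only the WAN port is constrained here.
        iifname != "eth0" accept
        # On the WAN side, only the upstream gateway may ARP for us or answer us.
        iifname "eth0" ether saddr 00:11:22:33:44:55 accept
    }
}

# Layer-3 half: default deny, but keep echo-request answered so an ISP link
# fault can be told apart from a firewall fault (the "please allow ping" point).
table inet edge {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Rate-limited ping from the WAN side: enough for monitoring, not for flooding.
        iifname "eth0" icmp type echo-request limit rate 10/second accept
        iifname "eth0" icmpv6 type echo-request limit rate 10/second accept
        # IPv6 neighbour discovery is the v6 equivalent of ARP and must stay open
        # or the link will not come up at all.
        iifname "eth0" icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # Everything else on the WAN side is logged and falls to the drop policy.
        iifname "eth0" log prefix "wan-drop: " level info
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`; the arp table is the part an iptables-only setup cannot express, which is why the MAC-level leakage the thread describes is still visible to the nearest switch even with this in place.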