Hello Eric,
Very interesting, to have a patent without an implementation :)
The idea of an "invisible" network security device itself is not new (I
bet your mail to this list did pass through a few of them, including
some operated by the NSA). The entire patent however may describe
something new.
"Packets" are a layer3 concept. Ethernet is layer2, and there the data
units are called "frames". Confusingly, the documentation on Linux is in
the packet(7) manpage.
If you want to program this yourself, then have a look at the socket(2)
and packet(7) manpages as a starting point. The Ethernet interface
itself does need a little bit of configuration: all you need to do is
bring it up (ip link set eth0 up).
If your rules for filtering/blocking frames are more modest, then
you should use ebtables(8) instead of programming it yourself.
In both cases, you'll want to use brctl(8) to set up 2 network
interfaces as a bridge (switch).
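As an added example (not code from the thread, from Debian, or from the patent holder), the packet(7) route described above in C: a two-interface user-space bridge that reads raw frames on one port, runs each through a filter policy, and writes survivors out the other, with no IP address on either port. Assumptions: the interface names come from the command line, the process has CAP_NET_RAW, and the "pass IPv4 and ARP only" rule set is constructed purely for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <poll.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <net/if.h>

/* Policy on one frame: 1 = forward, 0 = drop. Constructed rule: only IPv4 and ARP pass. */
int frame_allowed(const uint8_t *frame, size_t len) {
    if (len < sizeof(struct ether_header)) return 0;        /* runt frame: drop */
    uint16_t type = ntohs(((const struct ether_header *)frame)->ether_type);
    return type == ETHERTYPE_IP || type == ETHERTYPE_ARP;
}

/* Raw socket bound to one interface, promiscuous so it sees frames for other hosts. */
int open_raw(const char *ifname) {
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL),
                               .sll_ifindex = if_nametoindex(ifname) };
    struct packet_mreq mr = { .mr_ifindex = sll.sll_ifindex, .mr_type = PACKET_MR_PROMISC };
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0 || sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0) {
        perror(ifname); if (fd >= 0) close(fd); return -1;
    }
    return fd;
}

/* Move one frame from in to out: 1 forwarded, 0 dropped, -1 error. Frames this process
 * sent come back as PACKET_OUTGOING; skipping them stops the two directions looping. */
int pump(int in, int out) {
    uint8_t buf[2048]; struct sockaddr_ll from; socklen_t fl = sizeof from;
    ssize_t n = recvfrom(in, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
    if (n <= 0) return -1;
    if (from.sll_pkttype == PACKET_OUTGOING || !frame_allowed(buf, (size_t)n)) return 0;
    return send(out, buf, (size_t)n, 0) == n ? 1 : -1;
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s IF_A IF_B\n", argv[0]); return 2; }
    int a = open_raw(argv[1]), b = open_raw(argv[2]); if (a < 0 || b < 0) return 1;
    struct pollfd pfd[2] = { { .fd = a, .events = POLLIN }, { .fd = b, .events = POLLIN } };
    while (poll(pfd, 2, -1) >= 0) {                          /* bridge both directions */
        if (pfd[0].revents & POLLIN) pump(a, b);
        if (pfd[1].revents & POLLIN) pump(b, a);
    }
    perror("poll"); return 1;
}
```

Both interfaces only need to be up (ip link set ethX up), never addressed; a frame that the policy rejects is simply never copied to the other side.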
On 07/10/13 16:21, Eric Barnes wrote:
Man - thanks so much for all the answers so quickly. Without going
into boring detail... I have a client that has a patent on a network
security device that he now wants me to build a prototype for. Part
of the patent states that the device is 'invisible' to the Internet
because it has no configured IP ports. It is supposed to sit INLINE
in the network somewhere (say between router and single PC) and
filter/block packets that come through it to the destination PC or
vice versa. It's kinda like a bridge (only with logic processing
during the bridge operation). If we address the ports, then I depart
from the patent and I have no idea what is allowed from a legal
standpoint in doing something like this. As a high level application
programmer (mostly Java for the past 15 years), I find myself woefully
short on the knowledge/experience to accomplish such a task.
But again - thanks all for the responses!
Eric
*From:* Keith Osborne [mailto:ke...@tdrnetworks.com]
*Sent:* Wednesday, July 10, 2013 8:56 AM
*To:* Eric Barnes
*Cc:* debian-firewall@lists.debian.org
*Subject:* Re: Ethernet with no IP address
Eric,
You'll need to enable IP forwarding in Debian and use IP tables to do
packet inspection and act on whatever rules you write.
I don't see how Debian can be part of the process without the packets
landing on a configured interface to examine the packets and then
forward them based on rules.
Keith
TDR Networks
[ hosting | e-commerce | custom development | linux | cisco ]
e:ke...@tdrnetworks.com <mailto:ke...@tdrnetworks.com>
w:http://www.tdrnetworks.com
On 10/07/2013 14:45, Eric Barnes wrote:
Greetings and Salutations;
Is it possible to access an Ethernet port in Debian WITHOUT it
being configured?
I would like a device that has two ports with no IPs and acts as a
SWITCH, but with logic to examine and act on packets as they come
through.
From the research I've done, this is not possible without
developing custom device driver and/or possibly changing part of
kernel.
Just looking for some confirmation either way from people that
know. :-)
Thanks,
Eric