On Thu, Oct 12, 2006 at 12:44:39PM +0100, Stuart Henderson wrote:
> On 2006/10/12 15:26, Girish Venkatachalam wrote:
> > 1) What exactly is the difference between tun(4), gif(4)
> > and gre(4) interfaces?
>
> tun(4) is a path between kernel and userland so that network
> interfaces can be handled by user code rather than in-kernel.
> It's used by ppp(8), OpenSSH and OpenVPN (and maybe others).
> It can be used as part of a system to tunnel a network over
> the internet but that's not the only thing it's for. It can
> either work as an IP network, or as an ethernet-like network
> (with the link0 flag) for forwarding broadcasts and the like.
>
> gif(4) and gre(4) are various methods of tunneling one network
> over another, there's no encryption built-in (but you can add it
> by using IPsec) and they're handled in-kernel.
>
> > Can't you have IPsec without using gif(4)? You can, right?
>
> You can have IPsec without any tunnelling at all, it can
> protect communications between any hosts with routable internet
> addresses without tunnels, private networks, etc. Or you can
> use it in tunnel mode to send comms between private networks
> over a tunnel. Or you can use it to encrypt another type of
> tunnel e.g. gif(4) or gre(4), which is helpful if you need
> to pass broadcast traffic over an IPsec tunnel.
>
> > 2) My second question relates to vlan(4).
>
> This allows you to have many virtual network interfaces on
> a single physical ethernet port. A tag is added to the ethernet
> frames to indicate which vlan they belong to. vlan-capable
> switches can be configured to add or remove tags from frames
> arriving from or destined for the host connected to that port.
> They're normally used with different subnets for each vlan.
>
> > I guess vlans can also be used to split an ethernet
> > broadcast domain into multiple subnets. Does it help to do
> > this for running pf on VLAN bridges?
>
> If you have many machines on a single switch and want to
> firewall one from another, you can place them in separate
> vlans so they don't have direct connectivity between them,
> place the pf box in both vlans (with an address on each
> subnet) and packets between the vlans follow this path -
> host1->switch->PF->switch->host2
>
> > I am a newbie to certain real world networking concepts
> > since I have no hands-on experience in network deployments.
>
> Get a couple of old boxes (or even just virtual machines)
> running and try things out. It's the only way to learn.
Stuart,
I have no words to thank you enough. :-)
Appreciate your graciousness, patience and kindness.
I also take this opportunity to thank everyone else who responded
to my mail.
Most of the cloud in my brain is removed now. The remaining will
disappear the moment I get my hands dirty as Stuart suggested.
Long guys.
regards,
Girish
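The 802.1Q tagging that Stuart describes above (a tag inserted into the Ethernet frame naming its VLAN, and access ports on a switch adding or stripping that tag so hosts in different VLANs never see each other's frames directly) can be worked through in a few lines. The block below is an added example, not code from the thread or from OpenBSD's vlan(4): it parses, pushes and pops an 802.1Q tag and then models an access port's ingress and egress so the host1->switch->PF->switch->host2 isolation is visible. The MAC addresses, the ARP payload and the VLAN numbers 10 and 20 are constructed sample data.

```python
import struct

ETH_P_8021Q = 0x8100            # TPID that marks a tagged frame
ETH_P_ARP = 0x0806
ETH_HDR = struct.Struct("!6s6sH")   # dst, src, ethertype (14 bytes)
VLAN_TAG = struct.Struct("!HH")     # TCI (pcp:3 dei:1 vid:12), inner ethertype


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vid, pcp, ethertype, payload).

    vid is None for an untagged frame. A truncated header or tag is an error
    rather than a silent mis-parse.
    """
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    off = ETH_HDR.size
    vid, pcp = None, 0
    if ethertype == ETH_P_8021Q:
        if len(frame) < off + VLAN_TAG.size:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = VLAN_TAG.unpack_from(frame, off)
        vid = tci & 0x0FFF
        pcp = tci >> 13
        off += VLAN_TAG.size
    return dst, src, vid, pcp, ethertype, frame[off:]


def push_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the source MAC (what a switch does on ingress)."""
    dst, src, old_vid, _, ethertype, payload = parse_frame(frame)
    if old_vid is not None:
        raise ValueError("frame is already tagged")
    if not 1 <= vid <= 4094:            # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN id out of range")
    tci = ((pcp & 0x7) << 13) | vid
    return ETH_HDR.pack(dst, src, ETH_P_8021Q) + VLAN_TAG.pack(tci, ethertype) + payload


def pop_tag(frame):
    """Remove the 802.1Q tag, restoring the plain frame (switch egress to a host)."""
    dst, src, vid, _, ethertype, payload = parse_frame(frame)
    if vid is None:
        raise ValueError("frame is not tagged")
    return ETH_HDR.pack(dst, src, ethertype) + payload


def access_port_ingress(frame, pvid):
    """A host's untagged frame enters the switch and is stamped with the port's VLAN."""
    return push_tag(frame, pvid)


def access_port_egress(tagged_frame, pvid):
    """Deliver the frame to the host on this port only if it belongs to the port's
    VLAN; frames from another VLAN are dropped, which is why host1 and host2 in
    different VLANs cannot reach each other without going through the pf box."""
    _, _, vid, _, _, _ = parse_frame(tagged_frame)
    if vid != pvid:
        return None
    return pop_tag(tagged_frame)


# Constructed sample frame: an ARP broadcast from host1 (addresses are made up).
HOST1_MAC = bytes.fromhex("02000000000a")
BROADCAST = b"\xff" * 6
SAMPLE_FRAME = ETH_HDR.pack(BROADCAST, HOST1_MAC, ETH_P_ARP) + b"\x00\x01\x08\x00" + b"\x00" * 24


def demo():
    """host1 on VLAN 10 broadcasts; the switch delivers it to a VLAN 10 port
    and drops it at a VLAN 20 port. Returns (vid seen on the trunk, delivered
    copy on the VLAN 10 port, result at the VLAN 20 port)."""
    tagged = access_port_ingress(SAMPLE_FRAME, pvid=10)
    vid = parse_frame(tagged)[2]
    same_vlan = access_port_egress(tagged, pvid=10)
    other_vlan = access_port_egress(tagged, pvid=20)
    return vid, same_vlan, other_vlan


if __name__ == "__main__":
    vid, same_vlan, other_vlan = demo()
    print("trunk carries VLAN", vid)
    print("VLAN 10 port delivers original frame:", same_vlan == SAMPLE_FRAME)
    print("VLAN 20 port delivers:", other_vlan)
```

On a real OpenBSD box the push and pop happen inside vlan(4) and the switch ASIC; the point of the model is that the only path from VLAN 10 to VLAN 20 is a box with an interface (and an address) in each, which is where pf gets its chance to filter.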