Please correct me if I'm wrong; however, methinks firewalls in general do not operate at the ARP/MAC level but rather at IP and the next layer (TCP, UDP). All the ARP/MAC stuff takes place at a lower network layer and should not enter the firewall picture at all.
I've never seen any settings for ARP/MAC stuff in any firewall I've ever used. Plenty of settings for IP and port stuff, though.

> -----Original Message-----
> From: Ryan Leathers [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 03, 2003 10:12 AM
> To: '[EMAIL PROTECTED]'
> Subject: [TriLUG] fIREWALL QUESTION
>
> The big question is: can Linux (firewall/NAT) respond to ARP requests
> for addresses not assigned to its own interfaces, then translate (NAT)
> the packets that follow?
>
> I am looking for a way to replace one of my current firewall products
> with a multi-interface Linux box. The goal is to increase my interface
> count to 5 and reduce licensing fees. There is a catch... I need to
> perform an unusual brand of NAT. I'm not sure if this will work on
> Linux.
>
> Requirements:
> I have two matching private networks and must static NAT between them.
> For example, 10.0.0.1 NATs to 10.0.0.1
> I have a public and a private network and must static NAT between them.
> For example, 10.0.0.1 NATs to 68.152.31.1
> I have multiple private networks that must be able to route via the
> firewall. For example 172.16.0.0 reaches 172.16.1.0 via 10.0.0.254
> Various rules are needed on each interface.
>
> This all seems very doable to me except for the first requirement I
> listed above. What's really going on here is that a number of hosts
> that used to be in a private network have been moved to another private
> network with the same addressing - which avoided renumbering them. Over
> time the new private network has grown and now has quite a large number
> of devices. Several hosts on the new private network need to be
> accessed from the old private network. The Linux box will need to
> respond, in the old network, to the ARPs against these several host
> addresses so that packets can be NATed and passed to the hosts in the
> new network. Since the address space is the same in both networks this
> has to be done by ARP (I suppose a less desirable approach would be to
> use static ARP cache entries where needed).
>
> Ryan

_______________________________________________
TriLUG mailing list
http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ: http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
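The quoted question, "can Linux respond to ARP requests for addresses not assigned to its own interfaces, then NAT the packets that follow", has a concrete answer on a current Linux box: `ip neigh add proxy ADDR dev IF` makes the kernel answer ARP for an address it does not own, netfilter's NETMAP target does 1:1 prefix translation, and `ip rule ... iif` routes by ingress interface when the same prefix sits on two sides. The script below is an added worked example and is not from the thread or from either poster. It assumes eth0 faces the old 10.0.0.0/24, eth1 the new 10.0.0.0/24 holding the moved hosts, eth2 the public side; that 10.200.0.0/24 is a free shadow range which hosts on the new network route back to this box; and that the 10.0.0.1 behind the 68.152.31.1 mapping lives on the old network. The moved-host list and all interface names are illustrative.

```sh
#!/bin/sh
# Added example (not from the thread): proxy ARP plus static NAT on a
# multi-homed Linux box for two private networks that share 10.0.0.0/24.
# Assumptions (illustrative, not from the original post): eth0 = old network,
# eth1 = new network, eth2 = public side, 10.200.0.0/24 is a free shadow
# range routed to this box by hosts on the new network, and the 10.0.0.1
# behind 68.152.31.1 sits on the old network.
OLD_IF=${OLD_IF:-eth0}
NEW_IF=${NEW_IF:-eth1}
PUB_IF=${PUB_IF:-eth2}
SHADOW=${SHADOW:-10.200.0.0/24}
MOVED_HOSTS=${MOVED_HOSTS:-"10.0.0.5 10.0.0.6"}   # assumed hosts that moved to the new network

# Execute a command, or only print it when DRY_RUN is set, so the whole
# rule set can be reviewed before it touches a production box.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Answer ARP on the old network for the addresses that now live on the
#    new one. Per-address proxy entries are used instead of the
#    net.ipv4.conf.<if>.proxy_arp sysctl so the box claims only the handful
#    of addresses it is meant to front, not the whole subnet.
proxy_arp_moved_hosts() {
    for h in $MOVED_HOSTS; do
        run ip neigh add proxy "$h" dev "$OLD_IF"
    done
}

# 2. The same prefix sits on two interfaces, so the main table cannot pick
#    an egress interface; route by the interface a packet arrived on instead.
#    Table 100 sends old-network ingress to the new network; table 101 sends
#    new-network and public ingress to the old network. A table with no
#    matching route falls through to the next rule, so other destinations
#    still use the main table.
policy_routing() {
    run ip route add 10.0.0.0/24 dev "$NEW_IF" table 100
    run ip route add 10.0.0.0/24 dev "$OLD_IF" table 101
    run ip rule add iif "$OLD_IF" lookup 100 priority 100
    run ip rule add iif "$NEW_IF" lookup 101 priority 101
    run ip rule add iif "$PUB_IF" lookup 101 priority 102
}

# 3. Old-network sources are rewritten 1:1 into the shadow range on the way
#    out to the new network (10.0.0.7 becomes 10.200.0.7), so a moved host
#    has an unambiguous address to reply to. Conntrack reverses the mapping
#    on replies before routing, so table 101 then sees the real 10.0.0.x.
overlap_nat() {
    run iptables -t nat -A POSTROUTING -o "$NEW_IF" -s 10.0.0.0/24 -j NETMAP --to "$SHADOW"
}

# 4. Ordinary public static NAT: claim 68.152.31.1 on the public wire,
#    DNAT inbound, SNAT connections that 10.0.0.1 opens outbound.
public_static_nat() {
    run ip neigh add proxy 68.152.31.1 dev "$PUB_IF"
    run iptables -t nat -A PREROUTING -i "$PUB_IF" -d 68.152.31.1 -j DNAT --to-destination 10.0.0.1
    run iptables -t nat -A POSTROUTING -o "$PUB_IF" -s 10.0.0.1 -j SNAT --to-source 68.152.31.1
}

# 5. Minimal forwarding policy: drop by default, allow replies, let the old
#    network reach only the moved hosts. FORWARD sees pre-NETMAP sources and
#    post-DNAT destinations, so plain addresses match here; tighten the
#    public rule to specific ports for real use.
forward_filter() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for h in $MOVED_HOSTS; do
        run iptables -A FORWARD -i "$OLD_IF" -o "$NEW_IF" -d "$h" -j ACCEPT
    done
    run iptables -A FORWARD -i "$PUB_IF" -d 10.0.0.1 -j ACCEPT
}

apply_all() {
    run sysctl -w net.ipv4.ip_forward=1
    # Strict reverse-path filtering does not consult the iif rules above and
    # would drop 10.0.0.x sources arriving on the "wrong" interface; use
    # loose mode on the two overlapping interfaces.
    run sysctl -w "net.ipv4.conf.$OLD_IF.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$NEW_IF.rp_filter=2"
    proxy_arp_moved_hosts
    policy_routing
    overlap_nat
    public_static_nat
    forward_filter
}

# Review first:   DRY_RUN=1 sh firewall.sh --apply
# Then, as root:  sh firewall.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_all
fi
```

The shadow range is the part the question hoped to avoid: the old network's hosts can keep ARPing for 10.0.0.5 and get the firewall's MAC, but a moved host replying to "10.0.0.7" would resolve that on its own wire, so the reply needs a destination that exists only on the firewall side. Mapping sources 1:1 keeps every old-network host individually addressable and auditable from the new side, which a single masquerade address would not.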
