Date: Mon, 5 Feb 2001 11:36:59 -0800 (PST)
From: Rich Wales <richw@webcom.com>
To: Julian Elischer <julian@elischer.org>
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: netgraph router? (was Re: BRIDGE breaks ARP?)
Message-ID: <20010205191633.48479.richw@wyattearp.stanford.edu>
In-Reply-To: <3A7EE540.AA3A1AF0@elischer.org>
Julian Elischer wrote:

> some people run a bridge between two ethernet segments,
> but give them different IP netranges, . . .

I suppose I could do this, provided I could specify a more-or-less arbitrary range or set of IP addresses for each segment. I can't do conventional IP subnetting (one subnet for each segment), because this approach takes up too many addresses for overhead (two addresses for the bridge, plus wasted addresses with "all zeroes" and "all ones" in the low-order host bits, and my DSL service only gives me five IP addresses to play with as it is).

> so how does bridging help?

By allowing my desktop machine to use a publicly accessible Internet address, even though there is a firewall between it and the outside.

My current bridge setup, in conjunction with IPFIREWALL, already does =almost= everything I need. The biggest problem I'm having right now is with ARP replies from (=not= through) the bridge box itself -- and I assume that will eventually get fixed, and I can work around that bug with an "arp -s" command until it is fixed. I'd also prefer being able to filter (and, potentially, block) ARP packets going through the bridge, but that feature isn't crucial for me, and I can live without it if necessary.

> In fact, it is possible you could run both the 10.x.x.x. net
> and the 'real' net on the same interface/cable and use the
> firewall to NAT them as well . . . .

As long as I don't have to depend on NAT for access to my desktop. As I explained earlier, I need to access some services from my desktop (Kerberos-based authentication and encryption stuff) that demand a straight end-to-end connection (no NAT, web proxies, etc.).

Getting back to my original question, though, I need some help understanding how I can =filter= IP packets going through a "netgraph" bridge -- that is, allow or block packets or streams based on things like the source and destination IP addresses, TCP/UDP port numbers, etc. -- the kind of thing which IPFIREWALL and IPFILTER can do, and which I (possibly mis?)understood that NETGRAPH cannot currently do.

I thought you were saying that there was in fact a way to do this sort of filtering on a netgraph bridge. If not, then the netgraph facility won't help me any. Sorry if I misunderstood your earlier message, or if you misunderstood my requirements.

Rich Wales
richw@webcom.com
http://www.webcom.com/richw/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message