Re: Linux Kernel firewalling.

On Wed, Mar 07, 2001 at 04:40:38PM +0100, J.R. de Jong wrote:
> I see. On this cluster I want to build we would only use TCP/UDP. I'm just
> concerned about if a linux firewall will still forward packets from some
> low level protocol even if the input and output chains are put to deny or
> reject.
> 
> I'm puzzled by this IT guy saying that switches talk some low level
> protocol which would propagate through our firewall and hence 'disturb'
> their network. I tend to say that that's nonsense. Isn't it so that the
> kernel does not forward packages it does not recognise anyway? Am I
> incorrect in assuming that no packages of _ANY_ protocol enter from the
> switch into the firewall and propagate to the other network when I put the
> default policies on reject/deny and that the switch and the cluster
> would be invisible? (The kernel would only be compiled with TCP support).

Well, let's see the sources:
 
net/core/dev.c

netif_rx() is the function drivers use to pass packets received up for
processing, routing included, and it just queues the skb for later
processing by net_rx_action, that's called by a tasklet in 2.4 and by the
net bottom half in 2.2.

net_rx_action() ... skipping to the part I think is relevant here ... ok,
loop through the netif_rx queued skbs (network packets) and... if #ifdef
CONFIG_NET_FASTROUTE is being used, which I think is not the case for you,
it just goes on and queues it for tx, hey, this is FAST routing 8), anyway,
not considering FASTROUTE, like most people, we reach the point where we
try to find if some compiled in or loaded as module protocol stack said
that it wants to process packets of this type, possibly routing it if
applicable, and you just compiled TCP/IP... another possibility is if you
compiled BRIDGE support, where it would pass the packets to the other net,
like your friend says, but you should look at the handle_bridge code to see
further details.

ARP, for example, is only relevant in the local network, not across
networks, AFAIK.

So, from what I've been learning so far, no, it'll not pass along unknown
packets if you don't configure BRIDGE or FASTROUTE.

Please, please, if somebody finds a mistake in my code analysis, just call
me stup^Wmistaken and share your knowledge with us 8)

- Arnaldo
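As an added illustration of the receive path Arnaldo walks through (this is a toy model written for this archive page, not his code and not the kernel's): handle_bridge() gets the frame first, then the ethertype lookup finds a registered handler or the frame is freed, and only the IP handler ever reaches the FORWARD chain. The ethertype constants follow linux/if_ether.h; struct cfg, the verdict names and the sample frames are constructed for the demo.

```c
/* Toy model of net_rx_action() dispatch as described in the post; not kernel
 * code.  Ethertype values follow linux/if_ether.h, everything else (struct
 * cfg, the verdicts, the sample frames in main) is constructed for this demo. */
#include <stdbool.h>
#include <stdio.h>
#define ETH_P_802_2 0x0004   /* 802.2 LLC frame, the kind a switch's STP uses */
#define ETH_P_IP    0x0800
#define ETH_P_ARP   0x0806
#define ETH_P_8021Q 0x8100   /* VLAN-tagged frame, no 8021q handler loaded here */
enum verdict { DROPPED, LOCAL, FORWARDED };
struct cfg {
    bool bridge;          /* CONFIG_BRIDGE compiled in and both ports enslaved */
    bool forward_accept;  /* FORWARD chain default policy: ACCEPT vs DENY/REJECT */
};
/* ip_rcv(): locally addressed packets go to INPUT; the rest are routed and
 * then filtered by the FORWARD chain's default policy. */
static enum verdict ip_rcv(const struct cfg *c, bool for_this_host)
{
    if (for_this_host)
        return LOCAL;
    return c->forward_accept ? FORWARDED : DROPPED;
}
/* arp_rcv(): ARP is answered for local interfaces only, never routed. */
static enum verdict arp_rcv(void) { return LOCAL; }
/* The path a received frame takes: handle_bridge() first, then the ptype
 * lookup; a frame that no registered stack claims is simply freed. */
enum verdict net_rx_action(const struct cfg *c, unsigned ethertype, bool for_this_host)
{
    if (c->bridge)
        return FORWARDED;             /* bridged at layer 2, chains never run */
    switch (ethertype) {
    case ETH_P_IP:  return ip_rcv(c, for_this_host);
    case ETH_P_ARP: return arp_rcv();
    default:        return DROPPED;   /* no handler registered: kfree_skb() */
    }
}
int main(void)
{
    /* Constructed sample: a router-only firewall with FORWARD policy DENY. */
    const struct cfg firewall = { .bridge = false, .forward_accept = false };
    const unsigned frames[] = { ETH_P_IP, ETH_P_ARP, ETH_P_802_2, ETH_P_8021Q };
    for (int i = 0; i < 4; i++)
        printf("ethertype 0x%04x -> %s\n", frames[i],
               net_rx_action(&firewall, frames[i], false) == DROPPED ? "dropped" : "kept");
    return 0;
}
```

Flip `bridge` to true and every frame, LLC included, is forwarded without any chain being consulted, which is the case Arnaldo's "look at handle_bridge" warning covers.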