Re: Linux Kernel firewalling.

On Wed, Mar 07, 2001 at 09:10:49AM -0800, Stephen Satchell wrote:
> At 02:34 PM 3/7/01 +0100, J.R. de Jong wrote:
> >I've got a question concerning firewalling. ICMP, UDP and TCP can be
> >filtered out with ipchains/iptables, but what about IPX, ARP, netbios and
> >such? To make my question more clear let me explain what I want.
> 
> ARP does not propagate across network segments.  I never enable IPX in my

unless you bridge or proxyarp, but in that case it's deliberate :]

> >We have a network connected to the internet. Inside this network I want to
> >put a firewall. This firewall has two network adapters each with a
> >different network. The first is connected to the network and the other is
> >connected to a switch. On this switch we have a (beowulf) cluster of
> >machines.
> 
> So you have Internet <-> campus network <-> firewall <-> Beowulf cluster
> with switch
> 
> >Now, if I disable IP forwarding and make the firewall airtight in the
> >sense that I use ipchains to deny any traffic between the networks does
> >anything low level from the switch or whatever still propagate to the
> >other network?

AFAIK ipchains will only filter IP traffic.  You can use --proto to pick
out/block "subprotocols" in IP (like TCP, UDP, ICMP, IGMP and others),
but it doesn't extend beyond IP.  I think there was a posting recently
on linux-kernel from someone working on MAC-level filtering.  If I can
dig up an archive URL I will post it here.

> >Our IT people are against this setup and want to maintain the switch
> >themselves (which means it should be accessible to them) for the reason
> >that, as they say, it is still possible that this switch can cause hiccups
> >in their network.
> 
> Then they don't understand firewalls, period.  If the IP addresses you use
> inside the firewall aren't routable (like net 10, the network I usually use

10/8 is perfectly routable.  Most (no, unfortunately not all) internet
routers just drop it however.

> computer, in either direction.  Indeed, your IT people won't be able to
> affect the Beowulf cluster, the result I believe you desire.

isn't this every non-IT person's dream ? ;D

j.

-- 
all your base are belong to us!
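The point made in the reply above (an IP-layer filter such as ipchains can distinguish IP subprotocols with --proto, but never sees ARP, IPX or 802.3/LLC frames) is illustrated by the following added example, which is not code from the thread. It parses constructed Ethernet frames and reports which ones an IP-only filter could act on; the MAC and IP addresses and the helper names are assumptions made for the demonstration.

```python
import struct

# EtherType values (IEEE registry). Only IPv4 frames are visible to an IP-layer
# filter such as ipchains; ARP, IPX and 802.3/LLC frames are not.
ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPX = 0x0800, 0x0806, 0x8137
IP_PROTO = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}  # what --proto can match


def classify_frame(frame: bytes) -> dict:
    """Describe one Ethernet frame as seen from an IP-layer filter."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "ip_filterable": False}
    if etype <= 1500:  # IEEE 802.3 length field: LLC payload (NetBIOS/NetBEUI)
        info["layer"] = "802.3/LLC"
    elif etype == ETHERTYPE_IPV4:
        ihl = frame[14] & 0x0F
        if (frame[14] >> 4) != 4 or ihl < 5 or len(frame) < 14 + ihl * 4:
            raise ValueError("truncated or malformed IPv4 header")
        proto = frame[14 + 9]  # IP protocol field sits at offset 9 of the header
        info.update(layer="ipv4", ip_filterable=True, proto=IP_PROTO.get(proto, str(proto)))
    elif etype == ETHERTYPE_ARP:
        info["layer"] = "arp"
    elif etype == ETHERTYPE_IPX:
        info["layer"] = "ipx"
    else:
        info["layer"] = f"ethertype 0x{etype:04x}"
    return info


def audit(frames: dict) -> dict:
    """Per-frame classification plus the names that bypass an IP-only filter."""
    seen = {name: classify_frame(f) for name, f in frames.items()}
    return {"frames": seen, "bypass": sorted(n for n, i in seen.items() if not i["ip_filterable"])}


# Constructed sample frames (not captured traffic), locally administered MACs.
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def _eth(etype: int, payload: bytes) -> bytes:
    return MAC_B + MAC_A + struct.pack("!H", etype) + payload

# 20-byte IPv4 header, protocol 17 (UDP), checksum left zero, 8-byte UDP stub.
_ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                    bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + b"\0" * 8
# ARP request: hardware type 1, protocol 0x0800, hlen 6, plen 4, opcode 1.
_arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + MAC_A + bytes([10, 0, 0, 1])
        + b"\0" * 6 + bytes([10, 0, 0, 2]))
SAMPLE_FRAMES = {
    "udp": _eth(ETHERTYPE_IPV4, _ipv4),
    "arp": _eth(ETHERTYPE_ARP, _arp),
    "ipx": _eth(ETHERTYPE_IPX, b"\xff\xff" + b"\0" * 28),
    "netbios": _eth(46, b"\xf0\xf0\x03" + b"\0" * 43),  # 802.3 length + LLC SAP 0xF0
}
```

Running `audit(SAMPLE_FRAMES)` lists arp, ipx and netbios under "bypass": with IP forwarding off and ipchains denying everything, those frames are still not something ipchains decides about, which is why the reply points at MAC-level filtering.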

