* Ranjeet Shetye (ranjeet.shetye@zultys.com) wrote:
> I think I got it right :D.

Unfortunately not quite.

> Hence when you downsize your (layer 3) router into a (layer 2) bridge,
> your neo-bridge becomes a layer 2 entity and disappears from the layer 3
> i.e. it is no longer visible at layer 3. Therefore no firewalling, no
> NAT.

See, this isn't entirely correct. A bridge passes around ethernet frames, yes, *but* that does *NOT* mean that it can't modify those frames. It can, in fact, modify those frames for NATing purposes. It can also do full state-based firewalling by watching the frames go by and doing exactly what netfilter does today. There's also an eptables or some such out there for filtering based on raw ethernet frames, but basically everything in iptables will work too with the right patches. The only thing that won't is MASQ because your ethernet interfaces don't have an IP address for MASQ to use, *however*, you *CAN* do SNAT/DNAT/etc.

Stephen