Re: Layer 2 (stealth) firewalls - PBR?

[<lordchariot () embarqmail com>]

If I were to speculate what the meaning of layer2 PBR is in this context,
this is what I would guess. I do this on my home router/firewall to
intercept port 80&443 and send it to a content filtering solution. It's
invisible to wireless network users.

# eth0=internet
# eth1= Wireless LAN (192.168.1.0/24)
# eth2=DMZ where content filter resides (192.168.2.0/24)
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK
--set-mark 0x1000
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 443 -j MARK
--set-mark 0x1000
#
# 192.168.2.220=content filter
ip route flush table 100
ip route append 0.0.0.0/0 via 192.168.2.220 table 100
ip rule del pref 500
ip rule add pref 500 fwmark 1000 lookup 100


The filtering solution requires that the original source and destination IP
address remains intact, but the packets are forwarded to the MAC address of
the host 192.168.2.220.


Maybe this is what he means?
-erik

> -----Original Message-----
> From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-
> wizards-bounces () listserv icsalabs com] On Behalf Of Darden, Patrick S.
> Sent: Thursday, April 10, 2008 7:48 AM
> To: Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
>
>
> Inaki, what vendor, which switch?  Do you have a URL for us?
> I still wonder: what is layer 2 PBR?  What are its uses?
> How does it function?  Can you give us a good example, or
> point us to a web site/document with a good example?
>
> We've heard a lot of speculation, originated by some people
> who were wondering themselves if such a thing was possible,
> used by anyone, and what uses they were making of it.
>
> So far, you are the only one to answer the original question!
> (other than me speculating that it is not possible, nobody is using it,
> and asking if anyone knows better.)
>
> Glad you spoke up!
> --p
>
>
> -----Original Message-----
> From: firewall-wizards-bounces () listserv icsalabs com
> [mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of
> Iñaki Arenaza
> Sent: Saturday, April 05, 2008 3:38 PM
> To: firewall-wizards () listserv icsalabs com
> Subject: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
>
>
> > > > > > "Darden," == Darden, Patrick S <darden () armc org> writes:
>
>     Darden,> Layer 2, unlike IP, is on a flat fabric.  There are no
>     Darden,> routers, no routing protocols, it is bridged.  Every
>     Darden,> point on the fabric knows every other point on the
>     Darden,> fabric.
>
> While not expert on the subject, I know of a switch vendor that is
> adding PBR at layer 2 to their gear. They usually deal with some Layer
> 2 protocols (use in special industrial environments), and they want to
> control where those Layer 2 packets go (output port) depending on
> several factors like being unicast/multicast/broadcast, coming/going
> to certain MAC addresses/addresses groups, etc.
>
> So while not widely used, there are people doing 'crazy' stuff like
> that.
>
> Saludos. Iñaki.
>
> --
>   Get PGP/GPG Keys at  http://www.escomposlinux.org/iarenaza/pgpkey.php
>   I use free software / Yo uso software libre
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards