Firewall Wizards mailing list archives
Re: Layer 2 (stealth) firewalls - PBR?
From: <lordchariot () embarqmail com>
Date: Thu, 10 Apr 2008 17:12:01 -0400
If I were to speculate what the meaning of layer 2 PBR is in this context, this is what I would guess. I do this on my home router/firewall to intercept ports 80 & 443 and send them to a content filtering solution. It's invisible to wireless network users.

# eth0 = internet
# eth1 = wireless LAN (192.168.1.0/24)
# eth2 = DMZ where the content filter resides (192.168.2.0/24)
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 0x1000
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 443 -j MARK --set-mark 0x1000
#
# 192.168.2.220 = content filter
ip route flush table 100
ip route append 0.0.0.0/0 via 192.168.2.220 table 100
ip rule del pref 500
# the fwmark must be the same value the MARK target set above (hex 0x1000; a bare 1000 is read as decimal and never matches)
ip rule add pref 500 fwmark 0x1000 lookup 100

The filtering solution requires that the original source and destination IP addresses remain intact, but the packets are forwarded to the MAC address of the host 192.168.2.220. Maybe this is what he means?

-erik
-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Darden, Patrick S.
Sent: Thursday, April 10, 2008 7:48 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?

Inaki, what vendor, which switch? Do you have a URL for us?

I still wonder: what is layer 2 PBR? What are its uses? How does it function? Can you give us a good example, or point us to a web site/document with a good example?

We've heard a lot of speculation, originated by some people who were wondering themselves if such a thing was possible, used by anyone, and what uses they were making of it. So far, you are the only one to answer the original question! (Other than me speculating that it is not possible, nobody is using it, and asking if anyone knows better.) Glad you spoke up!

--p

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Iñaki Arenaza
Sent: Saturday, April 05, 2008 3:38 PM
To: firewall-wizards () listserv icsalabs com
Subject: [fw-wiz] Layer 2 (stealth) firewalls - PBR?

Darden, Patrick S <darden () armc org> writes:

> Layer 2, unlike IP, is on a flat fabric. There are no routers, no routing protocols, it is bridged. Every point on the fabric knows every other point on the fabric.

While not an expert on the subject, I know of a switch vendor that is adding PBR at layer 2 to their gear. They usually deal with some layer 2 protocols (used in special industrial environments), and they want to control where those layer 2 packets go (output port) depending on several factors like being unicast/multicast/broadcast, coming from/going to certain MAC addresses/address groups, etc.

So while not widely used, there are people doing 'crazy' stuff like that.

Regards.
Iñaki.
--
Get PGP/GPG Keys at http://www.escomposlinux.org/iarenaza/pgpkey.php
I use free software / Yo uso software libre

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
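Erik's fwmark plus policy-routing interception, as an added example that is not from the original post: the same iptables/ip rule commands made idempotent, with a teardown and a check that the MARK value and the rule's fwmark are the same number (iproute2 reads `fwmark 1000` as decimal, so it would never match a mark set to 0x1000). The dry-run default and the documentation address 198.51.100.1 used in the verification command are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script: Erik's fwmark + policy-routing
# interception made idempotent, with a check that mark and fwmark agree. Interface
# names and 192.168.2.220 come from the post; dry-run default and 198.51.100.1 are assumptions.
LAN_IF=eth1
FILTER=192.168.2.220
MARK=0x1000      # iptables sets it, ip rule matches it: must be one value
TABLE=100
PREF=500
# Print the commands that divert LAN HTTP/HTTPS through the filter host.
# Each one is written so that running the script twice is harmless.
intercept_rules() {
    for port in 80 443; do
        # -C tests for an existing rule; -A appends only when it is missing
        echo "iptables -t mangle -C PREROUTING -i $LAN_IF -p tcp --dport $port -j MARK --set-mark $MARK 2>/dev/null ||" \
             "iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport $port -j MARK --set-mark $MARK"
    done
    echo "ip route flush table $TABLE"
    # Source/destination IPs stay intact; only the next-hop MAC becomes the filter's.
    echo "ip route add default via $FILTER table $TABLE"
    echo "ip rule del pref $PREF 2>/dev/null || true"
    echo "ip rule add pref $PREF fwmark $MARK lookup $TABLE"
}
# Print the commands that undo intercept_rules.
teardown_rules() {
    for port in 80 443; do
        echo "iptables -t mangle -D PREROUTING -i $LAN_IF -p tcp --dport $port -j MARK --set-mark $MARK 2>/dev/null || true"
    done
    echo "ip rule del pref $PREF 2>/dev/null || true"
    echo "ip route flush table $TABLE"
}
# Succeed only when the value iptables writes and the fwmark the rule looks up
# are the same number (0x1000 against a decimal 1000 silently never matches).
marks_consistent() {
    set_mark=$(intercept_rules | sed -n 's/.*--set-mark \([0-9a-fx]*\).*/\1/p' | head -n 1)
    fw_mark=$(intercept_rules | sed -n 's/.*fwmark \([0-9a-fx]*\) .*/\1/p' | head -n 1)
    [ "$(( $set_mark ))" -eq "$(( $fw_mark ))" ]
}
# Ask the kernel which table a marked LAN packet would use; expect "via 192.168.2.220".
verify_cmd() {
    echo "ip route get 198.51.100.1 from 192.168.1.10 iif $LAN_IF mark $MARK"
}
case "${1:-}" in
    up)   intercept_rules | sh -e ;;
    down) teardown_rules | sh -e ;;
    *)    intercept_rules; verify_cmd ;;   # dry run: show what would be applied
esac
```

Run it with no argument to review the generated commands, `up` or `down` as root to apply or remove them, and paste the printed `ip route get` line afterwards to confirm the marked path leaves via the filter host.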