Firewall Wizards mailing list archives
Re: Layer 2 (stealth) firewalls - PBR?
From: "Darden, Patrick S." <darden () armc org>
Date: Thu, 3 Apr 2008 08:15:27 -0400
Layer 2, unlike IP, is on a flat fabric. There are no routers, no routing protocols, it is bridged. Every point on the fabric knows every other point on the fabric. It is analogous to (in IP) having all your nodes on the same network (e.g. 128.5.5.0/24). Basically, all they do is ARP/RARP. Layer 2 PBR would, of necessity, have to change next hop address (which is destination address) and the next hop would have to change it back to the original. And addresses in layer 2 are MACs (for ethernet that is). There are certain kinda exceptions--proxy ARP/RARP is kinda routing if you extend the meaning of routing, and then you have STP for layer 2 failover, and/or bandwidth, and/or least cost routing of layer 2 frames--but again, this is only if you extend the meaning of routing.... I am treading on unfamiliar ground here, so I will readily admit it if I am wrong. So far, none of us is familiar with layer 2 pbr so we are all using analogies with IP. If anyone has hands-on, now would be a good time to pipe up and tell us how it is, instead of how we think it should be! --Patrick Darden -----Original Message----- From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of Darren Reed Sent: Wednesday, April 02, 2008 5:20 PM To: Firewall Wizards Security Mailing List Subject: Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR? Not necessarily. Layer 3 PBR doesn't change layer 3 addressing, so why would layer 2 PBR change layer 2 addresses? Granted it is hard to conceive of why people would do such a thing, but people tend to want to do crazy things (like connect to the Internet), so I thought I would ask if there were any known, solid, use cases. Darren Darden, Patrick S. wrote:
This would not be Layer 2 PBR. This would be Layer 2 NAT of MACs. E.g. a frame hits the MAC-NAT with a destination MAC of X, and your rule says if X is dest then rewrite the frame so it has dest MAC of Y instead. --p -----Original Message----- From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of Sami Ghourabi Sent: Tuesday, April 01, 2008 11:28 AM To: 'Firewall Wizards Security Mailing List'; 'Firewall Wizards Security Mailing List' Subject: Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR? Hi Darren, I had the same question a while ago during a firewall (Juniper Networks one) deployment for a customer. He had a proxy-cache and wanted to make it transparent to its user. I thought to use PBR to redirect internet traffic to the caching box, but it was impossible as the firewall was set as a bridge, the only solution I found was to put the proxy-cache inline. I think it would be useful to have some PBR at layer 2 (or PB Forwarding) for situations like this, where you have to redirect content to caching or inspection engine, perhaps some constructors have already implemented same mechanisms in their firewalls ? Regards, Sami. -----Message d'origine----- De : firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] De la part de Darren Reed Envoyé : mardi 1 avril 2008 05:49 À : Firewall Wizards Security Mailing List Objet : [fw-wiz] Layer 2 (stealth) firewalls - PBR? If I can interrupt the usual questions for some product requirements discovery.... Over in the networking community on OpenSolaris.org, a couple of us are pondering the question of what it means to do policy based routing (PBR) at the ethernet (MAC) layer. For IP, the use case is well understood and people everywhere do it with firewall software, if only to make up for the inadequacies of their routing tables however when it comes to ethernet, we're kind of scratching our heads....so, some questions.... Does running a stealth (bridging) firewall remove the need for PBR? Do people still do strange, quirky, things to packets even when they don't want them to go through IP? If you're using bridging to support your firewall (that still filters packets using IP header information), can you shed some light on why/when you want to send packets out a specific NIC regardless of what the forwarding table for the bridge says? Thanks, Darren _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Layer 2 (stealth) firewalls - PBR? Darren Reed (Apr 01)
- Re: Layer 2 (stealth) firewalls - PBR? Sami Ghourabi (Apr 01)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 02)
- Re: Layer 2 (stealth) firewalls - PBR? Darren Reed (Apr 02)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 03)
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 03)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Patrick Darden (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 10)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 02)
- Re: Layer 2 (stealth) firewalls - PBR? Sami Ghourabi (Apr 01)
- Layer 2 (stealth) firewalls - PBR? iarenaza (Apr 09)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 10)
- Re: Layer 2 (stealth) firewalls - PBR? lordchariot (Apr 10)
- Message not available
- Re: Layer 2 (stealth) firewalls - PBR? Darren Reed (Apr 08)