Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?

I'm going (to try) to address your questions inside your email below.
I'll use -- at the beginning of my responses.

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of
Darren Reed
Sent: Monday, March 31, 2008 11:49 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Layer 2 (stealth) firewalls - PBR?

If I can interrupt the usual questions for some product requirements

--Sure, no problem.

Over in the networking community on, a couple of
us are pondering the question of what it means to do policy based
routing (PBR) at the ethernet (MAC) layer.


For IP, the use case is well understood and people everywhere do
it with firewall software, if only to make up for the inadequacies of
their routing tables; however, when it comes to ethernet, we're kind
of scratching our, some questions....

--I'm scratching my head at this point as well.

Does running a stealth (bridging) firewall remove the need for PBR?

--Bridging Firewall, AFAIK, is a really fancy term for "switch". A piece
of equipment that sits between two different network segments and
determines traffic flow between them based on destination MACs... is
a switch. Even if it does, for example, disallow certain MACs based
on arbitrary rulesets (e.g. no traffic to HP MACs can cross, thereby
keeping finance from using marketing's printers and vice-versa) it
is still just a switch using a fancy name, n'est-ce pas?

--I am not sure what you could do with advanced PBR functionality
at the ethernet level that is not already incorporated via other
methods. E.g. multi-link mesh networks are handled by Spanning Tree
Protocol.... Is there a specific situation or situations you want
or need to address?

Do people still do strange, quirky, things to packets even when they
don't want them to go through IP?

--Yes. People do the craziest things with packets. Not sure what
you mean in context though!

If you're using bridging to support your firewall (that still filters
packets using IP header information), can you shed some light on
why/when you want to send packets out a specific NIC regardless
of what the forwarding table for the bridge says?

--Ah, I can pose a situation or two that might fit the context,
albeit due to lack of imagination, not very well.

--(Straw Man 1) you have a server with two NICs. A 1Gb NIC and a
10Mb NIC, and both of them are on the same IP network and go to
the same segment. The 10Mb was installed first, back in the day,
and it has an IP of The 1Gb was installed last week
with an IP of Standard IP routing calls for the
numerically lower IP to handle all traffic under normal conditions.
However, you obviously want your traffic to use the faster link.
Now, your server is ancient and has no routing protocols in it.
But, through laborious insanity, you manage to install whatever
it takes to get Layer 2 PBR working. Now you are set! It might
have been easier to just install RIP or upgrade the OS to something
modern, or just swap IP addresses on the NICs, however.

--(Straw Man 2) Crazy security feature: you set up your network
so that the switches have an incorrect ARP table (on purpose), so
if anyone attaches a PC, Mobile, HHPC, etc. they will be unable to
get anywhere using the advertised ARP. Meanwhile, you have a
transparent Bridging Firewall make the necessary changes to ensure
that approved MACs' traffic gets to where it needs to go. Fiendish,
and very difficult to administrate. And if you ever left, it would
drive the next Network Admin absolutely bonkers.

--(Straw Man 3) you might want all traffic echoed out one interface
so you can attach an IDS to it (or all vlan X traffic, or etc.).
Most switches include this functionality already however.


--No problem. Not sure if I was able to help. Interesting!
--Patrick Darden
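As an added illustration (toy code written for this page, not part of the thread, of any product, or of either poster's setup), the following simulates a learning bridge whose forwarding table is overridden by two things the thread discusses: a bridging-firewall rule that drops frames to a given vendor OUI, and a layer-2 policy route that pins frames from one source MAC to a chosen port regardless of what the learned table says. All MAC addresses and the OUI are constructed placeholders.

```python
# Toy learning bridge with a MAC-level filter and a layer-2 policy route
# layered on top of its forwarding table. Constructed example; not from
# the fw-wiz thread or any real bridge/firewall implementation.
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC
    in_port: str   # port the frame arrived on


@dataclass
class Bridge:
    ports: list
    table: dict = field(default_factory=dict)        # learned: MAC -> port
    deny_dst_oui: set = field(default_factory=set)   # filter: blocked destination OUIs
    pbr: dict = field(default_factory=dict)          # policy: src MAC -> forced egress port

    def forward(self, f: Frame) -> list:
        """Return the ports the frame is sent out of (empty list = dropped)."""
        # Learning: remember which port the source MAC was last seen on.
        self.table[f.src] = f.in_port
        # Bridging-firewall rule: drop anything addressed to a denied vendor OUI.
        if f.dst[:8].lower() in self.deny_dst_oui:
            return []
        # Layer-2 PBR: the policy wins over whatever the forwarding table says.
        if f.src in self.pbr:
            return [self.pbr[f.src]]
        # Plain bridge behaviour: known unicast goes out one port, unknown floods.
        out = self.table.get(f.dst)
        if out is None:
            return [p for p in self.ports if p != f.in_port]
        return [] if out == f.in_port else [out]


def demo() -> tuple:
    """Walk four constructed frames through the bridge and return the egress decisions."""
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed MACs
    printer = "02:aa:bb:00:00:01"                                # constructed "printer vendor" MAC
    br = Bridge(ports=["eth0", "eth1", "eth2"],
                deny_dst_oui={"02:aa:bb"},                       # placeholder OUI, not a real vendor
                pbr={host_a: "eth2"})
    r1 = br.forward(Frame(host_b, host_a, "eth1"))   # host_a unknown yet: flooded to eth0, eth2
    r2 = br.forward(Frame(host_a, host_b, "eth0"))   # table says eth1, but PBR pins host_a to eth2
    r3 = br.forward(Frame(host_b, printer, "eth1"))  # destination OUI is denied: dropped
    r4 = br.forward(Frame(host_b, host_a, "eth1"))   # no policy for host_b: learned table wins
    return r1, r2, r3, r4
```

The second and fourth frames are the interesting pair: with an identical forwarding table, only the policy entry for host_a changes the egress port.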

firewall-wizards mailing list
