Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
- From: "Darden, Patrick S." <darden@xxxxxxxx>
- Date: Tue, 1 Apr 2008 15:48:51 -0400
This would not be Layer 2 PBR. This would be Layer 2 NAT of MACs.
E.g. a frame hits the MAC-NAT with a destination MAC of
X, and your rule says if X is dest then rewrite the frame
so it has dest MAC of Y instead.
--p
-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of Sami
Ghourabi
Sent: Tuesday, April 01, 2008 11:28 AM
To: 'Firewall Wizards Security Mailing List'; 'Firewall Wizards Security
Mailing List'
Subject: Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
Hi Darren,
I had the same question a while ago during a firewall (Juniper Networks one)
deployment for a customer. He had a proxy-cache and wanted to make it
transparent to its user. I thought to use PBR to redirect internet traffic
to the caching box, but it was impossible as the firewall was set as a
bridge, the only solution I found was to put the proxy-cache inline.
I think it would be useful to have some PBR at layer 2 (or PB Forwarding)
for situations like this, where you have to redirect content to caching or
inspection engine, perhaps some constructors have already implemented same
mechanisms in their firewalls ?
Regards,
Sami.
-----Message d'origine-----
De : firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] De la part de Darren
Reed
Envoyé : mardi 1 avril 2008 05:49
À : Firewall Wizards Security Mailing List
Objet : [fw-wiz] Layer 2 (stealth) firewalls - PBR?
If I can interrupt the usual questions for some product requirements
discovery....
Over in the networking community on OpenSolaris.org, a couple of
us are pondering the question of what it means to do policy based
routing (PBR) at the ethernet (MAC) layer.
For IP, the use case is well understood and people everywhere do
it with firewall software, if only to make up for the inadequacies of
their routing tables however when it comes to ethernet, we're kind
of scratching our heads....so, some questions....
Does running a stealth (bridging) firewall remove the need for PBR?
Do people still do strange, quirky, things to packets even when they
don't want them to go through IP?
If you're using bridging to support your firewall (that still filters
packets using IP header information), can you shed some light on
why/when you want to send packets out a specific NIC regardless
of what the forwarding table for the bridge says?
Thanks,
Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- Follow-Ups:
- Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
- From: Darren Reed
- Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
- References:
- Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
- From: Sami Ghourabi
- Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
- Prev by Date: Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
- Next by Date: Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
- Previous by thread: Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
- Next by thread: Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?
- Index(es):
Relevant Pages
|
