Peter Memishian wrote:
> Another requirement might be to not only filter non-IP protocols, but to
> filter any protocol (even IP) at a lower layer in the stack. This would
> allow someone to deploy a filtering system that doesn't necessarily have
> any IP interfaces configured (such as a layer-2 bridge that also does
> layer-3 and above filtering, aka a transparent firewall).
IIRC, SunScreen used to have this feature.
Yes, it was called "Stealth Mode". The original SPF-100 and SPF-200
products only operated in this mode. The newer versions gave the option
of an IP-only bump-in-the-stack STREAMS module or stealth mode. Stealth
mode allowed network segregation at the IP level, as well as a state
engine to filter non-IP traffic and create custom rules at that level.
In stealth mode, the filtering interfaces would not be plumbed up.
The SunScreen 3.2 Administrator's Overview at docs.sun.com explains the
high-level concepts in more detail.
Also, infodoc 17258 on SunSolve, available publicly at:
http://sunsolve.sun.com/search/document.do?assetkey=1-9-17258-1
explains in good detail how the discriminator in the "ether" state
engine is used as a filter and its basic capability.
This concept could be expanded upon to not only filter on ether type,
but also at the protocol level, as others have mentioned.
-Paul
_______________________________________________
networking-discuss mailing list