Re: [leaf-user] multiple port bridging/filtering

2004-07-16 Thread Charles Steinkuehler
Erich Titl wrote:
> Charles
> Interesting approach. Do you do any MAC-based filtering?

Not at the moment...filtering is strictly based on IP (and on the
interface a system is connected to).

--
Charles Steinkuehler
[EMAIL PROTECTED]
---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] multiple port bridging/filtering

2004-07-16 Thread Tom Eastep
Erich Titl wrote:
> Charles
> At 06:57 16.07.2004 -0500, Charles Steinkuehler wrote:
>> Erich Titl wrote:
>>> Charles
>>> Interesting approach. Do you do any MAC-based filtering?
>> Not at the moment...filtering is strictly based on IP (and on the interface a system is connected to).
>
> Thanks, one more question though, IIRC you can only proxy ARP a single address per interface.

Definitely not so -- You can have multiple entries in your proxyarp file
for the same (pair of) interface(s) and you can also use the proxyarp
option in /etc/shorewall/interfaces to use Proxy ARP on ALL hosts
attached to an interface.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]



Re: [leaf-user] multiple port bridging/filtering

2004-07-16 Thread Erich Titl
Tom

At 06:36 16.07.2004 -0700, you wrote:
> Erich Titl wrote:
>> Charles
>> At 06:57 16.07.2004 -0500, Charles Steinkuehler wrote:
>>> Erich Titl wrote:
>>>> Charles
>>>> Interesting approach. Do you do any MAC-based filtering?
>>>
>>> Not at the moment...filtering is strictly based on IP (and on the interface a
>>> system is connected to).
>>
>> Thanks, one more question though, IIRC you can only proxy ARP a single address per
>> interface.
>
> Definitely not so -- You can have multiple entries in your proxyarp file for the same
> (pair of) interface(s) and you can also use the proxyarp option in
> /etc/shorewall/interfaces to use Proxy ARP on ALL hosts attached to an interface.

Thanks, will go back to the drawing board.

Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






Re: [leaf-user] multiple port bridging/filtering

2004-07-16 Thread Charles Steinkuehler
Erich Titl wrote:
> At 17:11 16.07.2004, Charles Steinkuehler wrote:
>> Erich Titl wrote:
>>> Charles
>>> At 06:57 16.07.2004 -0500, Charles Steinkuehler wrote:
>>>> Erich Titl wrote:
>>>>> Charles
>>>>> Interesting approach. Do you do any MAC-based filtering?
>>>> Not at the moment...filtering is strictly based on IP (and on the
>>>> interface a system is connected to).
>>> Thanks, one more question though, IIRC you can only proxy ARP a single
>>> address per interface. Do you have single hosts on these interfaces?
>>> Because in my case we will have parts of the entire net being fed off the
>>> interfaces.
>> Where did you get that idea?
> Probably dreamt it... :-(
> The way I understand proxy ARP is that the interface which is the proxy
> replies to ARP requests for the corresponding IP.
> So I have to enter all addresses of all the other interfaces to each of the
> interfaces for them to reply to ARP requests?

Um...it's a lot simpler than I think you're trying to make it.  In a
nutshell:

If 'proxy-arp' is enabled for an interface and the kernel receives an
ARP request for an IP address that the kernel would route out a
*DIFFERENT* interface than the ARP request was received on, the kernel
'proxies' the ARP request, or answers on behalf of the IP address which
would otherwise be unreachable.

> Now here is my problem with this set up. Two of those separate
> subnets/branches have a radio interface and another disjunct branch of this
> net connects to either of them (actually it's a train moving back and forth
> between two stations). The train nets are of the overall net. I have no
> control on how the addresses have been assigned to the net and don't know
> if it is subnettable at all.
> <snip detail>

I don't really understand exactly how your network is numbered.
Suffice it to say if you have fairly static IP allotment (regardless of
how haphazard and non-subnetted), you can use either proxy-arp or
bridging to connect them (although the more jumbled the IP assignments,
the more routing rules required to correctly build the kernel routing
table).

If your IPs are fairly dynamic (more so than would be possible to track
by hand configuration changes or a routing protocol), the use of
bridging is probably more appropriate.

--
Charles Steinkuehler
[EMAIL PROTECTED]
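As an added illustration (not code from this thread, from Shorewall or from the kernel), the following Python model applies the rule Charles states above to a constructed routing table and a batch of constructed ARP requests: the router answers only when proxy_arp is on for the receiving interface and the target address would be routed out a different interface. The interface names, prefixes and the PROXY_ARP map are assumptions made up for the example.

```python
import ipaddress

# Constructed routing table for a multi-port router like the one in the
# thread: one shared LAN prefix plus host routes for machines that have been
# split off behind other ports. Prefixes and interface names are hypothetical.
ROUTES = [
    ("10.0.0.0/24",  "eth0"),   # the shared LAN prefix lives on eth0
    ("10.0.0.10/32", "eth1"),   # host routes for hosts moved behind eth1
    ("10.0.0.11/32", "eth1"),
    ("10.0.0.20/32", "eth2"),   # a host behind eth2
    ("0.0.0.0/0",    "eth3"),   # default route toward the upstream
]

# Per-interface proxy_arp setting (what the thread calls enabling 'proxy-arp'
# for an interface). eth3 deliberately has it off. Assumed values.
PROXY_ARP = {"eth0": True, "eth1": True, "eth2": True, "eth3": False}


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match over the routing table, as the kernel does;
    returns the egress interface, or None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def should_proxy_arp(request_iface, target_ip, routes=ROUTES, proxy_arp=PROXY_ARP):
    """The rule from the thread: answer an ARP request on behalf of target_ip
    only if proxy_arp is on for the receiving interface and the kernel would
    route target_ip out a *different* interface. When the route points back
    out the receiving interface, the real host is on that segment and answers
    for itself, so the router stays silent."""
    if not proxy_arp.get(request_iface, False):
        return False
    egress = lookup_route(target_ip, routes)
    if egress is None:
        return False
    return egress != request_iface


def answered_requests(requests):
    """Run a batch of constructed (interface, target_ip) ARP requests and
    return those the router would answer, which lets a planned port split be
    checked on paper before it is committed to configuration."""
    return [(iface, ip) for iface, ip in requests if should_proxy_arp(iface, ip)]


if __name__ == "__main__":
    sample = [
        ("eth0", "10.0.0.10"),   # host behind eth1 asked for on eth0: proxied
        ("eth0", "10.0.0.5"),    # host on eth0 itself: the host answers, not us
        ("eth1", "10.0.0.10"),   # same interface as the route: not proxied
        ("eth3", "10.0.0.10"),   # proxy_arp off on eth3: not proxied
        ("eth1", "192.0.2.1"),   # routed out the default (eth3): proxied
    ]
    for iface, ip in sample:
        verdict = "answer" if should_proxy_arp(iface, ip) else "silent"
        print(f"{iface} asks for {ip}: {verdict}")
```

The same-interface case is the one worth noticing: the router never answers for an address that is reachable on the segment the request came in on, which is why, as Tom points out, no per-address list of "all the other interfaces" is needed; the routing table already carries that information.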


Re: [leaf-user] multiple port bridging/filtering

2004-07-16 Thread Erich Titl
Charles

At 23:10 16.07.2004, Charles Steinkuehler wrote:
> Erich Titl wrote:
>> ...
>> The way I understand proxy ARP is that the interface which is the proxy
>> replies to ARP requests for the corresponding IP.
>> So I have to enter all addresses of all the other interfaces to each of
>> the interfaces for them to reply to ARP requests?
>
> Um...it's a lot simpler than I think you're trying to make it.  In a nutshell:
> If 'proxy-arp' is enabled for an interface and the kernel receives an ARP
> request for an IP address that the kernel would route out a *DIFFERENT*
> interface than the ARP request was received on, the kernel 'proxies' the
> ARP request, or answers on behalf of the IP address which would otherwise
> be unreachable.

Ah, that's the thing I missed. Of course that makes it a lot easier.

>> Now here is my problem with this set up. Two of those separate
>> subnets/branches have a radio interface and another disjunct branch of
>> this net connects to either of them (actually it's a train moving back
>> and forth between two stations). The train nets are of the overall net. I
>> have no control on how the addresses have been assigned to the net and
>> don't know if it is subnettable at all.
>> <snip detail>
>
> I don't really understand exactly how your network is numbered.

Most of it is fairly static, not necessarily contiguous, the thing I am
uncertain about is the moving subnet(s) which may connect on multiple
locations of the net.

> Suffice it to say if you have fairly static IP allotment (regardless of
> how haphazard and non-subnetted), you can use either proxy-arp or
> bridging to connect them (although the more jumbled the IP assignments,
> the more routing rules required to correctly build the kernel routing table).
>
> If your IPs are fairly dynamic (more so than would be possible to track by
> hand configuration changes or a routing protocol), the use of bridging is
> probably more appropriate.

That's what my gut feeling tells me, but your analysis helped a lot.

Thanks
Erich
THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16



[leaf-user] multiple port bridging/filtering

2004-07-15 Thread Erich Titl
Hi Folks

I have a requirement to bridge multiple ports on a single network and filter
packets between these ports based on MAC and/or IP addresses. Can I do that using
ebtables? Does anyone have any experience with such a situation?

Thanks
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






Re: [leaf-user] multiple port bridging/filtering

2004-07-15 Thread Charles Steinkuehler
Erich Titl wrote:
> Hi Folks
> I have a requirement to bridge multiple ports on a single network and filter packets between these ports based on MAC and/or IP addresses. Can I do that using ebtables? Does anyone have any experience with such a situation?

I don't know about bridging, but you can do what you want with proxy-arp
and shorewall.  I'm running a 6-port router with 4 ports on the same
network (using proxy-arp) and filtered from each other with shorewall.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] multiple port bridging/filtering

2004-07-15 Thread Erich Titl
Charles

Interesting approach. Do you do any MAC-based filtering?

At 10:22 15.07.2004 -0500, Charles Steinkuehler wrote:
> Erich Titl wrote:
>
>> Hi Folks
>> I have a requirement to bridge multiple ports on a single network and filter
>> packets between these ports based on MAC and/or IP addresses. Can I do that using
>> ebtables? Does anyone have any experience with such a situation?
>
> I don't know about bridging, but you can do what you want with proxy-arp and
> shorewall.  I'm running a 6-port router with 4 ports on the same network (using
> proxy-arp) and filtered from each other with shorewall.

Thanks
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






Re: [leaf-user] multiple port bridging/filtering

2004-07-15 Thread Tom Eastep
Charles Steinkuehler wrote:
> Erich Titl wrote:
>> Hi Folks
>> I have a requirement to bridge multiple ports on a single network and
>> filter packets between these ports based on MAC and/or IP
>> addresses. Can I do that using ebtables? Does anyone have any
>> experience with such a situation?
>
> I don't know about bridging, but you can do what you want with proxy-arp
> and shorewall.  I'm running a 6-port router with 4 ports on the same
> network (using proxy-arp) and filtered from each other with shorewall.

Shorewall also supports bridging -- see http://shorewall.net/bridge.html
-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
