Re: [leaf-user] multiple port bridging/filtering
Erich Titl wrote:
> Charles
>
> Interesting approach, do you do any MAC based filtering?

Not at the moment...filtering is strictly based on IP (and on the interface a system is connected to).

--
Charles Steinkuehler
[EMAIL PROTECTED]

---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] multiple port bridging/filtering
Erich Titl wrote:
> Charles
>
> At 06:57 16.07.2004 -0500, Charles Steinkuehler wrote:
>> Erich Titl wrote:
>>> Charles
>>>
>>> Interesting approach, do you do any MAC based filtering?
>>
>> Not at the moment...filtering is strictly based on IP (and on the interface a system is connected to).
>
> Thanks, one more question though, IIRC you can only proxy arp a single address per interface.

Definitely not so -- You can have multiple entries in your proxyarp file for the same (pair of) interface(s) and you can also use the proxyarp option in /etc/shorewall/interfaces to use Proxy ARP on ALL hosts attached to an interface.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
Re: [leaf-user] multiple port bridging/filtering
Tom

At 06:36 16.07.2004 -0700, you wrote:
> Erich Titl wrote:
>> Charles
>>
>> At 06:57 16.07.2004 -0500, Charles Steinkuehler wrote:
>>> Erich Titl wrote:
>>>> Charles
>>>>
>>>> Interesting approach, do you do any MAC based filtering?
>>>
>>> Not at the moment...filtering is strictly based on IP (and on the interface a system is connected to).
>>
>> Thanks, one more question though, IIRC you can only proxy arp a single address per interface.
>
> Definitely not so -- You can have multiple entries in your proxyarp file for the same (pair of) interface(s) and you can also use the proxyarp option in /etc/shorewall/interfaces to use Proxy ARP on ALL hosts attached to an interface.

Thanks, will go back to the drawing board

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [leaf-user] multiple port bridging/filtering
Erich Titl wrote:
> At 17:11 16.07.2004, Charles Steinkuehler wrote:
>> Erich Titl wrote:
>>> Charles
>>>
>>> At 06:57 16.07.2004 -0500, Charles Steinkuehler wrote:
>>>> Erich Titl wrote:
>>>>> Charles
>>>>>
>>>>> Interesting approach, do you do any MAC based filtering?
>>>>
>>>> Not at the moment...filtering is strictly based on IP (and on the interface a system is connected to).
>>>
>>> Thanks, one more question though, IIRC you can only proxy arp a single address per interface. Do you have single hosts on these interfaces? Because in my case we will have parts of the entire net being fed off the interfaces.
>>
>> Where did you get that idea?
>
> Probably dreamt it... :-(
>
> The way I understand proxy arp is that the interface which is the proxy replies to arp requests for the corresponding IP. So I have to enter all addresses of all the other interfaces to each of the interfaces for them to reply to arp requests?

Um...it's a lot simpler than I think you're trying to make it. In a nutshell:

If 'proxy-arp' is enabled for an interface and the kernel receives an arp request for an IP address that the kernel would route out a *DIFFERENT* interface than the arp request was received on, the kernel 'proxies' the arp request, or answers on behalf of the IP address which would otherwise be unreachable.

> Now here is my problem with this set up. Two of those separate subnets/branches have a radio interface and another disjunct branch of this net connects to either of them (actually it's a train moving back and forth between two stations). The train nets are of the overall net. I have no control on how the addresses have been assigned to the net and don't know if it is subnettable at all.

<snip detail>

I don't really understand exactly how your network is numbered. Suffice it to say if you have fairly static IP allotment (regardless of how haphazard and non-subnetted), you can use either proxy-arp or bridging to connect them (although the more jumbled the IP assignments, the more routing rules required to correctly build the kernel routing table).

If your IPs are fairly dynamic (more so than would be possible to track by hand configuration changes or a routing protocol), the use of bridging is probably more appropriate.

--
Charles Steinkuehler
[EMAIL PROTECTED]
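The proxy-ARP rule Charles gives in a nutshell, and Tom's point that it is not limited to one address per interface, can be modelled as a routing lookup. The Python below is an added example, not code from the thread, from Shorewall or from the kernel; the routing table, interface names and addresses are constructed, and the train scenario is reduced to a /32 that gets re-pinned when it moves.

```python
import ipaddress

# Constructed example: a multi-port router with one haphazardly numbered
# network spread over several ports (the thread's "overall net").  Nothing
# here is from the thread itself; interfaces and addresses are made up.
ROUTES = [
    ("192.168.1.0/24", "eth0"),    # most of the net sits behind eth0
    ("192.168.1.10/32", "eth1"),   # one single host moved to eth1
    ("192.168.1.64/27", "eth2"),   # a subnettable branch behind eth2
    ("192.168.1.200/32", "eth3"),  # the "train", currently docked at eth3
]
PROXY_ARP = {"eth0", "eth1", "eth2", "eth3"}  # proxy_arp enabled on these

def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match over the table, as the kernel FIB does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def answers_arp(in_dev, target_ip, routes=ROUTES, proxy_arp=PROXY_ARP):
    """The rule from the thread: with proxy ARP on for in_dev, the kernel
    answers an ARP request for target_ip only if it would route that
    address out a *different* interface.  Any number of addresses per
    interface qualify; there is no one-address limit."""
    if in_dev not in proxy_arp:
        return False
    out_dev = route_lookup(target_ip, routes)
    return out_dev is not None and out_dev != in_dev

def move_host(routes, ip, new_dev):
    """Re-pin a /32 when a host (the train) reappears on another port.
    With proxy ARP this route change is what must track the movement;
    a bridge would learn it from source MACs instead."""
    host = f"{ip}/32"
    return [(p, d) for p, d in routes if p != host] + [(host, new_dev)]

if __name__ == "__main__":
    for dev, ip in [("eth0", "192.168.1.10"), ("eth1", "192.168.1.10"),
                    ("eth2", "192.168.1.5"), ("eth0", "192.168.1.200")]:
        print(f"ARP for {ip} in on {dev}: proxied={answers_arp(dev, ip)}")
```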
Re: [leaf-user] multiple port bridging/filtering
Charles

At 23:10 16.07.2004, Charles Steinkuehler wrote:
> Erich Titl wrote:
> ...
>> The way I understand proxy arp is that the interface which is the proxy replies to arp requests for the corresponding IP. So I have to enter all addresses of all the other interfaces to each of the interfaces for them to reply to arp requests?
>
> Um...it's a lot simpler than I think you're trying to make it. In a nutshell:
>
> If 'proxy-arp' is enabled for an interface and the kernel receives an arp request for an IP address that the kernel would route out a *DIFFERENT* interface than the arp request was received on, the kernel 'proxies' the arp request, or answers on behalf of the IP address which would otherwise be unreachable.

Ah, that's the thing I missed. Of course that makes it a lot easier.

>> Now here is my problem with this set up. Two of those separate subnets/branches have a radio interface and another disjunct branch of this net connects to either of them (actually it's a train moving back and forth between two stations). The train nets are of the overall net. I have no control on how the addresses have been assigned to the net and don't know if it is subnettable at all.
>
> <snip detail>
>
> I don't really understand exactly how your network is numbered.

Most of it is fairly static, not necessarily contiguous, the thing I am uncertain about is the moving subnet(s) which may connect on multiple locations of the net.

> Suffice it to say if you have fairly static IP allotment (regardless of how haphazard and non-subnetted), you can use either proxy-arp or bridging to connect them (although the more jumbled the IP assignments, the more routing rules required to correctly build the kernel routing table).
>
> If your IPs are fairly dynamic (more so than would be possible to track by hand configuration changes or a routing protocol), the use of bridging is probably more appropriate.

That's what my gut feeling tells me, but your analysis helped a lot.

Thanks

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [leaf-user] multiple port bridging/filtering
Erich Titl wrote:
> Hi Folks
>
> I have a requirement to bridge multiple ports on a single network and filtering packets between these ports based on MAC and/or IP addresses. Can I do that using ebtables? Does anyone have any experience with such a situation?

I don't know about bridging, but you can do what you want with proxy-arp and shorewall. I'm running a 6-port router with 4 ports on the same network (using proxy-arp) and filtered from each other with shorewall.

--
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] multiple port bridging/filtering
Charles

Interesting approach, do you do any MAC based filtering?

At 10:22 15.07.2004 -0500, Charles Steinkuehler wrote:
> Erich Titl wrote:
>> Hi Folks
>>
>> I have a requirement to bridge multiple ports on a single network and filtering packets between these ports based on MAC and/or IP addresses. Can I do that using ebtables? Does anyone have any experience with such a situation?
>
> I don't know about bridging, but you can do what you want with proxy-arp and shorewall. I'm running a 6-port router with 4 ports on the same network (using proxy-arp) and filtered from each other with shorewall.

Thanks

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [leaf-user] multiple port bridging/filtering
Charles Steinkuehler wrote:
> Erich Titl wrote:
>> Hi Folks
>>
>> I have a requirement to bridge multiple ports on a single network and filtering packets between these ports based on MAC and/or IP addresses. Can I do that using ebtables? Does anyone have any experience with such a situation?
>
> I don't know about bridging, but you can do what you want with proxy-arp and shorewall. I'm running a 6-port router with 4 ports on the same network (using proxy-arp) and filtered from each other with shorewall.

Shorewall also supports bridging -- see http://shorewall.net/bridge.html

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]