[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Quick bridging question

To: Claus <cniesen@gmx.net>
Subject: Re: Quick bridging question
From: Jason Wright <jason@thought.net>
Date: Thu, 1 Mar 2001 17:24:13 -0500
Cc: misc@openbsd.org
Content-Disposition: inline
References: <5.0.1.4.2.20010301100708.00a4f6e0@pop.gmx.de> <20010301163859.A4628@nord-com.net> <F119BNlJbSorxTjtRpe00023076@hotmail.com> <3A9CF4EC.89053D01@syracusenetworks.com> <1214252845.20010301125058@securax.org> <20010301163859.A4628@nord-com.net> <7018442538.20010301164728@securax.org> <5.0.1.4.2.20010301100708.00a4f6e0@pop.gmx.de> <20010301140951.B2992@thought.net> <5.0.1.4.2.20010301144835.00a3f4f0@pop.gmx.de>
User-Agent: Mutt/1.2.5i

On Thu, Mar 01, 2001 at 02:56:44PM -0600, Claus wrote:
> Thanks Jason that help a lot.
> 
> Now I'm wondering what happens if I ssh to the internal interface (A) from 
> my interface, does that leak to the internet.  And what about when I ssh 
> from the internet to my internal interface (A), does that leak to the local 
> lan?
> 
No.  This was a bit of a trick to make it work, but the bridge code
examines incoming frames and those that have a destination address
that is multicast, broadcast, or matches the MAC address of one of
the bridge members, it will be passed down to the IP stack of the
bridge machine and treated as if the bridge was not there.  (Multicast
and broadcast destination packets will -also- be forwarded to all
interfaces by the bridge code).  Bottom line, there is no leakage
from one side to the other when you are talking IP to the bridge
machine itself.

> I'm wondering about this because I found out that ipf.rules such as "block 
> in quick on B from any to any" doesn't have any effect since the 
> connections to the internal interface's IP number appear as if they came 
> from the internal interface instead of the external one.

You're seeing the vestiges of a trick in the bridge.  Say you receive a
packet on (A) with the destination MAC address of (B), the bridge will,
after finding the destination MAC matches (B), make the packet appear
to have come in on (B) for the IP stack's processing.  This trick allows
several things to work with the bridge, and appears to generate least
surprise behavior in many cases.

--Jason L. Wright

Follow-Ups:
- Re: Quick bridging question
  - From: Claus <cniesen@gmx.net>

References:
- Quick bridging question
  - From: Claus <cniesen@gmx.net>
- Re: Re[2]: image of a harddrive
  - From: Jan-Uwe Finck <ju.finck@nord-com.net>
- Re[2]: image of a harddrive
  - From: Tom Van de Wiele <tosh@securax.org>
- Re[4]: image of a harddrive
  - From: Tom Van de Wiele <tosh@securax.org>
- Re: Quick bridging question
  - From: Jason Wright <jason@thought.net>
- Re: Quick bridging question
  - From: Claus <cniesen@gmx.net>

Prev by Date: Re: Somebody successfully running StarOffice 5.2 ?
Next by Date: Re: openbsd's sendmail - how save is it?
Prev by thread: Re: Quick bridging question
Next by thread: Re: Quick bridging question
Index(es):
- Date
- Thread