Howdy everyone, this is a call for topics for February’s meeting.
We’re still awaiting Steve’s mystery talk, but I’ve also got something
to talk about if anyone’s interested.
I’d like to talk about using proxy-arp and other goodies under Linux
2.2/2.4 to build pseudo-bridges.
An application of this stems from the following scenario:
I’ve got a small subnet of ISP assigned IP addresses. Two are used
for Internet facing servers, and the last is used for a NAT’ing
firewall gateway.
One of the problems I currently run into is that there’s no centrally
managed way to police/shape/filter/monitor traffic that enters/leaves
that ISP assigned subnet.
Since each of the three machines is directly connected to the
Internet, I’ve got to set up a packet filter on each machine, monitor
each machine’s link status, usage, etc.
By using proxy-arp, I can build a pseudo-bridge on my firewall/gateway
machine between my router, and other servers/machines on my ISP
assigned subnet.
This pseudo-bridge not only bridges traffic, but also allows for
inspection of any packets passing through it.
While this represents a single point of failure, it also presents the
ability to control and manage traffic to my entire ISP assigned
subnet, because all the traffic passes through this pseudo-bridge.
Unlike a real bridge, network cruft is eliminated and not propagated
without explicit measures to do so.
But, perhaps the best advantage to this setup is that I can police and
shape traffic to my entire ISP assigned network segment in one place.
This technique is also attractive because it doesn’t require much
network reconfiguration.
’Til the meeting. :)
--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[toad.enfusion-group.com] up 2:48, 1 user, load average: 0.00
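What the setup above looks like in practice, as an added example that is not part of Adrian’s post: the gateway keeps one interface (assumed `eth0`) on the router side and one (assumed `eth1`) on the server side, gives every server a host route pointing inward, turns on proxy_arp on both sides so each side answers ARP for addresses routed out the other side, and uses the FORWARD chain as the single policing point. Interface names, the constructed server addresses in the test, and the per-server HTTP allow rule are assumptions; the iptables part assumes a 2.4 kernel (2.2 would use ipchains). `DRY_RUN=1` prints the commands instead of executing them, so the script can be reviewed on a workstation before it touches the gateway.

```shell
#!/bin/sh
# Proxy-ARP pseudo-bridge for a Linux 2.2/2.4 gateway (added example).
# Assumed layout (not taken from the original post):
#   EXT_IF faces the ISP router
#   INT_IF faces the other hosts on the ISP-assigned subnet
# All hosts keep their ISP addresses; nothing on the segment is renumbered.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_pseudo_bridge EXT_IF INT_IF SERVER_IP...
setup_pseudo_bridge() {
    ext_if=$1; int_if=$2; shift 2

    # The inside interface needs no address of its own; the kernel forwards
    # frames and borrows the outside interface's address where one is needed.
    run ip link set "$int_if" up

    # One /32 host route per protected server via the inside interface.
    # These are more specific than the connected subnet route on EXT_IF,
    # so traffic for the servers is forwarded inward instead of out the router.
    for server in "$@"; do
        run ip route add "$server/32" dev "$int_if"
    done

    # proxy_arp makes the kernel answer ARP on an interface for any address
    # whose route leaves by a different interface: the router asking for a
    # server is answered on EXT_IF, a server asking for the router is answered
    # on INT_IF. That is what makes the two segments look like one.
    run sysctl -w "net.ipv4.conf.$ext_if.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$int_if.proxy_arp=1"
    run sysctl -w net.ipv4.ip_forward=1
}

# police_forwarding EXT_IF INT_IF SERVER_IP...
# Every packet crossing the pseudo-bridge passes the FORWARD chain, which is
# the single inspection point: default deny, allow replies, allow the servers
# outbound, publish an assumed allow-list (HTTP only) inbound, log the rest.
police_forwarding() {
    ext_if=$1; int_if=$2; shift 2
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$int_if" -o "$ext_if" -j ACCEPT
    for server in "$@"; do
        # Assumption: only TCP/80 is published on each server.
        run iptables -A FORWARD -i "$ext_if" -o "$int_if" -d "$server" \
            -p tcp --dport 80 -m state --state NEW -j ACCEPT
    done
    run iptables -A FORWARD -j LOG --log-prefix "pseudo-bridge drop: "
}

# Usage: [DRY_RUN=1] sh pseudo-bridge.sh EXT_IF INT_IF SERVER_IP...
if [ $# -ge 3 ]; then
    setup_pseudo_bridge "$@"
    police_forwarding "$@"
fi
```

Because the default route on the gateway still leaves via `eth0`, a server that is unplugged from `eth1` simply stops being answered for: proxy_arp never advertises an address the kernel cannot route inward, which is the "cruft is not propagated" property of the post compared with a real bridge.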