[plug] IP Chains

Christian christian at global.net.au
Thu Dec 23 10:20:18 WST 1999


Bret Busby wrote:
> My understanding (which may be totally wrong), is that ipchains involves IP
> masquerading, and takes care of the firewalling security stuff.

More or less right.

> I do not understand why a firewall on a machine that connects to an ISP using
> dialup, needs a routing application such as ip forwarding.

It's not a "routing application" as such.  It's not involved in routing
protocols (i.e., exchange of routing information for dynamic configuration
of routing tables) but rather in the actual routing of the packets
themselves.

> Christian said in his response, that IP forwarding is forwarding of IP packets;
> but I understood that was what the machine did, anyway, if it used TCP/IP for
> communication.

It doesn't do it by default -- there is no need on most machines.

> I realise that I probably appear to have no understanding whatsoever, or that
> what I understand is incorrect, but, could someone please explain the role of
> each?

Ok, if a machine on a LAN receives an IP datagram then the datagram has
usually been addressed to it.  The exception being if the station is
acting as a router in which case it has received the packet because it
needs to forward the packet on to a machine on a different network
(remember all machines on the local ethernet are directly accessible
simply through their MAC address).  If the machine receives a datagram
not addressed to it and it has not been instructed to FORWARD the
datagram on to another network then it will discard it (believing that
an error has occurred).  If it receives the datagram and it looks at the
address and knows how to reach that network then it will forward the
datagram to that network but only if IP forwarding has been enabled. 
That is why a machine doing NAT needs IP forwarding enabled, do you see?

Regards,

Christian.
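
The receive-path decision described in the message above, as an added Python model that is not part of the original post. The `Host` class, its method names, the interface names and all addresses are constructed for illustration; the `ip_forward` flag stands in for the Linux setting at /proc/sys/net/ipv4/ip_forward.

```python
import ipaddress


class Host:
    """Toy model of what a machine does with a received IP datagram."""

    def __init__(self, local_addrs, routes, ip_forward=False):
        # local_addrs: addresses this machine owns
        # routes: list of (CIDR prefix, outgoing interface name)
        self.local = {ipaddress.ip_address(a) for a in local_addrs}
        self.routes = [(ipaddress.ip_network(n), dev) for n, dev in routes]
        self.ip_forward = ip_forward  # off by default, as on most machines

    def lookup(self, dst):
        """Longest-prefix match; returns the outgoing interface or None."""
        matches = [(net.prefixlen, dev) for net, dev in self.routes if dst in net]
        return max(matches)[1] if matches else None

    def receive(self, dst):
        """Decide the fate of a datagram addressed to dst."""
        dst = ipaddress.ip_address(dst)
        if dst in self.local:
            return "deliver locally"
        if not self.ip_forward:
            # Not addressed to us and not told to forward: discard.
            return "discard (forwarding disabled)"
        dev = self.lookup(dst)
        if dev is None:
            return "discard (no route)"
        return f"forward via {dev}"


# Constructed sample: a dial-up gateway with a LAN side and a PPP side.
ROUTES = [("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "ppp0")]
ADDRS = ["192.168.1.1", "203.0.113.10"]

if __name__ == "__main__":
    gateway = Host(ADDRS, ROUTES, ip_forward=True)
    plain = Host(ADDRS, ROUTES, ip_forward=False)
    for name, host in (("gateway", gateway), ("plain host", plain)):
        for dst in ("192.168.1.1", "192.168.1.20", "198.51.100.7"):
            print(f"{name:10s} dst={dst:15s} -> {host.receive(dst)}")
```

With identical addresses and routes, only the host with forwarding enabled passes LAN traffic on to the ISP link, which is the precondition for masquerading to have anything to rewrite.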

