[H-GEN] Back to the invisible subnet

The memory remains memory at techie.com
Fri Jul 25 12:59:03 EDT 1997


	Hey there.

	Now that I've done a bit more research, and have had a lot 
explained to me by a prominent HUMBUG member in person, I believe I can 
refine my original invisible subnet question:

	OK.  I have a class C subnet with real Internet IPs.

	I need to firewall -some- of the subnet, but not all of it.  I.e., 
I want a computer physically separating the two groups, and passing data 
back and forth after checks against firewall rules.  It would be nice if this 
computer was "invisible" to my side of the subnet, while it is -essential- 
that it be "invisible" to the other side of the subnet.

Here is a kinda rough diagram:

internet           eth0     eth1
<-------x.x.x.1------x.x.x.129-----x.x.x.130 etc...
           |                       (inner)
  (outer)  |
        x.x.x.2 etc...

        Where 129 is the machine I'm inserting.  Of course, I made these 
numbers up, but they resemble the real thing pretty closely.  A note to 
those thinking of trying to break in:  Hopefully the true weebles have 
been bored to tears by this point and won't try it.  Those with a little 
skill should realise that this network is far too trivial to attack to be 
worth their bother.

	Anyway, once a packet gets to the invisible firewall (x.x.x.129) 
it's easy enough to use routing rules to deliver the packet safely, if it 
doesn't break the firewall rules.

	The trick is to make sure the packets are received.  What would 
be -really- cool is if I could coerce 129 to respond to ARP requests from 
the outer net destined for computers on the inner net with its own 
hardware address.  Conversely, it should respond to ARP requests from the 
inner net with its own also.

	In the meantime it can't allow its own ARP table to get 
confused as to where the packets go.

	Does anyone know if this is easy/possible with current software, 
or whether kernel hacking is required?  I'd rather not go to kernel 
hacking, since the only experience I have with it is a brief chat with 
ne.c, the NE2000 driver.  All I did then was add a clause to an if 
statement to ensure that it never detected a true NE2000 on port 0x320.  
<grin>  I even got that wrong the first time!

	If anyone can help me it would be -much- appreciated.  I'm 
learning to swim quickly, but I'm still a fair league out of my depth.

        The memory remains <memory at techie.com>

            ///      ///  ///  ///            ///   ///
           /// ///  ///  ///   ///  ///  ///      ///
          ///            //   ///               ///
         /// ///  ///       ///   ////////    ///
        ///      ///    /////               ///

        Web page at http://student.uq.edu.au/~s335810

----------------------- HUMBUG General List --------------------------------
echo "unsubscribe general" | mail majordomo at humbug.org.au # To Unsubscribe
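The behaviour asked for in the post above is proxy ARP: the inserted machine answers "who has" requests for hosts on the far side of each interface with its own hardware address, stays silent for hosts on the same wire, and only learns neighbour entries from the interface the host really sits on. The following is an added example written for this archive page, not code from the original poster or from HUMBUG; it models that decision logic in user space over hand-built ARP frames. The addresses (192.0.2.0/24), MACs, and the choice of splitting the class C at .128 (a /25 on each side) are assumptions made for the illustration; the post only sketched x.x.x.1, x.x.x.129 and x.x.x.130.

```python
"""Proxy-ARP decision logic for a firewall that splits one subnet in two.

Added example, not code from the original post. The addresses, MACs and the
choice of a /25 split below are constructed for illustration.
"""
import struct
from ipaddress import IPv4Address, IPv4Network

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ETH_HDR = "!6s6sH"            # dst MAC, src MAC, EtherType
ARP_HDR = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac(text):
    """'02:00:00:00:aa:00' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_arp(op, sha, spa, tha, tpa):
    """Ethernet + ARP frame. Requests go to broadcast, replies unicast to tha."""
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    eth = struct.pack(ETH_HDR, eth_dst, sha, ETH_P_ARP)
    arp = struct.pack(ARP_HDR, 1, 0x0800, 6, 4, op,
                      sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Return the fields of an IPv4-over-Ethernet ARP frame, or None otherwise."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_HDR, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": IPv4Address(spa),
            "tha": tha, "tpa": IPv4Address(tpa)}


class ProxyArpFirewall:
    """Answers ARP for hosts on the far side of each interface with its own MAC."""

    def __init__(self, sides, own_ip):
        # sides: {iface: (MAC the firewall uses on that iface, hosts reachable on that wire)}
        self.sides = sides
        self.own_ip = own_ip
        self.arp_cache = {}   # IPv4Address -> (MAC, iface), real neighbours only

    def _on_other_side(self, iface, ip):
        return any(ip in net for other, (_, net) in self.sides.items() if other != iface)

    def handle(self, iface, frame):
        """Process one frame received on iface; return the reply frame to send, or None."""
        a = parse_arp(frame)
        if a is None:
            return None
        own_mac, local_net = self.sides[iface]
        # Only learn senders whose address really belongs on this wire. A request
        # arriving on eth1 that claims an outer-side address must not overwrite the
        # entry learned on eth0, or the firewall would forward that host's traffic
        # back out the wrong interface.
        if a["spa"] in local_net and a["spa"] != self.own_ip:
            self.arp_cache[a["spa"]] = (a["sha"], iface)
        if a["op"] != ARP_REQUEST:
            return None
        target = a["tpa"]
        # Reply with our own MAC when the target is us or lives behind another
        # interface; stay silent for hosts on the same wire (they answer for
        # themselves) and for addresses we do not route at all.
        if target == self.own_ip or self._on_other_side(iface, target):
            return build_arp(ARP_REPLY, own_mac, target, a["sha"], a["spa"])
        return None


# Constructed topology matching the post's sketch: outer hosts .1-.127 on eth0,
# the firewall at .129, inner hosts .130-.254 on eth1.
FW = ProxyArpFirewall(
    {"eth0": (mac("02:00:00:00:aa:00"), IPv4Network("192.0.2.0/25")),
     "eth1": (mac("02:00:00:00:aa:01"), IPv4Network("192.0.2.128/25"))},
    IPv4Address("192.0.2.129"))
OUTER_HOST = (mac("02:00:00:00:00:02"), IPv4Address("192.0.2.2"))
INNER_HOST = (mac("02:00:00:00:00:82"), IPv4Address("192.0.2.130"))


def who_has(asker, target_ip):
    """ARP request 'who has target_ip? tell asker' as a host would broadcast it."""
    return build_arp(ARP_REQUEST, asker[0], asker[1], b"\x00" * 6, target_ip)


if __name__ == "__main__":
    for iface, asker, target in [("eth0", OUTER_HOST, INNER_HOST[1]),
                                 ("eth0", OUTER_HOST, IPv4Address("192.0.2.3")),
                                 ("eth1", INNER_HOST, OUTER_HOST[1])]:
        reply = FW.handle(iface, who_has(asker, target))
        print(iface, target, "->", "reply from" if reply else "silent",
              parse_arp(reply)["sha"].hex(":") if reply else "")
```

The same rule is what the Linux kernel applies when proxy ARP is enabled on an interface (the net.ipv4.conf.<iface>.proxy_arp sysctl in later kernels): it answers for any target it has a route to via a different interface, so the routing table, with the inner half routed via eth1 and the outer half via eth0, is what decides which requests get the firewall's MAC. The learning check in handle() is the part worth keeping in mind for the "don't let its own ARP table get confused" requirement: a neighbour entry is only accepted from the interface whose address range contains the sender.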
