Linux Journal: Transparent Firewalling
Oct 23, 1999, 18:43
(Other stories by Christian Pellegrin)
"One of the most difficult problems when dealing with a firewall is that the network or subnetwork we want to protect usually has to be split into at least two subnetworks: one on the external side and one on the internal, protected side. This, apart from the planning stage, can result in the reconfiguration of all machines in the network to the new configuration. What is worse is that in case of a hardware fault of the firewall, you'll have to reconfigure all machines in your network so they will be able to see the outside until you repair the firewall machine. The configuration of the firewall can be even harder if you don't have access to the configuration of the machine that actually connects your network to the external world, very often a router or something leased from a telco (telephone company)."
"We are going to explain a smarter way of adding a firewall to your network without breaking it into subnetworks or reconfiguring any machine on the internal or external network, except from the firewall machine itself, by just fooling the other machines into thinking nothing changed. We will cover the aspects of the network configuration and packet routing, not real packet-filtering firewalling..."