Linux Journal: Transparent Firewalling

“One of the most difficult problems when dealing with a
firewall is that the network or subnetwork we want to protect
usually has to be split into at least two subnetworks: one on the
external side and one on the internal, protected side. This, apart
from the planning stage, can result in the reconfiguration of all
machines in the network to the new configuration. What is
worse is that in case of a hardware fault of the firewall, you’ll
have to reconfigure all machines in your network so they will be
able to see the outside until you repair the firewall machine. The
configuration of the firewall can be even harder if you don’t have
access to the configuration of the machine that actually connects
your network to the external world, very often a router or
something leased from a telco (telephone company).”

“We are going to explain a smarter way of adding a firewall to
your network without breaking it into subnetworks or reconfiguring
any machine on the internal or external network, except for the
firewall machine itself, by just fooling the other machines into
thinking nothing changed. We will cover the aspects of the network
configuration and packet routing, not real packet-filtering