Subject: Re: NetBSD as a bridge/firewall
To: Matthias Scheler <email@example.com>
From: Martin Husemann <firstname.lastname@example.org>
Date: 08/17/2002 11:08:10
On Sun, Aug 11, 2002 at 08:26:26AM +0000, Matthias Scheler wrote:
> NetBSD can't do filtering on a bridge.
While that's true I'm not sure bridge* is the best way to handle this.
IIUC you can use a bijective 1:1 NAT mapping (so it's not realy NAT, because
there is no translation) with ipnat/ipf to map the /28 from one interface
to another and apply ipf filtering rules in between. I may have misunderstood
this though, and it makes it hard to run services on the filtering box (which
is a bad idea anyway in this situation).
I'd try to make them drop the "don't want NAT" part and use NAT and ipf RDR
rules to setup a classic firewall/DMZ thing (with a second filter/NAT between
DMZ and internal network)