Subject: Re: Transparent Firewall w/ NetBSD
To: David Wetzel <dave@turbocat.de>
From: Jon Lindgren <jlindgren@espus.com>
List: netbsd-help
Date: 07/18/2000 09:26:58
On Tue, 18 Jul 2000, David Wetzel wrote:

> > Yeah.  This is a routing configuration.  A bridging configuration will not
> > consume IP addresses... it's similar to an ethernet switch which will
> > filter packets.  Packet comes in, the box realizes that it must be bridged
> > to another segment, and figures "hey, why not throw it through IPFilter,
> > too."  Of course, you can't do NAT in such a situation, but it's a great
> > option for situations where you've got a bunch of static IPs from a
> > provider, and you don't want to do IP filter on n different boxes.
> 
> I do not care about the IP address. And I run only IP filter on one machine.
> The one that is connected to the cisco.
> Why should I run IP filter on another machine?

That's the point...  For 1 IP, it's no big deal either way.  It's a
degenerate case.  For 10 IPs, however, it makes a difference.

Imagine I have a dsl line, and my dsl provider gives me 10 static IPs, and
furthermore, the DSL doesn't route IP traffic - it bridges it (this is typical
where I am - every DSL implementation I've seen so far is bridged; even
those which provide ciscos or netopias are actually bridged).

Now, since I have no control over the routes on their network, I can't
implement a BSD box which routes and firewalls; this would require
the provider to use that box as the gateway for my 10 static IP
addresses.  In other words, I'm stuck on a flat topology.

Solution: a bridging firewall.

The bridge looks like a regular, run-of-the-mill switch from a layer 1/2
perspective (although they can generally do great things like spanning
tree, etc.)  Now I have the added value of filtering on it.

Being stuck on a flat network topology, I'd normally have to use IPFilter
on every machine on the network (remember, I can't put my own firewall
there...).  Using bridging firewalls, the IP layer isn't affected (except
for filtering), so IP is none the wiser.

See what I mean?

-Jon
 --------------------------------------------------------------------
 "Hey - this old machine screams like a snail on acid!" - (a true
  comment by a fellow who recently installed NetBSD on an old server)
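As an added example that is not part of Jon's message, this script generates the two pieces of the bridging firewall he describes: the bridge setup (two members with no IP address of their own, IPFilter hooked in) and an IPFilter ruleset written per static IP. It assumes NetBSD with bridge(4), brconfig(8) supporting the `ipf` flag (kernel option BRIDGE_IPF) and IPFilter; the interface names fxp0/fxp1, the 10.0.0.x addresses and the "SSH and HTTP only" policy are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes NetBSD with
# bridge(4), brconfig(8) with the "ipf" flag (option BRIDGE_IPF) and
# IPFilter. Interface names and addresses below are constructed.

OUTSIDE=fxp0   # faces the provider's DSL bridge
INSIDE=fxp1    # faces the hosts that own the static IPs

# Commands that build the bridge and hand its traffic to IPFilter.
# Neither member interface gets an IP address: the firewall is
# invisible at layer 3, so no IP from the static block is consumed.
bridge_setup_cmds() {
  printf 'ifconfig %s up\n' "$OUTSIDE" "$INSIDE"
  printf 'ifconfig bridge0 create\n'
  printf 'brconfig bridge0 add %s add %s ipf up\n' "$OUTSIDE" "$INSIDE"
}

# IPFilter rules for the outside member: block by default, let every
# host originate connections, and admit only SSH and HTTP to each
# static IP. $1 = outside interface, remaining args = static IPs.
# Rules are written against the member interface, where BRIDGE_IPF
# sees the frames; no NAT is possible here, as the thread notes.
ipf_bridge_rules() {
  ifc=$1; shift
  echo "block in log on $ifc all"
  echo "block out log on $ifc all"
  echo "pass out quick on $ifc proto tcp/udp from any to any keep state"
  echo "pass out quick on $ifc proto icmp from any to any keep state"
  for ip in "$@"; do
    echo "pass in quick on $ifc proto tcp from any to $ip port = 22 keep state"
    echo "pass in quick on $ifc proto tcp from any to $ip port = 80 keep state"
  done
}
```

On the firewall itself the output would be used as `bridge_setup_cmds | sh` and `ipf_bridge_rules fxp0 10.0.0.2 10.0.0.3 > /etc/ipf.conf; ipf -Fa -f /etc/ipf.conf`; adding a static IP to the block is one more argument, not another machine running IPFilter.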