Subject: Re: Transparent Firewall w/ NetBSD
To: None <netbsd-help@netbsd.org>
From: Laine Stump <lainestump@rcn.com>
List: netbsd-help
Date: 07/18/2000 14:19:01
At 12:56 PM 7/18/00 -0400, Jon Lindgren wrote:
>On Tue, 18 Jul 2000, David Brownlee wrote:
>
>[snip]
>
> > > (BTW, if I had a choice between bridging, or using NAT, I'd choose to
> > > bridge every time. There are just too many odd protocols not supported by
> > > IPFilter (or most any other NAT implementation). For example H.323, RTSP,
> > > xdmcp.)
> > >
> >       If you are running xdmcp then you probably are not in an
> >       environment that needs a secure filtering box (you might need
> >       one at your border, but then you probably are not running xdmcp
> >       across there).

Sure, that was just an example. I don't actually let xdm (or any X) through
my firewall (unless it's wrapped inside IPSec from an approved source). I'd
love to get H.323 and RTSP (using UDP transport) through it though.

>Not to mention that a bridge can't really do NAT... if it did, it'd
>need at least one IP to NAT everything behind, at which point it becomes
>an IP firewall/router...

Sure, but the discussion didn't come from the direction of "doing NAT with 
a bridge". A problem was presented, and two very different solutions to the 
problem were put forward, one using bridging (and *not* changing the IP 
addresses) and one using NAT.

BTW, I don't have a choice - I only have one IP address, so I *must* use NAT.

>Who might be prompted [with promises of food, longevity, general hugs and
>kisses] to do such a thing?  I'd do it, but I know that 1) I'd never get
>around to it (slacker), and 2) it'd take me 5x longer than someone who
>knows the code and the flow.
>
>I'd say that adding bridging code would round off NetBSD's networking
>functionality nicely.  I think bridging is the only major networking piece
>that NetBSD does not yet have (be nice - I'm not trolling...)

I wish I could figure out an angle that would turn it into an approved 
project for my employer. Unfortunately, even though I can see a definite 
use for it in a product we sell, our marketing department is addicted to 
Linux hype :-(
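The RTSP case raised above, as an added example that is not part of the original thread: it parses a constructed RTSP SETUP exchange (hypothetical addresses and ports) and lists the inbound UDP media flows that a NAT which only maps outbound-initiated traffic would have no entry for, which is exactly the mapping an RTSP ALG has to create on the client's behalf.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class MediaFlow:
    server_ip: str
    server_port: int
    client_ip: str      # private address behind the NAT
    client_port: int

# Constructed sample exchange (hypothetical addresses): a client on
# 10.0.0.5 behind NAT asks a server at 203.0.113.7 for RTP over UDP.
# The port pairs are negotiated inside the RTSP payload, which a plain
# NAT neither reads nor rewrites.
SETUP_REQUEST = (
    "SETUP rtsp://203.0.113.7/movie/video RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589\r\n\r\n"
)
SETUP_REPLY = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 12345678\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589;"
    "server_port=6256-6257\r\n\r\n"
)

def _transport_ports(msg, name):
    """Return the (low, high) port pair for a Transport header parameter."""
    m = re.search(r"Transport:.*?\b%s=(\d+)(?:-(\d+))?" % name, msg)
    if not m:
        return None
    low = int(m.group(1))
    return low, (int(m.group(2)) if m.group(2) else low)

def inbound_media_flows(request, reply, client_ip, server_ip):
    """List the RTP/RTCP flows the client expects to *receive*.

    Each arrives at the NAT's public side destined for a port chosen in
    the RTSP payload.  A NAT that only maps flows it saw leave from the
    inside has no entry for them and drops the media, even though the
    client-initiated RTSP control connection itself traversed fine.
    """
    cports = _transport_ports(request, "client_port")
    sports = _transport_ports(reply, "server_port")
    if cports is None or sports is None:
        return []
    return [MediaFlow(server_ip, sp, client_ip, cp)
            for sp, cp in zip(range(sports[0], sports[1] + 1),
                              range(cports[0], cports[1] + 1))]
```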