Subject: ethernet bridge + ipf = transparent firewall?
To: None <netbsd-users@netbsd.org>
From: Malcolm Herbert <mjch@mjch.net>
List: netbsd-users
Date: 08/23/2004 14:48:25
I have a situation where I'm wanting to put a windows box behind a
NetBSD box, but have both appear to be on the same network with their
addresses on the same local network (i.e., I do not want to do NAT)
because there are services which are hosted on the Windows box which
need to be visible to clients.

I want to do this because I don't trust Windows an inch and so want to
bridge network traffic over the NetBSD box and filter it with ipf, thus
creating a transparent firewall from the point of view of the Windows
machine, e.g.:

{ network } ---- [ tlp0  NetBSD  kue0 ] ---- [  Windows  ]

For the moment I'm trying to get this going with my laptop which is
running 1.6ZG (-current as of a few months ago now). According to the
notes in the ipf HOWTO (http://www.obfuscation.org/ipf/) I should be
able to do this reasonably simply by bringing up the bridge0 interface
and applying some filter rules ... trouble is that once the bridge is
running, I don't seem to be able to control the traffic over it with ipf
at all ...

This is how I'm setting up the bridge:

|ifconfig bridge0 create
|brconfig bridge0 add kue0
|brconfig bridge0 add tlp0
|ifconfig bridge0 up

Note that tlp0 has an IP but kue0 does not. Again, according to the
HOWTO, this sort of setup should work regardless of whether an interface
has an IP or not - in best 'stealth' mode this sort of thing is done
where neither interface has an IP address ...

After playing with it for some time and not getting anywhere, I got
frustrated and tried the following ipf.conf:

|block in all
|block out all

... which as far as I can tell should prevent all traffic from crossing
every network interface, however it doesn't appear to do anything but
cause my laptop to not be able to talk to the network or itself - net
traffic still goes back and forth from the Windows machine without being
blocked at all ...

I have confirmed that I do not have net.inet.ip.forwarding set. I have
also confirmed that I have in fact plugged the Windows machine into the
NetBSD one and not gone directly to the switch ... done that already :)

Has anyone done this sort of thing before? I'm hoping it's doable -
have been itching to try out this sort of thing since I heard about the
possibility from a friend of mine (hi grant!) ... in fact this was one
of the major reasons for me getting into NetBSD in the first place, so
it would be a shame to find that it wasn't up to the task ... :(

Any help would be gratefully received ...

Regards,
Malcolm

-- 
Malcolm Herbert                                    System Administrator
ph [990] 54881 rm 28-241                          School of GeoSciences
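A filter set for the layout described in the post, added here as an example and not part of the original message. NetBSD only hands bridged frames to ipf when the kernel is built with `options BRIDGE_IPF` and filtering is switched on for the bridge with `brconfig bridge0 ipf`, so the ruleset assumes both. The addresses (laptop 192.168.1.10 on tlp0, Windows host 192.168.1.20, local resolver 192.168.1.1) and the hosted-service port 3389 are constructed placeholders; the post names neither.

```conf
# /etc/ipf.conf for a bridging NetBSD box: tlp0 faces the network,
# kue0 faces the Windows host.  Added example, not the poster's file.
# Assumes a kernel built with "options BRIDGE_IPF" and, after
# "ifconfig bridge0 up", "brconfig bridge0 ipf" so that bridged
# frames reach ipf.  Addresses and the service port are placeholders.

# Default: drop and log anything no "quick" rule below has passed.
block in log all
block out log all

# Loopback is not bridged; leave it alone.
pass in quick on lo0 all
pass out quick on lo0 all

# kue0 (untrusted side): only what the Windows host may originate.
# Replies to its hosted service are matched by state, not by rules.
pass in quick on kue0 proto tcp from 192.168.1.20 to any port = 80 flags S keep state
pass in quick on kue0 proto tcp from 192.168.1.20 to any port = 443 flags S keep state
pass in quick on kue0 proto udp from 192.168.1.20 to 192.168.1.1 port = 53 keep state
block in log quick on kue0 all

# tlp0 (network side): clients reaching the service hosted on Windows,
# plus admin access to the NetBSD box itself on its own address.
pass in quick on tlp0 proto tcp from any to 192.168.1.20 port = 3389 flags S keep state
pass in quick on tlp0 proto tcp from 192.168.1.0/24 to 192.168.1.10 port = 22 flags S keep state
pass in quick on tlp0 proto icmp from any to 192.168.1.20 icmp-type echo keep state
block in log quick on tlp0 all

# Outbound: a bridged packet was already judged when it entered on the
# other member interface, so pass it.  The laptop's own sessions get
# state here so that their replies are accepted on the way back in.
pass out quick on tlp0 proto tcp from 192.168.1.10 to any flags S keep state
pass out quick on tlp0 proto udp from 192.168.1.10 to any keep state
pass out quick on tlp0 proto icmp from 192.168.1.10 to any keep state
pass out quick all
```

Load it with `ipf -Fa -f /etc/ipf.conf` and watch the logged drops with ipmon while testing from both sides of the bridge.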