Subject: Re: About bridge and IPF
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: Daniel Carosone <dan@geek.com.au>
List: tech-kern
Date: 09/24/2002 15:09:32
On Mon, Sep 23, 2002 at 10:01:30PM +0200, Manuel Bouyer wrote:
> On Mon, Sep 23, 2002 at 08:56:27AM +0100, Simas Mockevicius wrote:
> > The IPF howto says that with an OpenBSD bridge we can filter only incoming
> > packets; does this apply to NetBSD too? I mean,
> > if there are no IP addresses on the ethernet cards, only a plain bridge?
> 
> Packets running through the bridge are not filtered at all via ipfilter.

Except where they hit the host's bridge(4) ip address, yes --
packets between other hosts forwarded through the bridge are not
seen by the ip layer and ipfilter.

I have used bridge(4) to provide path redundancy for the host, more
than for emulating a switch.  Each NIC is connected to a different
switch, and there's a crossover elsewhere between the switches.
With appropriate STP settings, one NIC is pruned and the bridge(4)
will never carry traffic between the two external switches, but if
one switch/nic/cable dies the host can use the other to maintain
connectivity.

In that configuration, traffic for the host over the bridge interface
is seen and filtered by ipfilter.

If you want to build a bridging firewall, use the ipfilter "fastroute"
mechanism and arp tricks instead of bridge.

--
Dan.
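Added example (not from Dan's message or from the NetBSD sources): the path-redundancy setup described above, written out as NetBSD rc configuration fragments. The interface names fxp0/fxp1, the address 192.0.2.10/24, and the STP priority and path-cost values are constructed assumptions, one possible choice for the "appropriate STP settings" mentioned; the host's address is placed on a member NIC (fxp0) rather than on bridge0.

```conf
# /etc/ifconfig.fxp0 -- the host's address lives on one member NIC
# (192.0.2.10/24 is a constructed example address)
inet 192.0.2.10 netmask 255.255.255.0 up

# /etc/ifconfig.fxp1 -- second member NIC, no address, just brought up
up

# /etc/ifconfig.bridge0 -- lines starting with '!' are run as shell commands
# by /etc/rc.d/network with $int set to the interface name.
create
# Run STP on both members. Bridge priority 61440 (least preferred in the
# 0-65535 range, default 32768) so this host never becomes root, and a
# higher path cost on fxp1 so that is the port STP prunes while both
# uplinks are healthy. These values are assumptions for this example.
!brconfig $int add fxp0 add fxp1 stp fxp0 stp fxp1 priority 61440 ifpathcost fxp1 200 up

# /etc/rc.conf (fragment)
ipfilter=YES

# /etc/ipf.conf -- only traffic terminating at this host is ever filtered;
# frames forwarded between other hosts never reach the IP layer or ipf.
block in log all
pass in quick proto tcp from 192.0.2.0/24 to 192.0.2.10 port = 22 keep state
pass in quick proto icmp from any to 192.0.2.10 icmp-type echo keep state
pass out quick from 192.0.2.10 to any keep state
```

After boot, `brconfig bridge0` shows which member is in the blocking state and which is forwarding, and `ipfstat -io` lists the loaded rules; pulling the cable on the forwarding NIC should move fxp1 to forwarding after the STP forward delay while the host keeps its address and its ipf policy.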