Subject: Re: NetBSD as a bridge/firewall
To: Matthias Scheler <tron@zhadum.de>
From: Daniel Carosone <dan@geek.com.au>
List: current-users
Date: 08/12/2002 14:00:41
On Sun, Aug 11, 2002 at 08:26:26AM +0000, Matthias Scheler wrote:

> NetBSD can't do filtering on a bridge. 

Not entirely true - maybe it can't filter packets being layer-2 forwarded
by bridge(4), but there are other ways to deal with this issue.

Using ipfilter's "to" mechanism to copy packets back and forth between
interfaces as part of the rules that allow the traffic, together with
some static arp proxy entries so that each side of the ethernet sees
your NetBSD box as the addresses on the other side(s) of the
bridge/firewall, should work.  There should be more detailed
descriptions of how to do this in the ipfilter FAQ or list archives.

Note: I've tried this, briefly, in the course of trying to achieve
something slightly different - but I understand others do use this
configuration.

--
Dan.
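The recipe sketched in the reply above (ipfilter "to" rules plus published ARP entries), written out as an added example; this is not code from the post, the ipfilter FAQ or NetBSD, and the interface names ex0/ex1, the MAC addresses, the 192.0.2.0/24 hosts and the rule set are all constructed assumptions:

```shell
# Added example (not from the original post).  Interface names, MACs and
# addresses are constructed; ex0/ex1 are the two NICs of the NetBSD box.
OUTER=ex0; INNER=ex1              # outer: towards the router; inner: protected hosts
OUTER_MAC=00:00:5e:00:53:01       # this box's MAC on $OUTER (constructed)
INNER_MAC=00:00:5e:00:53:02       # this box's MAC on $INNER (constructed)
NET=192.0.2.0/24
ROUTER=192.0.2.1                  # lives on the outer segment
INNER_HOSTS="192.0.2.10 192.0.2.11"   # live on the inner segment
WEB=192.0.2.10

# Proxy ARP: publish each side's addresses with this box's MAC on the *other*
# side, so frames for hosts "across the firewall" are sent to us and the ipf
# "to" rule can push them out the correct interface.
proxy_arp_cmds() {
    echo "arp -s $ROUTER $INNER_MAC pub"        # inner hosts reach the router via us
    for h in $INNER_HOSTS; do
        echo "arp -s $h $OUTER_MAC pub"         # the router reaches inner hosts via us
    done
}

# ipf rules.  "to" sends a matching inbound packet straight out the named
# interface, bypassing the kernel's normal routing, so the filter decision is
# made per inbound interface.  Kept stateless on purpose: with "to", replies
# need their own rule back in the other direction.
ipf_rules() {
    cat <<EOF
block in log all
# inner -> outer: anything the protected hosts originate
pass in quick on $INNER to $OUTER from $NET to any
# outer -> inner: only HTTP to the web host, plus replies to inner-initiated TCP
pass in quick on $OUTER to $INNER proto tcp from any to $WEB/32 port = 80
pass in quick on $OUTER to $INNER proto tcp from any to $NET flags A/A
# DNS answers coming back from the router
pass in quick on $OUTER to $INNER proto udp from $ROUTER/32 port = 53 to $NET
EOF
}

# Apply on the NetBSD box as root.  Only runs when called explicitly.
apply_bridge_firewall() {
    proxy_arp_cmds | sh
    ipf_rules > /etc/ipf.conf
    ipf -Fa -f /etc/ipf.conf
}
```

The ipf.conf(5) grammar and the interfaces on which a published ARP entry is answered vary between releases, so check both against the man pages of the NetBSD version in use before relying on the generated rules.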