Subject: Re: NetBSD as a bridge/firewall
To: Matthias Scheler <tron@zhadum.de>
From: Martin Husemann <martin@duskware.de>
List: current-users
Date: 08/17/2002 11:08:10
On Sun, Aug 11, 2002 at 08:26:26AM +0000, Matthias Scheler wrote:
> NetBSD can't do filtering on a bridge.

While that's true I'm not sure bridge* is the best way to handle this.
IIUC you can use a bijective 1:1 NAT mapping (so it's not really NAT, because
there is no translation) with ipnat/ipf to map the /28 from one interface
to another and apply ipf filtering rules in between. I may have misunderstood
this though, and it makes it hard to run services on the filtering box (which
is a bad idea anyway in this situation).

I'd try to make them drop the "don't want NAT" part and use NAT and ipf RDR
rules to set up a classic firewall/DMZ thing (with a second filter/NAT between
DMZ and internal network).

Martin