Subject: bridged interfaces? (for ipfilter)
To: None <tech-net@netbsd.org>
From: Danny Thomas <D.Thomas@vthrc.uq.edu.au>
List: tech-net
Date: 09/07/1998 21:02:03
I'm thinking of deploying a filtering-bridge. Last time I did this was a
few years ago and used the drawbridge package on a DOS machine. In version
3 it seems (drawbridge.tamu.edu) to have made it to FreeBSD. So that's one
possibility.

While I found the drawbridge filtering language fairly easy to use, my
preference would be ipfilter on NetBSD because
  1) it's bundled
  2) it got people working on it
  3) has been written and tested to handle various forms of
     attacks based on fragments, etc.
  4) the language can be used on other network systems

I asked Darren about whether it could be run in a bridge configuration and
he didn't think so. Is there an easy way to do this or has BSD networking
been focussed more on routing interfaces?

cheers,
Danny Thomas

PS one reason for the bridge approach, which I haven't checked in the docs,
is we'd like AppleTalk to pass through. Another reason is that, at least
for now we won't have a replacement bridge, so if there's a problem, the
people just want to be able to bypass it.

Another reason for going for unix, compared to running a DOS-based
(old-version-of) drawbridge, is it comes with lots of drivers. That's why
I'm asking on netbsd-help about 10base-FL cards...

Another reason for unix is so we can netramet traffic flow monitoring.
Unfortunately I don't think rfc2063 is supported on many commercial
products, certainly not our Bay 350F switch (and a switch is where you
want to monitor flows). So the bridge would go off one of the switched
ports.