Date:      Sun, 11 Feb 2001 01:18:29 +0100
From:      Bernd Luevelsmeyer <bdluevel@heitec.net>
To:        "Raymundo M. Vega" <RaymundoVega@home.com>
Cc:        freebsd-questions@FreeBSD.ORG, Julian Zottl <julianz@vsl.cua.edu>
Subject:   Re: Bridging and routing problem...
Message-ID:  <3A85DA55.10AF0B88@heitec.net>
References:  <200102081626.LAA77762@gateway.vsl.cua.edu> <3A82FEA4.3666D366@home.com>

Raymundo M. Vega wrote:
[...]
> Rather than answer if bridging is better for your
> network, I would like to point out that you will have better
> control in the firewall if you use it as a gateway.

The packets must go through the firewall whether they are bridged or
routed, so the firewall rules apply in both cases. IMHO there's no
difference in the amount of control.


> This is in man bridge:
> 
>      Set to 1 to enable ipfw filtering on bridged packets.  Note that ipfw
>      rules only apply to IP packets.  Non-IP packets are subject to the de-
>      fault ipfw rule (number 65535) which must be an allow rule if we want ARP
>      and other non-IP packets to flow through the bridge.

To let ARP through, there's
  ${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0
(stolen from /usr/src/etc/rc.firewall) to allow this, so a default
'deny' rule is possible with a bridge, unless you have other non-IP
protocols.


> If you use it as a gateway, you can filter TCP/UDP packets as well.

You can certainly filter both TCP and UDP with a bridge.


Greetings,
	Bernd


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
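Putting the pieces of this reply together, here is an added example of a default-deny ipfw ruleset for a FreeBSD bridge. It is not from the original message or from /usr/src/etc/rc.firewall; only rule 300 (the ARP pass, where 2054 is the ARP ethertype 0x0806 as the bridge presents it to ipfw) is taken from the post. The interface sysctls, the inside network 192.168.1.0/24 and the web server 192.168.1.10 are assumptions for illustration. With DRY_RUN=1 (the default) the script only prints the ipfw commands it would run.

```shell
#!/bin/sh
# Added example, not code from the original post or from rc.firewall.
# A bridge filtering with ipfw sees every frame once; IP packets go through
# the ruleset, non-IP frames only hit the default rule 65535. ARP is the one
# non-IP protocol the bridge exposes to ipfw, faked as UDP from 0.0.0.0 port
# 2054 (the ARP ethertype), so rule 300 lets it through while everything
# else is denied.

# DRY_RUN=1 prints the commands instead of executing ipfw (assumed knob).
: "${DRY_RUN:=1}"
fwcmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

# Assumed addresses for the example.
inside_net="192.168.1.0/24"
web_server="192.168.1.10"

bridge_ruleset() {
    # Turn on bridging and ipfw inspection of bridged frames (bridge(4) sysctls).
    [ "$DRY_RUN" = 1 ] || sysctl net.link.ether.bridge=1 net.link.ether.bridge_ipfw=1

    fwcmd -f flush
    # ARP: presented to ipfw on a bridge as UDP from 0.0.0.0 port 2054.
    fwcmd add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0
    # Replies to connections that are already open.
    fwcmd add 1000 pass tcp from any to any established
    # Inside hosts may open TCP connections outward and query DNS.
    fwcmd add 1100 pass tcp from "$inside_net" to any setup
    fwcmd add 1200 pass udp from "$inside_net" to any 53
    fwcmd add 1300 pass udp from any 53 to "$inside_net"
    # From outside, only the web server is reachable.
    fwcmd add 1400 pass tcp from any to "$web_server" 80 setup
    # Everything else is dropped. Non-IP frames other than ARP never match
    # this rule; they fall through to rule 65535, which must be a deny
    # (the kernel default unless built with IPFIREWALL_DEFAULT_TO_ACCEPT).
    fwcmd add 65000 deny ip from any to any
}

bridge_ruleset
```

The ordering matters: rule 300 must come before the deny, and because ipfw only looks at the ARP frame once at the bridge, a single rule covers both directions. If the bridge must also carry other non-IP protocols (IPX, AppleTalk), the default rule has to be an allow instead, which is the caveat the man page quotes.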
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A85DA55.10AF0B88>