Re: 3 nics - 1 bridge - 2 ips - bad?

From: Joseph Gleason (freebsd@fireduck.com)
Date: 06/27/01


From: "Joseph Gleason" <freebsd@fireduck.com>
To: <anderson@centtech.com>, <freebsd-security@FreeBSD.ORG>
Date: Wed, 27 Jun 2001 13:12:10 -0400

I think you might have a problem with the bridging.

I'm not sure if you can bridge xl0 and xl1 without including xl2. I could
be wrong.
And you might be able to pull something off with IPFW rules to exclude xl2
from the bridging, but I wouldn't trust it.

What you want certainly looks like two separate and possibly incompatible
tasks. My advice would be to have two machines do this if at all possible:
machine one being your ethernet bridge, machine two being the gateway to
your protected network.

----- Original Message -----
From: "Eric Anderson" <anderson@centtech.com>
To: <freebsd-security@FreeBSD.ORG>
Sent: Wednesday, June 27, 2001 12:46
Subject: 3 nics - 1 bridge - 2 ips - bad?

> Let's say I have 3 NICs in a machine running FreeBSD 4.2.
> Is it possible to have this sort of configuration:
> xl0 - 200.200.200.200 - [interface 1 of bridge0]
> xl1 - NO IP - [interface 2 of bridge0]
> xl2 - 192.168.10.10 - not part of any bridge
>
> the 200.200.200.200 number is of course made up, but signifies an
> interface on the unprotected net. The 192.168.10.10 interface is also
> made up, showing an interface on the protected internal net. Now, the
> xl1 interface is bridged to xl0, creating a port for passing thru to the
> unprotected net that xl0 is on. Are there any inherent security flaws in
> this configuration (besides the possibility of a computer plugging into the
> xl1 port and not being behind a firewall), assuming it works at all?
>
> Thanks in advance..
>
> Eric
>
>
>
> --
> -------------------------------------------------------------------------------
> Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
> For every complex problem, there is a solution that is simple, neat, and
> wrong.
> -------------------------------------------------------------------------------
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
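To make the setup debated in this thread concrete, here is an added example (written for this archive page, not code from either poster). It models the FreeBSD 4.x kernel bridge as configured through the sysctls net.link.ether.bridge, net.link.ether.bridge_ipfw and net.link.ether.bridge_cfg, where bridge_cfg is a comma-separated list of "ifname:cluster" items and interfaces in the same cluster are bridged together; that syntax, the default cluster 0, and the claim that an empty bridge_cfg bridges every Ethernet interface are assumptions to check against bridge(4) on your own system. The audit function is hypothetical: it checks the property Eric is after (only xl0 and xl1 bridged, xl2 outside the bridge, ipfw still seeing bridged frames) and reports what breaks it.

```python
# Added example: policy check for the three-NIC bridge layout from the thread.
# Not code from the thread's authors. The sysctl names and the
# "ifname:cluster" bridge_cfg syntax are assumed from FreeBSD 4.x bridge(4).

# Constructed sample: the three interfaces from the original post.
INTERFACES = {
    "xl0": {"ip": "200.200.200.200", "zone": "unprotected"},
    "xl1": {"ip": None, "zone": "unprotected"},
    "xl2": {"ip": "192.168.10.10", "zone": "protected"},
}


def parse_bridge_cfg(cfg):
    """Turn 'xl0:0,xl1:0,xl2:1' into {cluster_id: {ifnames}}.

    An item without ':cluster' is placed in cluster 0 (assumption).
    """
    clusters = {}
    for item in cfg.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, cluster = item.partition(":")
        cluster_id = int(cluster) if cluster else 0
        clusters.setdefault(cluster_id, set()).add(name)
    return clusters


def audit(sysctls, interfaces):
    """Return a list of findings; an empty list means the policy holds.

    Policy (from the thread): only unprotected interfaces may be bridged,
    the protected interface stays outside every bridge cluster, and
    bridged frames must still pass through ipfw.
    """
    findings = []
    if sysctls.get("net.link.ether.bridge") != 1:
        return ["bridging is off (net.link.ether.bridge != 1): xl0/xl1 "
                "will not pass traffic"]

    known = set(interfaces)
    clusters = parse_bridge_cfg(sysctls.get("net.link.ether.bridge_cfg", ""))
    if not clusters:
        # Assumption: with no explicit membership the 4.x bridge code puts
        # every Ethernet interface into one cluster, which would include xl2.
        findings.append("bridge_cfg is empty: membership is implicit, so the "
                        "protected interface would be bridged too")

    for cluster_id, members in sorted(clusters.items()):
        unknown = sorted(members - known)
        if unknown:
            findings.append("cluster %d names unknown interface(s): %s"
                            % (cluster_id, ", ".join(unknown)))
        protected = sorted(m for m in members & known
                           if interfaces[m]["zone"] == "protected")
        if protected:
            findings.append("cluster %d puts protected interface(s) %s on "
                            "the bridge" % (cluster_id, ", ".join(protected)))

    if sysctls.get("net.link.ether.bridge_ipfw") != 1:
        findings.append("net.link.ether.bridge_ipfw != 1: bridged frames "
                        "bypass ipfw, so no rule can restrict xl0<->xl1")
    return findings


if __name__ == "__main__":
    # The layout Eric asked about, with xl2 left out of bridge_cfg.
    proposed = {
        "net.link.ether.bridge": 1,
        "net.link.ether.bridge_ipfw": 1,
        "net.link.ether.bridge_cfg": "xl0:0,xl1:0",
    }
    for line in audit(proposed, INTERFACES) or ["policy holds"]:
        print(line)
```

The check only covers what the kernel bridge itself does with frames; it says nothing about the host being reachable on 200.200.200.200 from the unprotected segment, which is the separate risk Joseph's two-machine suggestion addresses.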