Re: 3 nics - 1 bridge - 2 ips - bad?

From: Joseph Gleason (clash@fireduck.com)
Date: 06/27/01


From: "Joseph Gleason" <clash@fireduck.com>
To: <anderson@centtech.com>, "Joseph Gleason" <freebsd@fireduck.com>
Date: Wed, 27 Jun 2001 13:31:26 -0400

I was wrong! Don't listen to my lies!

I am told that bridging can indeed be enabled and disabled per port via some
sysctl call.

With bridge compiled into the kernel:

sysctl -A | grep bridge should give you the appropriate parameter to play
with.

----- Original Message -----
From: "Eric Anderson" <anderson@centtech.com>
To: "Joseph Gleason" <freebsd@fireduck.com>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Wednesday, June 27, 2001 13:28
Subject: Re: 3 nics - 1 bridge - 2 ips - bad?

> Thanks for the response.. I think you're correct here, I don't see
> any way to only enable 2 out of 3 interfaces for bridging. Darn. Oh
> well, thanks!
>
>
>
> Joseph Gleason wrote:
> >
> > I think you might have a problem with the bridging.
> >
> > I'm not sure if you can bridge xl0 and xl1 without including xl2. I could
> > be wrong.
> > And you might be able to pull something off with IPFW rules to exclude xl2
> > from the bridging, but I wouldn't trust it.
> >
> > What you want certainly looks like two separate and possibly incompatible
> > tasks. My advice would be to have two machines do this if at all possible.
> > Machine one being your ethernet bridge. Machine two being the gateway to
> > your protected network.
> >
> > ----- Original Message -----
> > From: "Eric Anderson" <anderson@centtech.com>
> > To: <freebsd-security@FreeBSD.ORG>
> > Sent: Wednesday, June 27, 2001 12:46
> > Subject: 3 nics - 1 bridge - 2 ips - bad?
> >
> > > Let's say I have 3 NICs in a machine running FreeBSD 4.2.
> > > Is it possible to have this sort of configuration:
> > > xl0 - 200.200.200.200 - [interface 1 of bridge0]
> > > xl1 - NO IP - [interface 2 of bridge0]
> > > xl2 - 192.168.10.10 - not part of any bridge
> > >
> > > The 200.200.200.200 number is of course made up, but signifies an
> > > interface on the unprotected net. The 192.168.10.10 interface is also
> > > made up, showing an interface on the protected internal net. Now, the
> > > xl1 interface is bridged to xl0, creating a port for passing through to the
> > > unprotected net that xl0 is on. Are there any inherent security flaws in
> > > this configuration (besides having a possible computer plug into the xl1
> > > port and not being behind a firewall), assuming it works at all?
> > >
> > > Thanks in advance..
> > >
> > > Eric
> > >
>
> --
> ------------------------------------------------------------------------------
> Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
> For every complex problem, there is a solution that is simple, neat, and
> wrong.
> ------------------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
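The per-port bridging that Joseph refers to, as an added worked example that is not part of the thread and not code from any of its participants. On FreeBSD 4.x the bridge(4) code is steered by sysctls: net.link.ether.bridge enables it, net.link.ether.bridge_cfg lists the member interfaces as name:cluster pairs (interfaces not listed are left alone), and net.link.ether.bridge_ipfw makes ipfw see bridged frames. Those three names are taken from my recollection of the 4.x bridge(4) manual page and should be checked with `sysctl -A | grep bridge` on the actual box, as Joseph suggests; current FreeBSD releases replaced this with if_bridge(4) and `ifconfig bridge0 create addm xl0 addm xl1`. The helper names bridge_cfg_for, is_bridged and apply_bridge_cfg are my own, and the xl0/xl1/xl2 layout is the constructed scenario from Eric's question.

```shell
#!/bin/sh
# Added example, not from the thread.  Builds the FreeBSD 4.x bridge(4)
# cluster string so that only the named interfaces are bridged, and checks a
# cfg string for membership of a given interface.
# Assumption: sysctl names net.link.ether.bridge, net.link.ether.bridge_cfg
# and net.link.ether.bridge_ipfw as documented in bridge(4) on FreeBSD 4.x.

# bridge_cfg_for CLUSTER IF...  ->  "if1:CLUSTER,if2:CLUSTER"
# Interfaces not passed here stay out of the bridge (the thread's xl2 case).
bridge_cfg_for() {
    cluster="$1"; shift
    out=""
    for ifn in "$@"; do
        if [ -z "$out" ]; then
            out="${ifn}:${cluster}"
        else
            out="${out},${ifn}:${cluster}"
        fi
    done
    printf '%s\n' "$out"
}

# is_bridged IF CFG  ->  exit 0 if IF appears as a member in CFG, else 1.
# Useful as a post-change check against `sysctl -n net.link.ether.bridge_cfg`.
is_bridged() {
    ifn="$1"; cfg="$2"
    oldifs="$IFS"; IFS=','
    rc=1
    for entry in $cfg; do          # each entry is name:cluster
        case "$entry" in
            "${ifn}:"*) rc=0 ;;
        esac
    done
    IFS="$oldifs"
    return $rc
}

# apply_bridge_cfg CFG: enable bridging only between the clustered ports and
# route bridged frames through ipfw, so the xl1 port is not an unfiltered hole.
# Only acts on a FreeBSD host (assumed to have the bridge code compiled in).
apply_bridge_cfg() {
    cfg="$1"
    if [ "$(uname -s 2>/dev/null)" != "FreeBSD" ]; then
        echo "not FreeBSD, not touching sysctls" >&2
        return 2
    fi
    sysctl net.link.ether.bridge_cfg="$cfg" || return 1
    # Without bridge_ipfw=1 the bridge forwards frames regardless of ipfw rules.
    sysctl net.link.ether.bridge_ipfw=1 || return 1
    sysctl net.link.ether.bridge=1
}

# Constructed scenario from the thread: xl0 and xl1 bridged, xl2 left out.
CFG=$(bridge_cfg_for 0 xl0 xl1)
echo "bridge_cfg would be: $CFG"
for ifn in xl0 xl1 xl2; do
    if is_bridged "$ifn" "$CFG"; then
        echo "$ifn: bridged"
    else
        echo "$ifn: not bridged"
    fi
done
# apply_bridge_cfg "$CFG"   # uncomment on the FreeBSD 4.x box itself
```

Note that excluding xl2 from the cluster only keeps it off the layer-2 bridge; xl0 still carries an address on the unprotected side, so the host's own IP stack and the IP forwarding path between xl0 and xl2 still need their own ipfw rules.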