Re: 3 nics - 1 bridge - 2 ips - bad?

From: Joseph Gleason (clash@fireduck.com)
Date: 06/27/01


From: "Joseph Gleason" <clash@fireduck.com>
To: <anderson@centtech.com>, "Joseph Gleason" <freebsd@fireduck.com>
Date: Wed, 27 Jun 2001 13:31:26 -0400

I was wrong! Don't listen to my lies!

I am told that bridging can indeed be enabled and disabled per port via some
sysctl call.

With bridge compiled into the kernel:

sysctl -A |grep bridge should give you the approriate parameter to play
with.

----- Original Message -----
From: "Eric Anderson" <anderson@centtech.com>
To: "Joseph Gleason" <freebsd@fireduck.com>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Wednesday, June 27, 2001 13:28
Subject: Re: 3 nics - 1 bridge - 2 ips - bad?

> Thanks for the response.. I think you're correct here, I don't see
> anyway to only enable 2 out of 3 interfaces for bridging. Darn. Oh
> well, thanks!
>
>
>
> Joseph Gleason wrote:
> >
> > I think you might have a problem with the bridging.
> >
> > I'm not sure if you can bridge xl0 and xl1 without including xl2. I
could
> > be wrong
> > And you might be able to pull something off with IPFW rules to exclude
xl2
> > from the bridging, but I wouldn't trust it.
> >
> > What you want certainly looks like two separate and possibly
incompatible
> > tasks. My advise would be have two machines do this if at all possible.
> > Machine one being your ethernet bridge. Machine two being the gateway
to
> > your protected network.
> >
> > ----- Original Message -----
> > From: "Eric Anderson" <anderson@centtech.com>
> > To: <freebsd-security@FreeBSD.ORG>
> > Sent: Wednesday, June 27, 2001 12:46
> > Subject: 3 nics - 1 bridge - 2 ips - bad?
> >
> > > Lets say I have 3 NIC's in a machine running FreeBSD 4.2.
> > > Is it possible to have this sort of configuration:
> > > xl0 - 200.200.200.200 - [interface 1 of bridge0]
> > > xl1 - NO IP - [interface 2 of bridge0]
> > > xl2 - 192.168.10.10 - not part of any bridge
> > >
> > > the 200.200.200.200 number is of course made up, but signifies an
> > > interface on the unprotected net. The 192.168.10.10 interface is also
> > > made up, showing an interface on the protected internal net. Now, the
> > > xl1 interface is bridged to xl0, creating a port for passing thru to
the
> > > unprotected net that xl0 is on. Is there any inherent security flaws
in
> > > this configuration (besides having a possible computer plug into the
xl1
> > > port and not being behind a firewall), assuming it works at all?
> > >
> > > Thanks in advance..
> > >
> > > Eric
> > >
> > >
> > >
> > > --
> >
> --------------------------------------------------------------------------
> > -----
> > > Eric Anderson anderson@centtech.com Centaur Technology (512)
> > > 418-5792
> > > For every complex problem, there is a solution that is simple, neat,
and
> > > wrong.
> >
> --------------------------------------------------------------------------
> > -----
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> > >
>
> --
> --------------------------------------------------------------------------
-----
> Eric Anderson anderson@centtech.com Centaur Technology (512)
> 418-5792
> For every complex problem, there is a solution that is simple, neat, and
> wrong.
> --------------------------------------------------------------------------
-----
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message