Paul Vixie: > If we move all member ifaddrs to the bridge itself, then will arp > requests always have to be broadcast on all member interfaces? If so > this is intolerable from a security perspective, a complete > nonstarter.
i believe Patrick Hausen already answered your original question, but to
add to that: if you are intending to restrict bridge traffic based on
member port and/or MAC address, you can do this by enabling one or more
of the bridge pfil_* sysctls, and possibly also ipfw_arp which sounds
like it might be relevant to your use-case.
if you only want to force a specific MAC address to a specific member
port, you can do this without pfil by defining static host entries via:
% ifconfig bridge0 static <interface> <address>
relying on the kernel to have a specific behaviour for ARP packets sent
or received on a specific member interface (rather than the bridge
itself) is not the right way to do this since if_bridge(4) has never
guaranteed that this will work in any particular way. this *will* end
up biting you one day even if you enable the member_ifaddrs sysctl for
now.
if your use-case is not covered by any of these sysctls, i would be
interested to know more about it so we can support it in bridge.
that said, speaking generally, i think that for this sort of complex,
security-sensitive network topology, routed access is a better solution
than layer 2 access.
signature.asc
Description: PGP signature
