--On 21 May 2005 11:39 +0200, Antoine Jacoutot wrote:
But now, yes, the setup you describe could be what I was referring to. So basically, what are the pros/cons of separating a LAN from a DMZ (I say DMZ because some of the servers should be available from outside using port forwarding on the firewall) using a filtering bridge instead of regular routing/filtering?
There isn't too much point in using a bridge for this - there's no need for it, it's more complicated, makes ftp more difficult, makes it difficult to provide redundancy of the firewall if you decide you want it, makes problem diagnosis more difficult, and by plugging a machine into the wrong half of the network, you could accidentally expose a private service. These aren't really a problem with a more standard routed/NAT setup.
There are some scenarios where filtering bridges are particularly useful. For example, you might have a small block of routed internet addresses that you don't want to (or can't) split into smaller subnets because you'd lose too many usable addresses. You might not have control over other machines/routers on the network and still want to include a PF firewall. But as I understand it, this doesn't apply to the setup you are asking about.
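For reference, here is what the "more standard routed/NAT setup" recommended above looks like as a pf.conf. This is an added example, not part of the original thread or of any OpenBSD-supplied configuration; the interface names (em0/em1/em2), the RFC 1918 address ranges and the web server address are assumed placeholders, and the rule syntax is the current OpenBSD PF form (match/nat-to/rdr-to), which differs from the nat/rdr syntax in use when this message was written.

```pf
# Three-legged firewall: Internet on em0, LAN on em1, DMZ on em2.
# Interface names and addresses are assumptions for this example.
ext_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
web_srv = "192.168.2.10"

set skip on lo

# Default deny; filtering is enforced on the inbound side of each interface,
# so a single "pass out" covers the outgoing leg of every forwarded packet.
block all
pass out all

# Hide both internal networks behind the firewall's external address.
match out on $ext_if from { $lan_net, $dmz_net } nat-to ($ext_if)

# Port forwarding: inbound HTTP on the external address goes to the DMZ
# web server. Only this one service is reachable from outside.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web_srv port 80

# DMZ hosts may reach the Internet but never initiate connections to the LAN,
# so a compromised DMZ server cannot pivot to private services.
pass in on $dmz_if from $dmz_net to ! $lan_net

# LAN hosts may reach the DMZ and the Internet.
pass in on $lan_if from $lan_net
```

Because the DMZ is its own routed subnet, a host plugged into the wrong switch port simply has the wrong address and does not silently land on the LAN side, which is the accidental-exposure problem the reply raises for bridges. FTP through the NAT is handled by ftp-proxy(8) with its anchor in pf.conf rather than by extra filtering rules.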