I don't fully understand your email, because some of your sentences aren't really grammatically correct, and some of them don't seem to me to be "technologically correct" (i.e. the technology questions in them don't seem to make sense to me). From reading this thread, I suspect others are having similar problems. Let me look at what you wrote:

On 10/10/2007, Cidric THIBAULT <[EMAIL PROTECTED]> wrote:
> Hello everybody,
>
> I work on BSD 4.1, with i386 hardware.
>
> I'm searching a way to enable a transparent firewall (without IP address),
> probably in bridge mode..., with a capability of NAT.

Let me stop you there. Normally, you would EITHER use your OpenBSD box to do NAT, OR you would set your OpenBSD box up as a bridge.

Let's take a step back and instead of talking about things in the abstract, let's make plain what you're trying to do:

- Do you have a network w/ multiple hosts on the same physical network segment?
- Do these hosts have private or public IP addresses?
- Are these hosts' IP addresses in the same (logical) subnet? I.e. are they using the same network address and subnet mask, e.g. xxx.yyy.zzz.0/24?
- You've mentioned bridging. Which hosts do you want to separate with a bridge? Are these hosts on the same logical subnet (and possibly already on the same physical network segment)? If they aren't, then how is what you're trying to do bridging?
- You've mentioned NATing. Normally this involves translating between two DIFFERENT logical networks. What do you mean by "enable a transparent firewall (...) in bridge mode..., with a capability of NAT"? Do you want to set up a bridge NOW and only possibly separate your network LATER, and then change your OpenBSD bridge to an OpenBSD NAT router?

> I know the interest is
> not evident to NAT some computers on the same IP LAN, but it's for a client,
> so....!

Hm. Forgive my skepticism, but has the client asked you to put in a bridge that does NAT? Do you understand what they want? Do they?

> It seems that PF doesn't have this capability. Perhaps it could be possible
> with another package?

OpenBSD/PF can do NAT while filtering the NATted traffic. OpenBSD/PF can also be used to set up a transparent bridge that is invisible to users, yet filters traffic. This can be done "out of the box"; no extra packages are required.

I have personally in the past set up such an OpenBSD bridge. In my case, this was a physical network segment with multiple hosts, only some of which were under my control. The foreign hosts and my own hosts were also on the same (logical) subnet. I needed to protect one of the hosts from the others (especially the ones I didn't control). That sensitive host was a Windows Server 2003 box (which by default comes w/o a firewall, and the Windows Firewall, while available in a service pack, cannot be enabled on Domain Controllers without serious hacking; really; it boggles the mind). So I connected stuff thus:

  W2K3 Srv <---> OpenBSD bridge <---> rest of network, incl. Internet gateway

I set up the bridge and configured pf.conf so that those boxes that needed to talk to the server could do so. It was NOT a totally bulletproof solution, but it was the best I could come up with, given the constraints I was operating within.

Maybe you could describe your network like I did above. I think that would help me and possibly others to understand you better. Please be specific.

Thanks and regards,
--ropers
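The filtering-bridge setup ropers describes above, written out as an added example (this is not configuration from the original mail, and not ropers' own pf.conf): an OpenBSD 4.1-era /etc/pf.conf for a two-port bridge with no IP address of its own that lets only a couple of admin hosts open connections to one server sitting on the same shared subnet. The interface names (fxp0, fxp1), the 192.0.2.0/24 addresses and the port list are constructed for illustration; "keep state" is written out explicitly, as was usual then, and newer pf still accepts it.

```pf
# Added example, not configuration from the original mail: /etc/pf.conf for
# an OpenBSD bridge shielding one server on a shared subnet. Interface
# names, addresses and ports below are constructed for illustration.

srv_if  = "fxp0"                         # bridge member facing the protected server
net_if  = "fxp1"                         # bridge member facing the rest of the LAN
server  = "192.0.2.5"                    # the sensitive host behind the bridge
admins  = "{ 192.0.2.10, 192.0.2.11 }"   # hosts allowed to talk to it
srv_tcp = "{ 445, 3389 }"                # SMB and RDP, as an example service list

# The bridge itself carries no IP address, but pf still sees every IP
# packet on each member interface. Skip the server-facing member so each
# packet is evaluated exactly once, on $net_if.
set skip on $srv_if

# Default deny in both directions on the LAN-facing member.
block in log on $net_if all
block out log on $net_if all

# The server may open connections outward (updates, DNS, the Internet
# gateway); the state entry lets the replies back in.
pass out on $net_if from $server keep state

# Only the admin hosts may open TCP sessions to the listed ports, and
# only a SYN may create state.
pass in on $net_if proto tcp from $admins to $server port $srv_tcp \
    flags S/SA keep state

# Let the admins ping the server; the state covers the echo reply.
pass in on $net_if proto icmp from $admins to $server \
    icmp-type echoreq keep state
```

To build the bridge on a release of that vintage, the member interfaces are brought up without addresses (/etc/hostname.fxp0 and /etc/hostname.fxp1 each containing just `up`) and joined in /etc/hostname.bridge0 (`add fxp0 add fxp1 up`); brconfig(8) does the same at run time, and `pfctl -f /etc/pf.conf` loads the rules. Two caveats a practitioner would check: pf filters IP only, so ARP and other non-IP frames cross the bridge untouched, and `set skip on $srv_if` means nothing is evaluated on the server-facing member, so all policy has to live on the rules for $net_if. Because pf states are floating by default, a session admitted inbound on fxp1 has its replies matched when they leave on fxp1, which is what makes the single-interface ruleset work.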