Sorry for the confusion. I understand that bridging is possible under OpenBSD but it's also my understanding that if I have interfaces A, B, and C, I can bridge A to either B or C, but not both. Is this correct?
Referring to this topology: http://upload.wikimedia.org/wikipedia/commons/6/6f/DMZ_network_diagram_1_firewall.svg

I would like to use this setup but with bridging on the firewall if at all possible. Am I able to keep my firewall acting as the choke point between all three segments (DMZ, LAN, EXT) while using bridges for transparency?

Hope this makes a little more sense.

On Fri, Apr 24, 2009 at 8:49 AM, Felipe Alfaro Solana <felipe.alf...@gmail.com> wrote:
> On Fri, Apr 24, 2009 at 12:12 PM, openbsder <openbs...@gmail.com> wrote:
>
> > I am currently interested in setting up a three-legged network topology, using OBSD+PF as the firewall appliance. Originally, I was going to simply have the firewall equipped with three network cards: one for DMZ, one for LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was for a switch to be used on both DMZ and LAN, providing NAT on both segments. Pretty straightforward.
> >
> > Recently, it has been suggested that a transparent firewall implementation is ideal where possible. But as far as I understand, transparency is only available when the firewall acts as a bridge between TWO networks. How would I keep my DMZ and LAN both while using a bridging firewall? Is it even possible?
>
> What do you mean? Whether OpenBSD supports bridging? Whether PF supports L2-based filtering? Whether you can have two interfaces in a bridge and have, at the same time, L2-based filtering and L3-based filtering?
>
> By L2-based filtering I mean having the firewall inspect frames/packets from interfaces that are bridged together that do not have an IP address configured (i.e. L2-switching).
>
> --
> http://www.felipe-alfaro.org/blog/disclaimer/
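As an added illustration, not part of the thread (none of the posters supplied configuration), the following shows what the setup being asked about looks like on OpenBSD of that era: a bridge(4) with three member interfaces, and PF rules applied on each member port. bridge(4) accepts more than two members, so one bridge can join EXT, LAN and DMZ. The interface names em0/em1/em2, the 203.0.113.0/24 subnet and the host addresses are assumptions chosen for the example; the hostname.bridge0 file uses the brconfig(8) keyword syntax that hostname.if(5) took at the time (one keyword per line). Note what a transparent bridge implies for the original plan: all three segments share one broadcast domain and the single IP subnet routed over the EXT link, so the NAT mentioned in the first post does not happen, and the separation between LAN and DMZ comes entirely from the per-port PF rules.

```conf
# /etc/hostname.em0  (EXT, towards the upstream router)  -- assumed interface name
up
# /etc/hostname.em1  (LAN)
up
# /etc/hostname.em2  (DMZ)
up

# /etc/hostname.bridge0 -- brconfig(8) keywords; three members, no address needed
add em0
add em1
add em2
up

# /etc/pf.conf -- PF filters on the member ports, not on bridge0 itself.
# A forwarded packet is seen twice: "in" on the ingress port, "out" on the egress port.
ext_if = "em0"
lan_if = "em1"
dmz_if = "em2"

# Constructed addresses: the whole bridge sits inside the router's 203.0.113.0/24.
dmz_www = "203.0.113.10"
lan_net = "203.0.113.128/25"

set skip on lo0
block log all

# LAN may initiate anything. States are floating (the default), so the reply
# arriving "in" on a different member port matches the state created here.
pass in on $lan_if inet from $lan_net

# From outside, only the published DMZ services are reachable.
pass in on $ext_if inet proto tcp to $dmz_www port { 80 443 }

# A compromised DMZ host may reach the Internet but never the LAN.
pass in on $dmz_if inet from $dmz_www to ! $lan_net

# Policy is enforced on ingress; egress on the second port is left open.
pass out all
```

Two caveats a practitioner should keep in mind with this layout. PF only inspects IP packets, so ARP and other non-IP frames are bridged untouched unless a port is marked with brconfig's `blocknonip` option; and because no member interface carries an address, the box can only be administered from the console or from a separate management NIC that is not part of the bridge. Check the rule set with `pfctl -nf /etc/pf.conf` before loading it, and `brconfig bridge0` shows the member list once the bridge is up.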