On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer <lists-open...@bsws.de>wrote:
> * openbsder <openbs...@gmail.com> [2009-04-24 12:19]:
> > Recently, it has been suggested that a transparent firewall implementation
> > is ideal where possible. But as far as I understand, transparency is only
> > available when the firewall acts as a bridge between TWO networks. How would
> > I keep my DMZ and LAN both while using a bridging firewall. Is it even
> > possible?
>
> yes. lots of idiots do it.

Really? What's wrong with transparent bridging? What's wrong with a
transparent, in-line IDS? What's wrong with a software tap? All of these
technologies use some sort of transparent bridging and are not being used
exclusively by idiots, but also by smart people [1] [2]

[1] http://eatingsecurity.blogspot.com/2007/09/transparent-bridging-mmap-pcap-and.html
[2] http://www.shiftedbit.net/IDS.txt
[3] http://www.securityfocus.com/infocus/1737

> bridging is stupid. don't. there are cases where you can't avoid it,
> but deliberately? about as clever as knowingly drinking methanol.

Bridging, in the broad sense, is not stupid. Your switch is doing that.
Bridging, in the sense of firewalls, is also not stupid. There are
reasons why you want to use a transparent bridging-mode firewall.

> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

--
http://www.felipe-alfaro.org/blog/disclaimer/
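The original question (one uplink, a LAN and a DMZ behind a transparent firewall) is answered with "yes" but no configuration is shown. The fragment below is an added example written for this page, not posted by either participant, of how that is done on OpenBSD with a three-port bridge(4) and pf(4) filtering on the member interfaces. Interface names (em0/em1/em2) and the 192.0.2.0/24 addressing are assumptions for illustration; the addresses belong to the upstream router and the hosts, since the bridge itself carries no IP address.

```conf
# /etc/hostname.em0   -- uplink toward the router (no address on the firewall)
up

# /etc/hostname.em1   -- LAN port
up

# /etc/hostname.em2   -- DMZ port
up

# /etc/hostname.bridge0 -- the transparent firewall: three members, no IP
add em0
add em1
add em2
up

# /etc/pf.conf -- rules attach to the member interfaces, not to bridge0.
# Names below are assumed for the example.
wan     = "em0"
lan     = "em1"
dmz     = "em2"
lan_net = "192.0.2.0/25"        # assumed LAN subnet
dmz_net = "192.0.2.128/25"      # assumed DMZ subnet
dmz_web = "192.0.2.130"         # assumed public web server in the DMZ

set skip on lo0
block log all

# LAN may initiate anywhere (Internet or DMZ); floating state lets the
# same packet out the other bridge port and lets replies back in.
pass in on $lan from $lan_net to any keep state

# Outside may reach only the published DMZ services.
pass in on $wan proto tcp from any to $dmz_web port { 80 443 } keep state

# DMZ may talk to the Internet, but may never initiate into the LAN.
pass in on $dmz from $dmz_net to ! $lan_net keep state
```

Every frame between any two ports crosses the bridge and is seen by pf twice (in on one member, out on another), so a single `pass in ... keep state` on the entering port is enough with the default floating state policy. Two caveats a practitioner should keep in mind: pf filters IP only, so ARP and other non-IP frames are bridged unfiltered between LAN and DMZ, and because all three ports form one layer-2 domain the separation between DMZ and LAN exists only in these rules. If layer-2 isolation matters, the DMZ needs its own subnet behind a routing hop rather than a bridge port.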