On Mon, Apr 27, 2009 at 5:10 AM, Daniel Ouellet <dan...@presscom.net> wrote:
> patrick keshishian wrote:
>> On Sun, Apr 26, 2009 at 4:10 PM, bofh <goodb...@gmail.com> wrote:
>>> It's called going off on a related tangent - whenever I hear people
>>> talking about using something because someone has published a paper
>>> and here's all these smart people using it (transparent bridging, etc,
>>> or in my case natting externally accessible/routable hosts), it pisses
>>> me off.
>>>
>>> People use it because they have a need to do something. When you're
>>> told there's a better way to do things, pay attention, instead of
>>> telling the experts here (and I'm talking about the openbsd developers
>>> in this thread - not me, I'm in management now, no brain cells left)
>>> they're wrong because you have all these great URLs - if you want to
>>> listen to those people, then you should be using the OS they use too.
>>
>> so you prefer to take someone's word blindly without any backing
>> evidence or facts, so long as you believe they are a credible source?
>
> Well, let's say that if they spend years developing the system, including PF
> and the capability of bridge, and the same people tell me that it's bad to
> do so. Well, HELL yes I would listen to them. They are better minds than me
> and they have the code to back it up as well as their saying too.
>
> So, to that answer yes. They are a credible source, they designed it for
> crying wolf.
>
>> Maybe management is a good place for you, but I'd hate to be a
>> shareholder in a company people like you may have any sort of
>> influential role in steering its goals and/or direction.
>
> Not relevant at all. But even if that was, contrary to the majority of
> managers that only listen to marketing vapor ware, as opposed to digging it up
> themselves, this might, may be very good to listen to the source of reason,
> and not to say as well the origin of the product as opposed to marketing people,
> then yes. I would. Most managers wouldn't even understand it anyway and there
> are exceptions, but by all means not the norm, so your analogy is pointless
> and off topic.
>
>> "Perhaps as one of the older generation, I should preach a
>> little sermon to you, but I do not propose to do so. I shall,
>> instead, give you a word of advice about how to behave
>> toward your elders. When an old and distinguished person
>> speaks to you, listen to him carefully and with respect -- but
>> do not believe him. Never put your trust in anything but your
>> own intellect. Your elder, no matter whether he has gray hair
>> or lost his hair, no matter whether he is a Nobel Laureate,
>> may be wrong... So you must always be skeptical -- always
>> think for yourself."
>
> I am so glad for you that you were born with the knowledge you need already
> and do not need to listen to anyone that might speak from years of
> experience. I envy you, really I do! I can't claim that gift from birth
> itself.
>
> Some might become senile at old age, yes, by the simple fact of getting
> older. Still the natural path of life as we know it. May you be blessed as to
> never suffer that sad outcome.
>
> But, many are still very sound and a few of them, as opposed to the "young
> padawan" with the hope to maybe become Jedi one day, don't need to prove
> anything to anyone anymore, and actually provide valuable information from
> experience without asking anything in return and without alternate
> motivations other than helping whoever is willing to listen. Many are not
> withholding knowledge in the hopes of getting ahead and screwing you over in
> the process to get an edge over you. Yes, it's rare, but there are still many
> people like that. I guess it comes with self confidence and actual real
> knowledge. I actually welcome their input. But do as you wish, no one is
> stopping you really. (;>
>
> As for why not to do bridge setup. Maybe something as simple as for one
> example that comes to mind. Your bridge needs to work in promiscuous mode
> and will see, receive and process all kind of crap that it wouldn't need to
> do otherwise.

For a two-interface router/firewall, most of the traffic that reaches it
will probably have to traverse it anyways, so I don't see how a
two-interface bridge or a two-interface router will have different
workloads. But, fortunately, someone on this thread pointed out good
technical arguments on why bridging in OpenBSD is perhaps not a good idea.
But, to me, it doesn't mean that bridging firewalls are a bad idea on other
platforms.

> More resources will be used on the bridge that could be better used else
> where. Should I also add that a misconfiguration of a bridge can stay
> undetected for years, as opposed to a misconfiguration of a decent firewall
> not in bridge mode, which would become more obvious sooner in most cases anyway.
> Call that security by default setup if you like. (;>
>
> Don't forget that the simple action to put a box in bridge mode has the
> effect to pass all traffic across it. You may think your bridge is working
> as the traffic is passing, but in reality, maybe someone affected it
> adversely and you can't see it.
>
> Bridges were useful to split LANs, years ago when switches weren't
> available then, or just too expensive to buy then.
>
> Now, it's not the case anymore.
>
> If you really want to use a bridge, by all means do it.
>
> One more example where you could temporarily use a bridge that may help you
> and make your life easier in the transition that I could think of is for
> example when you need to protect a complete LAN that has lots of servers,
> computers, etc behind it and that are all set up with static IPs and that
> you are in the process of replacing, working to a different ISP, or changing
> the LAN setup. In that case putting a bridge there in the direct path and
> using one free IP you have available to you from the range you have assigned
> to you makes the process easier and faster and then you can make the changes
> you need one at a time, etc. But even that, you don't need an IP for it if
> you want to work on the console of the bridge at all times.
>
> So, the transition from one setup to another is much easier and nothing
> stops working as you do the setup, as long as you don't create your own
> problem, but after your setup is cleaned up, why would you want to keep
> using it really?
>
> The bright people that did the code said it wasn't good to do so. The
> normal operation of such a setup needs more resources from the same box to
> do the same things, showing in practice that it's not the most efficient way
> to do so, with hard numbers to prove it. Just look at top for the same box,
> doing the same thing, one in bridge mode and one in routing mode. Look at
> your interrupt level, the interrupt processing, the traffic it needs to
> process, the useless additional data that it needs to also process from the
> promiscuous mode alone and the additional easy way to have a misconfigured
> box that will pass the traffic because of the bridge mode enabled where you
> might think it's running as it should. If all that and more that I haven't
> put here doesn't convince you, then please by all means do so and run bridge
> mode on your firewall.
>
> But, as far as myself based on the above, that is plenty already with the
> additions of the great minds that designed it to start with in PF and OpenBSD
> telling me it's bad, I am not stupid and I will listen to them. If the above
> doesn't convince me, or I didn't know the above, then I might ask to know
> more, but still I would respect their knowledge that is surely in that
> specific subject much higher than mine.
>
> And that has nothing to do with older generation, even if I would consider
> myself in that category anyway. It has everything to do with knowledge and
> facts put into place in the code by these same persons.
>
> I really hope this provides you some more details and answers to your
> question and if not, then so be it. I will not take more time trying to
> explain it with more details or examples. I thought to provide you some
> examples however that are very obvious if you think about it for a few
> seconds. And this email is already too long as it is.
>
> No one is forcing you and the world, for the most part anyway, is still a
> free place, even if it doesn't feel that way much anymore these days. (;>
>
> You asked a question, you got an answer. You don't like the answer and
> don't want to listen to it, then don't.
>
> But, don't try to convince others that it is the way to go or that there
> isn't a better way, because in that case, yes you would definitely be wrong.
> (;>
>
> With all due respect, from an older man that yes lost some of his hair and
> most definitely will lose more, I hope it gives you something to think
> about, but don't take my words for it. Go test it yourself and just look at
> some examples I put above and make your own conclusions.
>
> Best regards,
>
> Daniel
>

-- 
http://www.felipe-alfaro.org/blog/disclaimer/