On Mon, Apr 27, 2009 at 2:52 PM, Marcello Cruz <marcello.c...@globo.com> wrote:

> Hey guys,
>
> There are some articles that may bring some light to the discussion:
> * http://en.wikipedia.org/wiki/Network_bridge (best bet)
> * http://en.wikipedia.org/wiki/Bridging_(networking)
> * http://en.wikipedia.org/wiki/Transparent_bridge
> * http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Bridging-Basics.html

I was talking about something like:

http://www.snort.org/docs/snort_manual/node16.html
http://snort-inline.sourceforge.net/
http://en.hakin9.org/attachments/hakin9_6-2006_str22-33_snort_EN.pdf

and not a pure bridge, as described in the links you sent.

> Best,
> Marcello
>
> ----- Original Message -----
> From: "Daniel Ouellet" <dan...@presscom.net>
> To: "Openbsd-Misc" <misc@openbsd.org>
> Sent: Monday, April 27, 2009 12:10 AM
> Subject: Re: Transparent firewall (bridge) with DMZ + LAN
>
>> patrick keshishian wrote:
>>> On Sun, Apr 26, 2009 at 4:10 PM, bofh <goodb...@gmail.com> wrote:
>>>> It's called going off on a related tangent - whenever I hear people
>>>> talking about using something because someone has published a paper
>>>> and here's all these smart people using it (transparent bridging, etc.,
>>>> or in my case NATting externally accessible/routable hosts), it pisses
>>>> me off.
>>>>
>>>> People use it because they have a need to do something. When you're
>>>> told there's a better way to do things, pay attention, instead of
>>>> telling the experts here (and I'm talking about the openbsd developers
>>>> in this thread - not me, I'm in management now, no brain cells left)
>>>> they're wrong because you have all these great URLs - if you want to
>>>> listen to those people, then you should be using the OS they use too.
>>>
>>> so you prefer to take someone's word blindly without any backing
>>> evidence or facts, so long as you believe they are a credible source?
>>
>> Well, let's say that if they spend years developing the system, including PF
>> and the capability of bridge, and the same people tell me that it's bad to
>> do so. Well, HELL yes I would listen to them. They are better minds than me
>> and they have the code to back it up as well as their saying too.
>>
>> So, to that answer yes. They are a credible source, they designed it, for
>> crying out loud.
>>
>>> Maybe management is a good place for you, but I'd hate to be a
>>> shareholder in a company people like you may have any sort of
>>> influential role in steering its goals and/or direction.
>>
>> Not relevant at all. But even if that was, contrary to the majority of
>> managers that only listen to marketing vaporware, as opposed to digging it up
>> themselves, it might be very good to listen to the source of reason,
>> not to say as well the origin of the product, as opposed to marketing people;
>> then yes, I would. Most managers wouldn't even understand it anyway and there
>> are exceptions, but by all means not the norm, so your analogy is pointless
>> and off topic.
>>
>>> "Perhaps as one of the older generation, I should preach a
>>> little sermon to you, but I do not propose to do so. I shall,
>>> instead, give you a word of advice about how to behave
>>> toward your elders. When an old and distinguished person
>>> speaks to you, listen to him carefully and with respect -- but
>>> do not believe him. Never put your trust in anything but your
>>> own intellect. Your elder, no matter whether he has gray hair
>>> or lost his hair, no matter whether he is a Nobel Laureate,
>>> may be wrong... So you must always be skeptical -- always
>>> think for yourself."
>>
>> I am so glad for you that you were born with the knowledge you need already
>> and do not need to listen to anyone that might speak from years of
>> experience. I envy you, really I do! I can't claim that gift from birth
>> itself.
>>
>> Some might become senile at old age, yes, by the simple fact of getting
>> older. Still the natural path of life as we know it. May you be blessed as to
>> never suffer that sad outcome.
>>
>> But many are still very sound, and a few of them, as opposed to the "young
>> padawan" with the hope to maybe become a Jedi one day, don't need to prove
>> anything to anyone anymore, and actually provide valuable information from
>> experience without asking anything in return and without alternate
>> motivations other than helping whoever is willing to listen. Many are not
>> withholding knowledge in the hope of getting ahead and screwing you over in
>> the process to get an edge over you. Yes, it's rare, but there are still many
>> people like that. I guess it comes with self-confidence and actual real
>> knowledge. I actually welcome their input. But do as you wish, no one is
>> stopping you really. (;>
>>
>> As for why not to do a bridge setup. Maybe something as simple as one
>> example that comes to mind. Your bridge needs to work in promiscuous mode
>> and will see, receive and process all kinds of crap that it wouldn't need to
>> do otherwise.
>>
>> More resources will be used on the bridge that could be better used
>> elsewhere. Should I also add that a misconfiguration of a bridge can stay
>> undetected for years, whereas a misconfiguration of a decent firewall
>> not in bridge mode would become more obvious sooner in most cases anyway.
>> Call that security by default setup if you like. (;>
>>
>> Don't forget that the simple action of putting a box in bridge mode has the
>> effect of passing all traffic across it. You may think your bridge is working
>> as the traffic is passing, but in reality, maybe someone affected it
>> adversely and you can't see it.
>>
>> Bridges were useful to split LANs, years ago when switches weren't
>> available, or just too expensive to buy then.
>>
>> Now, it's not the case anymore.
>>
>> If you really want to use a bridge, by all means do it.
>>
>> One more example where you could temporarily use a bridge that may help you
>> and make your life easier in the transition that I could think of is, for
>> example, when you need to protect a complete LAN that has lots of servers,
>> computers, etc. behind it that are all set up with static IPs, and that
>> you are in the process of replacing, moving to a different ISP, or changing
>> the LAN setup. In that case, putting a bridge there in the direct path and
>> using one free IP you have available from the range assigned to you
>> makes the process easier and faster, and then you can make the changes
>> you need one at a time, etc. But even then, you don't need an IP for it if
>> you want to work on the console of the bridge at all times.
>>
>> So, the transition from one setup to another is much easier and nothing
>> stops working as you do the setup, as long as you don't create your own
>> problem, but after your setup is cleaned up, why would you want to keep
>> using it really?
>>
>> The bright people that did the code said it wasn't good to do so. The
>> normal operation of such a setup needs more resources from the same box to
>> do the same things, showing in practice that it's not the most efficient way
>> to do so, with hard numbers to prove it. Just look at top for the same box,
>> doing the same thing, one in bridge mode and one in routing mode. Look at
>> your interrupt level, the interrupt processing, the traffic it needs to
>> process, the useless additional data that it needs to also process from the
>> promiscuous mode alone, and the additional easy way to have a misconfigured
>> box that will pass the traffic because of the bridge mode being enabled where you
>> might think it's running as it should. If all that and more that I haven't
>> put here doesn't convince you, then please by all means do so and run bridge
>> mode on your firewall.
>>
>> But, as far as myself, based on the above, that is plenty already, with the
>> addition of the great minds that designed it to start with in PF and OpenBSD
>> telling me it's bad; I am not stupid and I will listen to them. If the above
>> doesn't convince me, or I didn't know the above, then I might ask to know
>> more, but still I would respect their knowledge, which is surely much higher
>> than mine in that specific subject.
>>
>> And that has nothing to do with the older generation, even if I would
>> consider myself in that category anyway. It has everything to do with
>> knowledge and facts put into place in the code by these same persons.
>>
>> I really hope this provides you some more details and answers to your
>> question, and if not, then so be it. I will not take more time trying to
>> explain it with more details or examples. I thought to provide you some
>> examples, however, that are very obvious if you think about it for a few
>> seconds. And this email is already too long as it is.
>>
>> No one is forcing you, and the world, for the most part anyway, is still a
>> free place, even if it doesn't feel that way much anymore these days. (;>
>>
>> You asked a question, you got an answer. You don't like the answer and
>> don't want to listen to it, then don't.
>>
>> But don't try to convince others that it is the way to go or that there
>> isn't a better way, because in that case, yes, you would definitely be wrong.
>> (;>
>>
>> With all due respect, from an older man that yes lost some of his hair and
>> most definitely will lose more, I hope it gives you something to think
>> about, but don't take my word for it. Go test it yourself and just look at
>> some examples I put above and make your own conclusions.
>>
>> Best regards,
>>
>> Daniel
>

-- 
http://www.felipe-alfaro.org/blog/disclaimer/