On Mon, Apr 27, 2009 at 11:20:07PM +0200, Felipe Alfaro Solana wrote:
> On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst <ted.unan...@gmail.com> wrote:
> 
> > On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
> > <felipe.alf...@gmail.com> wrote:
> > > Again, not a single or valid technical argument on why a bridging
> > > firewall is a bad idea. Just a moot and offensive response, and a very
> > > strong assessment from someone that doesn't know me at all. It's also
> > > very sad to see so many impolite answers in this list. Perhaps saying
> > > "are apparently black magic" would be more appropriate.
> >
> > http://marc.info/?l=openbsd-misc&m=124082008204226&w=2
> >
> > You can either read the code or listen to somebody who has.  I don't
> > know you either, but I know Henning and I know the bridge code, and
> > the short version is he's right.
> >
> 
> And again, I think you mean that running a bridge under OpenBSD is perhaps
> not the fastest or brightest solution. And I trust you, but again, I have
> yet to hear a single technical argument on why running, for example, Snort
> inline on other platforms is a bad idea and makes one stupid.
> 

Did you ever check the security record of Snort? It is at least as bad as
Wireshark's, but it is sitting in the middle of your network passing
packets. I couldn't sleep with such a system in my core.
It is also a lot easier to bypass a bridging FW/IDS unnoticed than a box
that does actual routing.

Go ahead, use it and get burned, I think you need pain to realize that it is
bad.

-- 
:wq Claudio
