Date: Wed, 27 Jun 2001 13:31:26 -0400
From: "Joseph Gleason" <clash@fireduck.com>
To: <anderson@centtech.com>, "Joseph Gleason" <freebsd@fireduck.com>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: 3 nics - 1 bridge - 2 ips - bad?
Message-ID: <002201c0ff2e$fe7c4770$0a2d2d0a@battleship>
References: <3B3A0DD7.87EDC7E@centtech.com> <006101c0ff2c$4d75bee0$0a2d2d0a@battleship> <3B3A17A9.5ADF75BA@centtech.com>
I was wrong! Don't listen to my lies!

I am told that bridging can indeed be enabled and disabled per port via some
sysctl call. With bridge compiled into the kernel:

    sysctl -A | grep bridge

should give you the appropriate parameter to play with.

----- Original Message -----
From: "Eric Anderson" <anderson@centtech.com>
To: "Joseph Gleason" <freebsd@fireduck.com>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Wednesday, June 27, 2001 13:28
Subject: Re: 3 nics - 1 bridge - 2 ips - bad?

> Thanks for the response.. I think you're correct here, I don't see
> any way to only enable 2 out of 3 interfaces for bridging. Darn. Oh
> well, thanks!
>
> Joseph Gleason wrote:
> >
> > I think you might have a problem with the bridging.
> >
> > I'm not sure if you can bridge xl0 and xl1 without including xl2. I could
> > be wrong.
> > And you might be able to pull something off with IPFW rules to exclude xl2
> > from the bridging, but I wouldn't trust it.
> >
> > What you want certainly looks like two separate and possibly incompatible
> > tasks. My advice would be to have two machines do this if at all possible.
> > Machine one being your ethernet bridge. Machine two being the gateway to
> > your protected network.
> >
> > ----- Original Message -----
> > From: "Eric Anderson" <anderson@centtech.com>
> > To: <freebsd-security@FreeBSD.ORG>
> > Sent: Wednesday, June 27, 2001 12:46
> > Subject: 3 nics - 1 bridge - 2 ips - bad?
> >
> > > Let's say I have 3 NICs in a machine running FreeBSD 4.2.
> > > Is it possible to have this sort of configuration:
> > >
> > >   xl0 - 200.200.200.200 - [interface 1 of bridge0]
> > >   xl1 - NO IP           - [interface 2 of bridge0]
> > >   xl2 - 192.168.10.10   - not part of any bridge
> > >
> > > The 200.200.200.200 number is of course made up, but signifies an
> > > interface on the unprotected net. The 192.168.10.10 interface is also
> > > made up, showing an interface on the protected internal net. Now, the
> > > xl1 interface is bridged to xl0, creating a port for passing thru to the
> > > unprotected net that xl0 is on. Are there any inherent security flaws in
> > > this configuration (besides having a possible computer plug into the xl1
> > > port and not being behind a firewall), assuming it works at all?
> > >
> > > Thanks in advance..
> > >
> > > Eric
> > >
> > > --
> > > ---------------------------------------------------------------------------
> > > Eric Anderson   anderson@centtech.com   Centaur Technology   (512) 418-5792
> > > For every complex problem, there is a solution that is simple, neat, and
> > > wrong.
> > > ---------------------------------------------------------------------------
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
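As an added example (not from this thread or from FreeBSD itself), a small POSIX sh audit that reads the kind of output `sysctl -A | grep bridge` prints and flags the two things worth checking on the three-NIC box described above: the protected interface xl2 showing up as a bridge port, and bridged frames not being passed through ipfw. The sysctl names are the net.link.ether.bridge* ones from FreeBSD 4.x bridge(4); the sample output and its values are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of `sysctl -A | grep bridge` on a FreeBSD 4.x box with
# bridging compiled in. Names follow bridge(4) of that era; values are made up.
SAMPLE_GOOD='net.link.ether.bridge: 1
net.link.ether.bridge_cfg: xl0:0,xl1:0
net.link.ether.bridge_ipfw: 1'

# Same box misconfigured: xl2 pulled into the bridge cluster, ipfw bypassed.
SAMPLE_BAD='net.link.ether.bridge: 1
net.link.ether.bridge_cfg: xl0:0,xl1:0,xl2:0
net.link.ether.bridge_ipfw: 0'

# sysctl_val NAME TEXT: print the value of NAME from sysctl-style "name: value" TEXT.
sysctl_val() {
    printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2 }'
}

# audit_bridge PROTECTED_IF TEXT: return 0 when PROTECTED_IF is not a member of
# any bridge cluster and ipfw filters bridged frames; print findings and
# return 1 otherwise. Bridging turned off is treated as nothing to audit.
audit_bridge() {
    prot=$1; text=$2; rc=0
    enabled=$(sysctl_val net.link.ether.bridge "$text")
    cfg=$(sysctl_val net.link.ether.bridge_cfg "$text")
    ipfw=$(sysctl_val net.link.ether.bridge_ipfw "$text")
    [ "$enabled" = 1 ] || { echo "bridging is not enabled"; return 0; }
    # bridge_cfg is "if:cluster,if:cluster,..."; compare the interface part only.
    for member in $(printf '%s' "$cfg" | tr ',' ' '); do
        if [ "${member%%:*}" = "$prot" ]; then
            echo "FINDING: protected interface $prot is a bridge port ($member)"
            rc=1
        fi
    done
    if [ "$ipfw" != 1 ]; then
        echo "FINDING: bridge_ipfw=$ipfw, ipfw rules are not applied to bridged frames"
        rc=1
    fi
    return $rc
}
```

Run it against live output with `audit_bridge xl2 "$(sysctl -A | grep bridge)"`; the protected interface name is the only thing you need to adapt.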