From owner-freebsd-questions Sat Feb 10 16:18:47 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from christel.heitec.net (christel.heitec.net [193.101.232.3]) by hub.freebsd.org (Postfix) with ESMTP id 5585737B401 for ; Sat, 10 Feb 2001 16:18:30 -0800 (PST)
Received: from heitec.net (paladin.heitec.net [193.101.232.30]) by christel.heitec.net (Postfix) with ESMTP id 698B6B8102; Sun, 11 Feb 2001 01:18:29 +0100 (CET)
Message-ID: <3A85DA55.10AF0B88@heitec.net>
Date: Sun, 11 Feb 2001 01:18:29 +0100
From: Bernd Luevelsmeyer
X-Mailer: Mozilla 4.04 [en] (WinNT; I)
MIME-Version: 1.0
To: "Raymundo M. Vega"
Cc: freebsd-questions@FreeBSD.ORG, Julian Zottl
Subject: Re: Bridging and routing problem...
References: <200102081626.LAA77762@gateway.vsl.cua.edu> <3A82FEA4.3666D366@home.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Raymundo M. Vega wrote:
[...]
> Rather than answer if bridging is better for your
> network, I like to point that you will have better
> control in the firewall if you use it as a gateway.

The packets must go through the firewall whether they are bridged or
routed, so the firewall rules apply in both cases. IMHO there's no
difference in the amount of control.

> This is in man bridge:
>
>      Set to 1 to enable ipfw filtering on bridged packets. Note that ipfw
>      rules only apply to IP packets. Non-IP packets are subject to the
>      default ipfw rule (number 65535) which must be an allow rule if we
>      want ARP and other non-IP packets to flow through the bridge.

To let ARP through, there's

    ${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

(stolen from /usr/src/etc/rc.firewall) to allow this, so a default 'deny'
rule is possible with a bridge, unless you have other non-IP protocols.

> If you use it as a gateway, you can filter TCP/UDP packets as well.

You can certainly filter both TCP and UDP with a bridge.
Greetings,
Bernd