From: "Aristeu Gil Alves Jr"
To: "Freebsd-Stable"
Date: Mon, 26 Apr 2004 20:43:39 -0300
Subject: ipfilter/ipfw + bridge + out checking
List-Id: Production branch of FreeBSD source code

Hi all.

I didn't find any thread discussing it, sorry if I am re-posting the same subject.

Is there a way to check the ipfilter/ipfw out-flow with bridge? Is it implemented already?

The case illustrated in most howtos is shown with only two NICs:

      NET-1
        ||
    ___________
    |bridge-fw|
    -----------
        ||
      NET-2

It's important for us to use a bridge-fw with three NICs:

      NET-1
        ||
    ___________
    |bridge-fw|== NET-3
    -----------
        ||
      NET-2

Without the out packet controlling, a solution with three or more NICs could lead to an information leak problem. I've heard this checking is not done due to a performance issue (it's written in the ipf-howto), but performance is not the main goal in this particular situation.

I would like to have the stateful firewall and the bridge _fully_ working together. If there's anything I can do to contribute, I'll be happy to help.

[]'s
--aristeu