From owner-freebsd-arch@FreeBSD.ORG Thu Sep 29 09:08:18 2005
Date: Thu, 29 Sep 2005 11:08:18 +0200
From: Jeremie Le Hen
To: Yar Tikhiy
Cc: freebsd-arch@freebsd.org
Subject: Re: Bridges
Message-ID: <20050929090818.GD1086@obiwan.tataz.chchile.org>
In-Reply-To: <20050928102153.GA86457@comp.chem.msu.su>
References: <200509241525.16173.max@love2party.net> <20050924192237.GP40237@cirb503493.alcatel.com.au> <20050928102153.GA86457@comp.chem.msu.su>

Hi Yar,

> Couldn't you bridge across the parent, or trunk, physical interfaces
> carrying tagged VLAN traffic then? (Of course, hardware support for
> VLAN should be turned off on them in that case.)

Since neither ipfw nor pf can filter on VLAN tag at layer 2, it would be
pretty useful to be able to bridge vlan(4) interfaces together.
For administrative reasons, you may not want all the VLANs living on a
physical network to be seen on the other side of the bridge.

I also know another situation where this can be useful. Once I was asked
to build a single firewall for a whole rack of servers. These servers were
remotely administered by customers and therefore we had no security
control over them. Thus we wanted the firewall to protect the servers
from the Internet but also from the other surrounding servers, which may
have been defaced. For other reasons, we needed a bridge and no NAT was
possible. The idea was to give each server its own VLAN, and the firewall
bridged them together. I set up this firewall with Linux; I would be glad
to be able to do so with FreeBSD.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
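Added example, not part of this thread: a hypothetical FreeBSD setup script for the per-server-VLAN design described above, using if_bridge(4) members and pf(4) tags so that each vlan(4) member may only exchange traffic with the uplink, never with another VLAN. It assumes trunk em0, uplink em1, VLAN ids 10 to 12 and if-bound pf states; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Hypothetical per-server-VLAN bridge firewall (assumed interface names).
TRUNK=em0        # tagged trunk towards the rack switch
UPLINK=em1       # untagged link towards the Internet router
VLANS="10 11 12" # one VLAN id per server (constructed sample)

# Execute a command, or only print it when DRY_RUN is set (for review).
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Create vlanN on the trunk and bridge them together with the uplink.
setup_bridge() {
    run ifconfig bridge0 create
    for id in $VLANS; do
        run ifconfig "vlan$id" create vlan "$id" vlandev "$TRUNK"
        run ifconfig bridge0 addm "vlan$id"
    done
    run ifconfig bridge0 addm "$UPLINK" up
    # Filter on each member interface, not on bridge0 itself.
    run sysctl net.link.bridge.pfil_member=1 net.link.bridge.pfil_bridge=0
}

# Emit a pf ruleset: a packet entering on the uplink is tagged and may only
# leave on a server VLAN; a packet entering on a server VLAN is tagged and
# may only leave on the uplink, so servers cannot reach each other through
# the bridge. if-bound states are required: a floating state created on the
# ingress member would otherwise also pass the packet out of another VLAN.
# Note: non-IP frames such as ARP are still bridged unfiltered by default
# (net.link.bridge.pfil_onlyip=1).
gen_pf_rules() {
    echo "set state-policy if-bound"
    echo "block all"
    echo "pass in on $UPLINK tag FROM_UPLINK keep state"
    for id in $VLANS; do
        echo "pass in on vlan$id tag FROM_RACK keep state"
        echo "pass out on vlan$id tagged FROM_UPLINK keep state"
    done
    echo "pass out on $UPLINK tagged FROM_RACK keep state"
}

if [ "${1:-}" = "apply" ]; then
    setup_bridge
    gen_pf_rules   # review the output, then load it with pfctl -f
fi
```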