From owner-freebsd-security Wed Jul 4 1:49: 7 2001
Message-ID: <3B41D60A.79D8E6F7@centtech.com>
Date: Tue, 03 Jul 2001 09:26:18 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: Joseph Gleason
Cc: Joseph Gleason , freebsd-security@freebsd.org
Subject: Re: 3 nics - 1 bridge - 2 ips - bad?
References: <3B3A0DD7.87EDC7E@centtech.com> <006101c0ff2c$4d75bee0$0a2d2d0a@battleship> <3B3A17A9.5ADF75BA@centtech.com> <002201c0ff2e$fe7c4770$0a2d2d0a@battleship>

Just FYI, it works great!  Thanks..

Joseph Gleason wrote:
>
> I was wrong!  Don't listen to my lies!
>
> I am told that bridging can indeed be enabled and disabled per port via some
> sysctl call.
>
> With bridge compiled into the kernel:
>
> sysctl -A |grep bridge should give you the appropriate parameter to play
> with.
>
> ----- Original Message -----
> From: "Eric Anderson"
> To: "Joseph Gleason"
> Cc:
> Sent: Wednesday, June 27, 2001 13:28
> Subject: Re: 3 nics - 1 bridge - 2 ips - bad?
>
> > Thanks for the response..  I think you're correct here, I don't see
> > any way to only enable 2 out of 3 interfaces for bridging.  Darn.  Oh
> > well, thanks!
> >
> > Joseph Gleason wrote:
> > >
> > > I think you might have a problem with the bridging.
> > >
> > > I'm not sure if you can bridge xl0 and xl1 without including xl2.  I could
> > > be wrong.
> > > And you might be able to pull something off with IPFW rules to exclude xl2
> > > from the bridging, but I wouldn't trust it.
> > >
> > > What you want certainly looks like two separate and possibly incompatible
> > > tasks.  My advice would be have two machines do this if at all possible.
> > > Machine one being your ethernet bridge.  Machine two being the gateway to
> > > your protected network.
> > >
> > > ----- Original Message -----
> > > From: "Eric Anderson"
> > > To:
> > > Sent: Wednesday, June 27, 2001 12:46
> > > Subject: 3 nics - 1 bridge - 2 ips - bad?
> > >
> > > > Let's say I have 3 NICs in a machine running FreeBSD 4.2.
> > > > Is it possible to have this sort of configuration:
> > > > xl0 - 200.200.200.200 - [interface 1 of bridge0]
> > > > xl1 - NO IP - [interface 2 of bridge0]
> > > > xl2 - 192.168.10.10 - not part of any bridge
> > > >
> > > > The 200.200.200.200 number is of course made up, but signifies an
> > > > interface on the unprotected net.  The 192.168.10.10 interface is also
> > > > made up, showing an interface on the protected internal net.  Now, the
> > > > xl1 interface is bridged to xl0, creating a port for passing thru to the
> > > > unprotected net that xl0 is on.  Are there any inherent security flaws in
> > > > this configuration (besides having a possible computer plug into the xl1
> > > > port and not being behind a firewall), assuming it works at all?
> > > >
> > > > Thanks in advance..
> > > >
> > > > Eric
> > > > <-- SNIP -->

--
-------------------------------------------------------------------------------
Eric Anderson        anderson@centtech.com        Centaur Technology        (512) 418-5792
For every complex problem, there is a solution that is simple, neat, and wrong.
-------------------------------------------------------------------------------
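The per-port enable/disable that Joseph refers to is, in the FreeBSD 4.x bridge(4) driver, the cluster string in the net.link.ether.bridge_cfg sysctl: every interface listed with the same cluster number is bridged together, and an interface that is not listed (xl2 in Eric's layout) stays out of the bridge entirely. The script below is an added example, not code from this thread or from FreeBSD; it assumes the 4.x sysctl names net.link.ether.bridge_cfg, net.link.ether.bridge_ipfw and net.link.ether.bridge and the interface names from Eric's setup. It builds the cluster string from the intended members, refuses to apply it if the protected interface would end up bridged, and turns on bridge_ipfw so frames crossing the xl0/xl1 bridge are still subject to ipfw rules (the "not behind a firewall" concern for a host plugged into xl1). sysctl is only invoked when the script is run with the argument apply; otherwise it just prints the plan.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed FreeBSD 4.x bridge(4) sysctls:
#   net.link.ether.bridge_cfg   "if:cluster,if:cluster,..." membership string
#   net.link.ether.bridge_ipfw  pass bridged frames through ipfw when set to 1
#   net.link.ether.bridge       master enable for bridging
# Interface names xl0/xl1 (bridged) and xl2 (protected, not bridged) follow
# the configuration described in the original question.

# bridge_cfg IFACE... -> prints "if1:0,if2:0,...": all listed interfaces
# are placed in bridge cluster 0.
bridge_cfg() {
    members=""
    for ifn in "$@"; do
        if [ -z "$members" ]; then
            members="$ifn:0"
        else
            members="$members,$ifn:0"
        fi
    done
    printf '%s\n' "$members"
}

# bridge_member CFG IFACE -> exit status 0 if IFACE is named in CFG.
# The surrounding commas and trailing colon make the match exact, so
# "xl1" does not match "xl10".
bridge_member() {
    case ",$1," in
        *",$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_plan CFG PROTECTED_IFACE -> exit status 0 only if the protected
# interface is NOT part of the bridge configuration.
check_plan() {
    if bridge_member "$1" "$2"; then
        echo "refusing: protected interface $2 would be bridged by '$1'" >&2
        return 1
    fi
    return 0
}

# apply_bridge CFG -> set the sysctls (requires root on the FreeBSD box),
# then list the bridge parameters, as suggested in the thread.
apply_bridge() {
    sysctl -w net.link.ether.bridge_cfg="$1"
    sysctl -w net.link.ether.bridge_ipfw=1
    sysctl -w net.link.ether.bridge=1
    sysctl -A | grep bridge
}

CFG=$(bridge_cfg xl0 xl1)
if check_plan "$CFG" xl2; then
    if [ "${1:-}" = "apply" ]; then
        apply_bridge "$CFG"
    else
        echo "plan: net.link.ether.bridge_cfg=$CFG (rerun with 'apply' to set it)"
    fi
fi
```

Without an argument the script prints `plan: net.link.ether.bridge_cfg=xl0:0,xl1:0`; with a configuration that accidentally lists xl2 (for example `bridge_cfg xl0 xl1 xl2`) check_plan fails and nothing is applied. The bridge_ipfw setting is what lets the same machine filter the bridged traffic rather than acting as an unfiltered pass-through on the xl1 port.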