* Felipe Alfaro Solana <[email protected]> [2009-04-26 20:37]:
> On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer <[email protected]> wrote:
> > * openbsder <[email protected]> [2009-04-24 12:19]:
> > > Recently, it has been suggested that a transparent firewall implementation
> > > is ideal where possible. But as far as I understand, transparency is only
> > > available when the firewall acts as a bridge between TWO networks. How would
> > > I keep both my DMZ and LAN while using a bridging firewall? Is it even
> > > possible?
> >
> > yes. lots of idiots do it.
>
> Really? What's wrong with transparent bridging? What's wrong with a
> transparent, in-line IDS? What's wrong with a software tap? All of these
> technologies use some sort of transparent bridging and are not being used
> exclusively by idiots, but also by smart people [1] [2]

you call them smart, I say they are idiots. bridging just makes your life harder.

> > bridging is stupid. don't. there are cases where you can't avoid it,
> > but deliberately? about as clever as knowingly drinking methanol.
>
> Bridging, in the broad sense, is not stupid. Your switch is doing that.
> Bridging, in the sense of firewalls, is also not stupid. There are reasons
> why you want to use a transparent bridging-mode firewall.

we are not talking about switches. "transparent" firewalls are beyond stupid.

-- 
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
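For readers who want to see what the original poster's question ("keep both my DMZ and LAN while using a bridging firewall") looks like in practice, here is an added example of a three-port filtering bridge on OpenBSD. It is not configuration posted by anyone in this thread. It assumes em0, em1 and em2 as the WAN, LAN and DMZ ports and uses constructed addresses from 192.0.2.0/24; pf filters on the bridge member interfaces, not on bridge0 itself.

```conf
# /etc/hostname.em0   -- WAN-facing port, no address of its own
up
# /etc/hostname.em1   -- LAN-facing port
up
# /etc/hostname.em2   -- DMZ-facing port
up

# /etc/hostname.bridge0 -- glue the three ports into one L2 domain
add em0
add em1
add em2
up

# /etc/pf.conf -- the "separation" between LAN and DMZ lives entirely here
wan_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
lan_net = "192.0.2.0/25"      # assumed: LAN hosts
dmz_web = "192.0.2.130"       # assumed: the one service exposed from the DMZ

set skip on lo0
block log all                 # fail closed: anything not listed below is dropped

# DMZ: only the web server is reachable, from WAN and LAN, on 80/443
pass in on $wan_if proto tcp to $dmz_web port { 80 443 }
pass in on $lan_if proto tcp to $dmz_web port { 80 443 }

# LAN: may initiate anything except towards the DMZ host; WAN/DMZ cannot
# initiate towards the LAN because no "pass in" rule on em0/em2 allows it
pass in on $lan_if from $lan_net to ! $dmz_web
```

Two things worth noticing, both of which bear on the argument above. First, every frame crosses pf twice, inbound on the port it arrives on and outbound on the port it leaves by; the default floating state created by the `pass in` rules is what lets the outbound leg and the replies through without a matching `pass out`. Second, the three ports are one broadcast domain: ARP and any other non-IP traffic is forwarded by the bridge regardless of pf, and the LAN and DMZ are only as separate as the rule set keeps them, with no routing boundary to fall back on if a rule is wrong.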

