Hey guys,
There are some articles that may bring some light to the discussion:
* http://en.wikipedia.org/wiki/Network_bridge (best bet)
* http://en.wikipedia.org/wiki/Bridging_(networking)
* http://en.wikipedia.org/wiki/Transparent_bridge
* http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Bridging-Basics.html
Best,
Marcello
----- Original Message -----
From: "Daniel Ouellet" <[email protected]>
To: "Openbsd-Misc" <[email protected]>
Sent: Monday, April 27, 2009 12:10 AM
Subject: Re: Transparent firewall (bridge) with DMZ + LAN
patrick keshishian wrote:
On Sun, Apr 26, 2009 at 4:10 PM, bofh <[email protected]> wrote:
It's called going off on a related tangent - whenever I hear people
talking about using something because someone has published a paper
and here's all these smart people using it (transparent bridging, etc,
or in my case natting externally accessible/routable hosts), it pisses
me off.
People use it because they have a need to do something. When you're
told there's a better way to do things, pay attention, instead of
telling the experts here (and I'm talking about the openbsd developers
in this thread - not me, I'm in management now, no brain cells left)
they're wrong because you have all these great URLs - if you want to
listen to those people, then you should be using the OS they use too.
so you prefer to take someone's word blindly without any backing
evidence or facts, so long as you believe they are a credible source?
Well, let's say that if they spent years developing the system, including PF
and the bridge capability, and the same people tell me that it's bad to
do so, well, HELL yes I would listen to them. They are better minds than me
and they have the code to back it up as well as what they say.
So, to answer that, yes. They are a credible source; they designed it, for
crying wolf.
Maybe management is a good place for you, but I'd hate to be a
shareholder in a company people like you may have any sort of
influential role in steering its goals and/or direction.
Not relevant at all. But even if it were, contrary to the majority of
managers who only listen to marketing vaporware, or who are opposed to digging
in themselves, it might be very good to listen to the source of
reason, not to say the origin of the product, as opposed to
marketing people, so then yes, I would. Most managers wouldn't even understand
it anyway; there are exceptions, but by no means the norm, so your
analogy is pointless and off topic.
"Perhaps as one of the older generation, I should preach a
little sermon to you, but I do not propose to do so. I shall,
instead, give you a word of advice about how to behave
toward your elders. When an old and distinguished person
speaks to you, listen to him carefully and with respect -- but
do not believe him. Never put your trust in anything but your
own intellect. Your elder, no matter whether he has gray hair
or lost his hair, no matter whether he is a Nobel Laureate,
may be wrong... So you must always be skeptical -- always
think for yourself."
I am so glad for you that you were born with the knowledge you need already
and do not need to listen to anyone who might speak from years of
experience. I envy you, really I do! I can't claim that gift from birth
myself.
Some might become senile at old age, yes, by the simple fact of getting
older. Still the natural path of life as we know it. May you be blessed so as
to never suffer that sad outcome.
But, many are still very sound, and a few of them, as opposed to the "young
padawan" hoping to maybe become a Jedi one day, don't need to prove
anything to anyone anymore, and actually provide valuable information
from experience without asking anything in return and without any
motivation other than helping whoever is willing to listen. Many are
not withholding knowledge in the hope of getting ahead and screwing you
over in the process to get an edge over you. Yes, it's rare, but there are
still many people like that. I guess it comes with self-confidence and
actual real knowledge. I actually welcome their input. But do as you wish,
no one is stopping you really. (;>
As for why not to do a bridge setup, maybe something as simple as one
example that comes to mind: your bridge needs to work in promiscuous mode
and will see, receive and process all kinds of crap that it wouldn't need
to otherwise.
More resources will be used on the bridge that could be better used
elsewhere. Should I also add that a misconfiguration of a bridge can stay
undetected for years, whereas a misconfiguration of a decent firewall
not in bridge mode would become obvious sooner in most cases anyway.
Call that security by default setup if you like. (;>
Don't forget that the simple action of putting a box in bridge mode has the
effect of passing all traffic across it. You may think your bridge is working
as the traffic is passing, but in reality, maybe someone affected it
adversely and you can't see it.
Bridges were useful to split LANs, years ago when switches weren't
available, or were just too expensive to buy.
Now, that's not the case anymore.
If you really want to use a bridge, by all means do it.
One more example I could think of where you could temporarily use a bridge
that may help you and make your life easier in a transition is, for
example, when you need to protect a complete LAN that has lots of servers,
computers, etc. behind it that are all set up with static IPs, and that
you are in the process of replacing, moving to a different ISP, or
changing the LAN setup. In that case, putting a bridge there in the direct
path and using one free IP you have available from the range
assigned to you makes the process easier and faster, and then you can
make the changes you need one at a time, etc. But even then, you don't
need an IP for it if you want to work on the console of the bridge at all
times.
So, the transition from one setup to another is much easier and nothing
stops working as you do the setup, as long as you don't create your own
problem, but after your setup is cleaned up, why would you want to keep
using it really?
The bright people who wrote the code said it wasn't good to do so. The
normal operation of such a setup needs more resources from the same box
to do the same things, showing in practice that it's not the most
efficient way to do so, with hard numbers to prove it. Just look at top for
the same box, doing the same thing, one in bridge mode and one in routing
mode. Look at your interrupt level, the interrupt processing, the traffic
it needs to process, the useless additional data that it also needs to
process from promiscuous mode alone, and the additional easy way to have
a misconfigured box that will pass the traffic because of the bridge mode
being enabled where you might think it's running as it should. If all that and
more that I haven't put here doesn't convince you, then please by all means
do so and run bridge mode on your firewall.
But, as far as I'm concerned, based on the above, that is plenty already, with
the addition that the great minds who designed it to start with in PF and
OpenBSD tell me it's bad; I am not stupid and I will listen to them. If
the above didn't convince me, or I didn't know the above, then I might
ask to know more, but still I would respect their knowledge, which is surely
much higher than mine in that specific subject.
And that has nothing to do with the older generation, even if I would
consider myself in that category anyway. It has everything to do with
knowledge and facts put into place in the code by these same persons.
I really hope this provides you some more details and answers to your
question, and if not, then so be it. I will not take more time trying to
explain it with more details or examples. I thought to provide you some
examples, however, that are very obvious if you think about it for a few
seconds. And this email is already too long as it is.
No one is forcing you, and the world, for the most part anyway, is still a
free place, even if it doesn't feel that way much anymore these days. (;>
You asked a question, you got an answer. You don't like the answer and
don't want to listen to it, then don't.
But, don't try to convince others that it is the way to go or that there
isn't a better way, because in that case, yes you would definitely be
wrong. (;>
With all due respect, from an older man who yes lost some of his hair and
most definitely will lose more, I hope it gives you something to think
about, but don't take my word for it. Go test it yourself, just look
at some of the examples I put above and make your own conclusions.
Best regards,
Daniel
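For the thread's subject (a transparent PF bridge in front of a DMZ and a LAN), here is an added example of an OpenBSD pf.conf that fails closed, addressing Daniel's point that a bridge with no working filter silently passes everything; it is not from any poster in this thread, and the interface names, addresses and the single bridged subnet are assumptions.

```pf
# /etc/pf.conf for a transparent bridge (added example; em0/em1/em2,
# the addresses and the single shared subnet are assumptions).
# Bridge members are declared in /etc/hostname.bridge0 ("add em0",
# "add em1", "add em2", "up"); the bridge interface itself has no IP.
ext_if  = "em0"                 # towards the ISP router
dmz_if  = "em1"                 # DMZ segment
lan_if  = "em2"                 # LAN segment
dmz_www = "203.0.113.10"        # web server in the DMZ
lan_net = "203.0.113.64/26"     # LAN hosts (same subnet, bridged)

set skip on lo0

# Weak setting: an empty ruleset, a trailing "pass all", or pf never
# being enabled at all. The bridge then forwards every frame and nothing
# in day-to-day use reveals it, which is the failure mode Daniel describes.
# Hardened setting: fail closed and log the drops, so a broken ruleset
# shows up on pflog0 instead of being invisible.
block log all

# The bridge host itself is reachable only from the LAN, over ssh.
pass in quick on $lan_if proto tcp from $lan_net to self port ssh

# Only the DMZ web server is exposed to the outside. pf filters IP traffic
# on each member interface; with the default floating state policy the
# state created here also matches the same frame leaving on $dmz_if and
# the replies coming back, so one "pass in" rule per flow is enough.
pass in on $ext_if proto tcp to $dmz_www port { 80 443 }

# LAN hosts may initiate anything; replies are matched by state.
pass in on $lan_if from $lan_net

# Verify after loading (pfctl -f /etc/pf.conf):
#   pfctl -s info    must show "Status: Enabled"
#   pfctl -s rules   must begin with "block drop log all"
#   pfctl -vs rules  shows per-rule counters; if traffic crosses the
#                    bridge while no counter moves, the box is bridging
#                    around the filter rather than through it.
```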