On Tue, 19 Dec 2023 at 23:57, Karel Lucas <cahlu...@planet.nl> wrote:
> Hi all,
>
> I am creating a bridging firewall, and am wondering if it is possible to
> use the ntp daemon to ensure that all log files are timed correctly. Is
> there a way to achieve that despite the fact that the network
> connections do not have an IP address?
>

I did some of that in the early 2000s, and it wasn't as good an idea as I had imagined it to be.

We put an extra eth interface on the box, and had that one on the inside network range, so it could log and be administered via it, then had some rules that allowed certain outside IPs to traverse the bridging fw to the inside, and then reach the inside of the fw.

But all in all, that was just a workaround for a bad network setup where we got a /24 from our ISP, but not a transport network for our outside of the fw. I would not do it like that again. I noticed how nice it actually is to be able to use layer-3 tools like ping and traceroute and so on, even if it felt secretive and hip to have an "invisible" fw.

I think most people that have tried L2 firewalling end up moving away from it if they can, just because of the poor visibility you get when you run firewalls on top of bridges.

--
May the most significant bit of your life be positive.
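The workaround described in the reply (bridge ports without addresses, a separate management interface that ntpd and syslog can use, one outside host allowed through the bridge to reach it), written out as an added nftables ruleset that is not from the thread; the interface names, the documentation-range addresses and the admin and log hosts are assumptions.

```nft
# Added illustration, not the thread's own configuration.
# Assumed layout: eth0 (outside) and eth1 (inside) are ports of bridge br0,
# which carries no IP address; eth2 is a separate management interface with
# an address on the inside range (192.0.2.2/24, constructed documentation
# values). Admin workstation outside: 203.0.113.10; inside log host:
# 192.0.2.50. Conntrack in the bridge family needs nf_conntrack_bridge
# (Linux 5.3+).

flush ruleset

table bridge bridgefw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # In the bridge family iifname/oifname are the bridge ports, not br0.
        # ARP must cross the bridge or nothing on either side resolves.
        ether type arp accept
        iifname "eth1" oifname "eth0" accept
        iifname "eth0" oifname "eth1" ct state established,related accept
        # The one outside host allowed through the bridge to the management
        # address; it lands on the inside LAN and then reaches eth2.
        iifname "eth0" oifname "eth1" ip saddr 203.0.113.10 ip daddr 192.0.2.2 tcp dport 22 accept
    }
}

table inet mgmt {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Only the management interface has an address; bridged frames do
        # not reach this hook unless br_netfilter is loaded (keep it unloaded).
        iifname "eth2" ip saddr { 192.0.2.0/24, 203.0.113.10 } tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # ntpd/chronyd sources its queries from eth2's address, so log
        # timestamps are correct although the bridged ports have no IP.
        oifname "eth2" udp dport 123 accept
        # Name resolution for the configured NTP servers.
        oifname "eth2" udp dport 53 accept
        # Ship syslog to the inside log host over the same interface.
        oifname "eth2" ip daddr 192.0.2.50 tcp dport 514 accept
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; the bridged ports still have no address, so ping and traceroute against the box only work via eth2, which is the visibility trade-off the reply describes.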