From: [EMAIL PROTECTED]

> My goal with the bridge is to filter all traffic coming in from the
> outside world, while allowing my servers behind the bridge
> to connect freely even if their traffic has to travel out to the
> router and back (keep state?).
>
> My point of confusion is whether or not to turn on forwarding. I
> have heard arguments for both.
>
> One person believes that setting forwarding to 1 bypasses pf.
> Another believes that setting forwarding to 0 increases performance.
Forwarding allows packets to travel from one interface to another. To my knowledge, you won't pass traffic through your firewall without it enabled. Examples of transparent firewalls always enable it:

http://ezine.daemonnews.org/200207/transpfobsd.html
http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html

And as for a bridge, you don't have an "in" interface and an "out" interface, as you would with an L3-aware system. A bridge is a layer 2 device, so you can simplify your ruleset and thought process by passing all of your traffic on one interface, and just applying your filters to the other interface.

DS
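An added pf.conf example of the ruleset shape the reply describes (not from the original message or its author): pass everything on the inside bridge member, filter only on the outside member, and use keep state so the servers' own outbound connections get their replies back. Interface names ext0/int0 and the 192.0.2.x server addresses are constructed assumptions.

```pf
# Constructed example: two bridge members, filtered in the classic pf syntax.
#   ext0 = member facing the router / outside world
#   int0 = member facing the protected servers
ext_if  = "ext0"
int_if  = "int0"
web_srv  = "192.0.2.10"
mail_srv = "192.0.2.20"
servers  = "{ " $web_srv ", " $mail_srv " }"

# The same frame crosses both members, so decide once: let everything
# through on the inside member and do all filtering on the outside one.
pass quick on $int_if all

# Outside member: default deny for anything arriving from the router.
block in log on $ext_if all

# Servers behind the bridge may initiate connections outward; keep state
# so the return packets (even a hairpin via the router) are admitted
# without any explicit inbound rule.
pass out on $ext_if proto tcp from $servers to any flags S/SA keep state
pass out on $ext_if proto udp from $servers to any keep state
pass out on $ext_if inet proto icmp from $servers to any keep state

# Inbound from the outside: only the services these hosts publish.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25 flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state entries created by the servers' outbound connections.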