Dear Steve,

At the moment, I have forwarding and pf turned off and am allowing packets to flow freely until I can figure out the multiple subnet issue. The router that handles our subnets is outside of our network. Somehow the servers cannot communicate freely when they have to send packets out to the router and back in. Any clues on that?

Thanks to all who have emailed me so far.

-Orlando

On Saturday, May 13, 2006, Steve Welham wrote:

> > My goal with the bridge is to filter all traffic coming in from the
> > outside world, while allowing my servers behind the bridge
> > to connect freely even if their traffic has to travel out to the
> > router and back (keep state?).
> >
> > My point of confusion is whether or not to turn on forwarding. I
> > have heard arguments for both.
>
> I have a transparent bridging firewall setup in the same configuration
> on 3.8. IP forwarding is not enabled and the two bridge interfaces pass
> traffic just fine.
>
> Don't enable IP forwarding - you don't need it or want it, and it opens
> up the opportunity for misconfiguration elsewhere to break the security
> on your admin interface. The bridge interface will take care of all your
> forwarding needs.
>
> IP forwarding is required if you want your box to route IP packets using
> the routing table - this is not relevant to you because your firewall
> interfaces do not have IP addresses. Bridging uses a MAC forwarding
> database to forward Ethernet frames... IP doesn't even come into it.

--
Best regards,
Orlando L. Castro
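As an added configuration example (written for this page, not taken from either message in the thread), here is one way to express the setup Steve describes on an OpenBSD 3.8-era box: routing left off, the bridge doing the forwarding, an address only on the management interface, and pf filtering once on the outside port with keep state. The interface names (fxp0, fxp1, fxp2), the 192.0.2.0/24 and 198.51.100.0/24 server subnets and the host addresses are assumptions chosen for illustration.

```pf
# /etc/pf.conf  (added example; interface names and addresses are assumptions)
#
# Companion settings, for reference:
#   /etc/sysctl.conf        net.inet.ip.forwarding=0   (routing stays off; bridge forwards frames)
#   /etc/hostname.bridge0   add fxp0 / add fxp1 / up   (both ports are members, neither has an IP)
#   /etc/hostname.fxp0      up                         (member ports only need to be up)
#   /etc/hostname.fxp1      up
#   /etc/hostname.fxp2      the only interface with an IP address: management
#
ext_if   = "fxp0"                                  # port facing the upstream router
int_if   = "fxp1"                                  # port facing the servers
admin_if = "fxp2"                                  # management interface
srv_nets = "{ 192.0.2.0/24, 198.51.100.0/24 }"     # constructed server subnets behind the bridge
web_srv  = "192.0.2.10"                            # constructed example host
adm_host = "192.0.2.50"                            # constructed example admin workstation

set skip on lo0

# A bridge runs every frame through pf on both member ports. Filter once,
# on the outside port, and let the inside port pass unconditionally so the
# rules are not evaluated twice and the inside port never blocks anything.
pass quick on $int_if all

# Default deny on the outside port; log what is dropped.
block in log on $ext_if all

# Inbound from the world: only the services meant to be exposed, stateful.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state

# Outbound from the servers: the state created here is what lets the reply
# come back in on $ext_if. Server-to-server traffic between the two subnets
# that leaves via the external router also creates its state on the way out
# and matches that state on the way back in.
pass out on $ext_if from $srv_nets to any keep state

# Management interface: deny by default, allow ssh from one admin host.
block in on $admin_if all
pass in on $admin_if proto tcp from $adm_host to ($admin_if) port 22 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm `sysctl net.inet.ip.forwarding` reports 0 after a reboot so that a later change elsewhere cannot quietly turn the box into a router.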