As long as you separate the rulesets for the bridged config and the management NIC, I don't see how it could happen unless the pf code is not meant to handle this. I am running roughly the same config and it works damn good, in fact too good when I first configured it. Also I would like to point out that you stated he had trouble (OpenBSD 3.2 with ipf) with IPF. IPF and PF are two totally different animals. IPF may have a bug, but unless Daniel or Henning or, eh, I forget, know of a bug using this configuration, then it should work as I have seen it.
Amir Seyavash Mesry
[EMAIL PROTECTED]
LSI Logic Corporation
http://www.lsilogic.com/
Raid Support Test Technician
6145-D Northbelt Parkway
Norcross, GA 30071
678-728-1211

NOTICE: This communication may contain privileged or other confidential information. If you are not the intended recipient, or believe that you have received this communication in error, please do not print, copy, retransmit, disseminate, or otherwise use the information. Also, please indicate to the sender that you have received this communication in error, and delete the copy you received. Thank you.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Beyer
Sent: Wednesday, August 13, 2003 3:18 PM
To: [EMAIL PROTECTED]
Subject: pf and bridge question

Hi,

I have an OpenBSD 3.3 firewall which acts as a transparent bridge between our network (not NATted) and a router giving access to the rest of the world. The bridging interfaces are configured without IP address and a third (management) NIC is configured with an IP address inside our network's address space.

A colleague of mine claims that this can lead to confusion in the routing/bridging code of the firewall and possible corruption of the ARP table. He says that the management interface should never be in the same logical or physical network as one of the two sides of the bridge, i.e. it should have an address in RFC 1918 space and be physically connected to different networking hardware.

I have difficulty in understanding how this could be true and he cannot give me an explanation other than that he has had trouble with this in the past (running older versions of OpenBSD 3.2 with ipf).

Can someone here enlighten me as to whether this is really a possible problem and if so how exactly some sort of corruption/glitch could happen?

Thanks a lot,
Marc

P.S. Naturally I am aware of the fact that having the management interface on a separate NATted network with its own protection is a good thing security-wise, so that's not really my question.
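An added example (not from either poster) of what "separate rulesets for the bridged config and the management NIC" looks like in a pf.conf for the layout Marc describes: two IP-less bridge members and a third NIC carrying the management address. pf filters bridged traffic on the member interfaces, never on bridge0 itself, so each side of the bridge and the management NIC get their own `on <interface>` rules. Interface names and addresses are assumptions, not values from the thread.

```pf
# Assumed interface names: ep0/ep1 are the bridge members (no IP),
# ep2 is the management NIC. Addresses below are constructed.
ext_if   = "ep0"
int_if   = "ep1"
mgmt_if  = "ep2"
mgmt_addr  = "192.0.2.10"    # constructed management address
admin_host = "192.0.2.20"    # constructed admin workstation

# Default deny on every interface; last matching rule wins.
block in log all
block out log all

# Outside bridge member: only the published services may come in.
pass in on $ext_if proto tcp from any to any port { 25, 80, 443 } \
    flags S/SA keep state
pass out on $ext_if all keep state

# Inside bridge member: our hosts may go out, replies return via state.
pass in on $int_if proto { tcp, udp, icmp } from any to any keep state
pass out on $int_if all keep state

# Management NIC: its own ruleset. Drop packets that claim a management
# address but arrive elsewhere, and allow ssh from the admin host only.
antispoof log for $mgmt_if inet
pass in on $mgmt_if proto tcp from $admin_host to $mgmt_addr port ssh \
    flags S/SA keep state
```

Because bridged frames traverse both member interfaces, a packet is evaluated once on `$ext_if` and once on `$int_if`; the management rules never see them, which is what keeps the two rulesets independent.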