Re: To forward, or not to forward
Dear Steve,

At the moment, I have forwarding and pf turned off and am allowing packets to flow freely until I can figure out the multiple subnet issue. The router that handles our subnets is outside of our network. Somehow the servers cannot communicate freely when they have to send packets out to the router and back in. Any clues on that?

Thanks to all who have emailed me so far.

-Orlando

On Saturday, May 13, 2006, Steve Welham wrote:

> > My goal with the bridge is to filter all traffic coming in from the
> > outside world, while allowing my servers behind the bridge
> > to connect freely even if their traffic has to travel out to the
> > router and back (keep state?).
> >
> > My point of confusion is whether or not to turn on forwarding. I
> > have heard arguments for both.
>
> I have a transparent bridging firewall setup in the same configuration on 3.8. IP forwarding is not enabled and the two bridge interfaces pass traffic just fine.
>
> Don't enable IP forwarding - you don't need it or want it and it opens up the opportunity for misconfiguration elsewhere to break the security on your admin interface. The bridge interface will take care of all your forwarding needs.
>
> IP forwarding is required if you want your box to route IP packets using the routing table - this is not relevant to you because your firewall interfaces do not have IP addresses. Bridging uses a MAC forwarding database to forward Ethernet frames... IP doesn't even come into it.

-- 
Best regards,
Orlando L. Castro
Re: To forward, or not to forward
> My goal with the bridge is to filter all traffic coming in from the
> outside world, while allowing my servers behind the bridge
> to connect freely even if their traffic has to travel out to the
> router and back (keep state?).
>
> My point of confusion is whether or not to turn on forwarding. I
> have heard arguments for both.

I have a transparent bridging firewall setup in the same configuration on 3.8. IP forwarding is not enabled and the two bridge interfaces pass traffic just fine.

Don't enable IP forwarding - you don't need it or want it and it opens up the opportunity for misconfiguration elsewhere to break the security on your admin interface. The bridge interface will take care of all your forwarding needs.

IP forwarding is required if you want your box to route IP packets using the routing table - this is not relevant to you because your firewall interfaces do not have IP addresses. Bridging uses a MAC forwarding database to forward Ethernet frames... IP doesn't even come into it.
Re: To forward, or not to forward
On Fri, May 12, 2006 at 05:06:31PM -0700, [EMAIL PROTECTED] wrote:
> If I'm not using NAT, do I still need to use forwarding?

Only if you want packets coming in on one interface to go out another interface.

-- 
Darrin Chandler           | Phoenix BSD Users Group
[EMAIL PROTECTED]         | http://bsd.phoenix.az.us/
http://www.stilyagin.com/ |
Re: To forward, or not to forward
Dear misc,

If I'm not using NAT, do I still need to use forwarding?

-Orlando

On Friday, May 12, 2006, Spruell, Darren-Perot wrote:

> From: [EMAIL PROTECTED]
> > My goal with the bridge is to filter all traffic coming in from the
> > outside world, while allowing my servers behind the bridge
> > to connect freely even if their traffic has to travel out to the
> > router and back (keep state?).
> >
> > My point of confusion is whether or not to turn on forwarding. I
> > have heard arguments for both.
> >
> > One person believes that setting forwarding to 1 bypasses pf.
> > Another believes that setting forwarding to 0 increases performance.
>
> Forwarding allows packets to travel from one interface to another. To my knowledge, you won't pass traffic through your firewall without it enabled. Examples of transparent firewalls always enable it:
>
> http://ezine.daemonnews.org/200207/transpfobsd.html
> http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html
>
> And as for a bridge, you don't have an "in" interface and an "out" interface, as you would with an L3-aware system. A bridge is a layer 2 device, so you can simplify your ruleset and thought process by passing all of your traffic on one interface, and just applying your filters to the other interface.
>
> DS

-- 
Best regards,
Orlando L. Castro
Re: To forward, or not to forward
From: [EMAIL PROTECTED]
> My goal with the bridge is to filter all traffic coming in from the
> outside world, while allowing my servers behind the bridge
> to connect freely even if their traffic has to travel out to the
> router and back (keep state?).
>
> My point of confusion is whether or not to turn on forwarding. I
> have heard arguments for both.
>
> One person believes that setting forwarding to 1 bypasses pf.
> Another believes that setting forwarding to 0 increases performance.

Forwarding allows packets to travel from one interface to another. To my knowledge, you won't pass traffic through your firewall without it enabled. Examples of transparent firewalls always enable it:

http://ezine.daemonnews.org/200207/transpfobsd.html
http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html

And as for a bridge, you don't have an "in" interface and an "out" interface, as you would with an L3-aware system. A bridge is a layer 2 device, so you can simplify your ruleset and thought process by passing all of your traffic on one interface, and just applying your filters to the other interface.

DS
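Putting Darren's "pass everything on one member, filter on the other" design together with Steve's "keep state, leave net.inet.ip.forwarding at 0" advice, here is an added example pf.conf for an OpenBSD 3.8-era transparent bridge; it is not from any poster in this thread. The interface names fxp0/fxp1 and the 192.0.2.x server addresses are constructed, and the last rule explicitly covers the out-to-the-router-and-back path Orlando describes.

```pf
# Added example (not from this thread): pf.conf for a transparent bridge
# on OpenBSD 3.8, with net.inet.ip.forwarding left at 0 as Steve advises.
# Interface names and the 192.0.2.x addresses are constructed placeholders.
ext_if  = "fxp0"                           # bridge member facing the outside router
int_if  = "fxp1"                           # bridge member facing the servers
servers = "{ 192.0.2.10, 192.0.2.20 }"     # hosts behind the bridge

scrub in all

# Darren's design: traffic is passed untouched on one member and the whole
# policy is expressed on the other. "quick" stops rule evaluation here.
pass quick on $int_if all

# Default deny on the outside-facing member, logged to pflog0.
block in  log on $ext_if all
block out log on $ext_if all

# Servers may open connections outward. "keep state" is written out because
# it is not the default on 3.8; replies then match state, not rules.
pass out on $ext_if proto { tcp, udp, icmp } from $servers to any keep state

# Services deliberately exposed to the outside world.
pass in on $ext_if proto tcp from any to $servers port { 22, 80, 443 } \
    flags S/SA keep state

# Orlando's hairpin: a server talking to a server on another subnet leaves
# via $ext_if, is routed by the external router and re-enters on $ext_if
# with an internal source address. Pass that path explicitly. This trusts
# the upstream router not to deliver packets with forged internal sources;
# a bridge whose members carry no IP address cannot use antispoof here.
pass in on $ext_if from $servers to $servers keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm `sysctl net.inet.ip.forwarding` reports 0; the bridge forwards by MAC address, so no IP routing is involved.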