Bridging again

Bill Hacker wbh at conducive.org
Mon Sep 25 14:34:38 PDT 2006


Gergo Szakal wrote:

> *snip*
> WBH said:
> > i.e. - what is the intended service?
>
> The intention is to transparently filter the traffic of a given
> department. I know it is appropriate, since our old bridge has been
> running for 17 months now. :-)
> Sidenote: The IPs are public, no proxying, and there may be some traffic
> queuing (has already been tested with OpenBSD, and it worked).
> (Let me tell the network topology: there are 4 departments sharing the
> same class C ( == /24) range of public IPs. The infrastructure in the HQ
> is quite old thus they are unable to mask the subnet into four /26
> ranges. I have built a bridge for each department. Now one of them got a
> new machine, and this is a great occasion for me to try DF in a
> production environment, and I am also sick & tired of OpenBSD.)
OK.  I have a *BSD bastion/air-gap/remote-service-access/local backup box on one 
client site for that.

I hate to think of replacing the old beast, as finding a MB that can hold 6 NICs 
is no longer cheap.  Some of us place greater trust in cable-plant isolation 
than mere subnets...

OTOH, there are only 4 WinBoxen left there, and I can set up each of the 
Mac(BSD) firewalls remotely by ssh'ing in thru the *BSD box, so the need is 
going away with the WinTels...

;-)

Bill
