I'm kinda confused here! Can you make a little schematic like this please:

    Servers/Clients --- LAN Switch --- LAN m0n0wall bridged OPT1 --- Internet Connection router

(this, by the way, should be a working example for bridged firewalling)

Regards,
Joachim

-----Original Message-----
From: Bostjan Hojkar [mailto:bostjan dot hojkar at fov dot uni dash mb dot si]
Sent: Tuesday 18 November 2003 11:59
To: Manuel Kasper
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Bridge again :)

Well my purpose is bridged firewall (filtering bridge). The way filtering bridge would work (AFAIK) is "put 2 interfaces into bridged mode, ipless, and connect them in the middle of your LAN - Router connection". The third interface is there only for the sake of administering the firewall via WEB interface. As I understand it this is how Bruce designed the whole filtering bridge thing here. Or maybe not :).

OPT1 is not DMZ for me, and my LAN is a network of public IPs, so I'm not concerned with that (i.e. security) right now :) There aren't any servers that would be connected via OPT1.

I'd be more than happy to use only 2 interfaces, put them into bridged mode and get away with it. But you can't bridge WAN and LAN as it is right now. I'll be working on that when I have time, but thought I'd use what it is and the way it's supposed to work right now.

Thx,
Hob

----- Original Message -----

> OPT1(bridged, ipless) and LAN are on same switch.

Ouch! Kinda defeats the purpose of having a separate optional interface, doesn't it? If one of your servers is compromised -> voilà, instant full access to your LAN.

> Access to web interface from some computer on LAN sometimes timeouts and is
> slow. If I disconnect OPT1 from switch, everything is all right.

So just do it the right way and use a separate switch, so having a separate optional interface will actually make sense. ;)

> please try this patch (provided by jlemon)

FreeBSD 4.9 already has this patch.
FreeBSD's ARP gets majorly confused if it finds two interfaces connecting to the same broadcast domain (I can't blame it, either - a setup like that just doesn't usually make good sense).

- Manuel

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
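The check below is an added example, not code from this thread or from the m0n0wall project. It shows how to confirm from the box itself what Manuel describes: two of its interfaces (LAN and a bridged OPT1 plugged into the same switch) sitting in one broadcast domain. It parses two things a FreeBSD host gives you, the `arp -an` table and the kernel log line FreeBSD writes when an ARP reply for a known address arrives on a different interface than the one its entry is bound to (`arp: <ip> is on <if1> but got reply from <mac> on <if2>`), and reports every interface pair that sees the same hosts. The interface names (fxp0 = LAN, fxp1 = WAN, fxp2 = OPT1), addresses, MACs and all sample lines are constructed for the example.

```python
"""Added example: detect two interfaces of one FreeBSD host sharing a broadcast domain.

Not code from the m0n0wall thread or project. Interface names (fxp0 = LAN,
fxp1 = WAN, fxp2 = OPT1) and every sample line below are constructed.
"""
import re
from collections import defaultdict

# FreeBSD `arp -an` line: "? (192.0.2.20) at 00:50:56:aa:bb:14 on fxp0 [ethernet]"
ARP_TABLE_RE = re.compile(
    r"\((?P<ip>\d+(?:\.\d+){3})\) at (?P<mac>\S+) on (?P<iface>\S+)"
)
# FreeBSD kernel complaint when a reply arrives on the "wrong" interface.
ARP_LOG_RE = re.compile(
    r"arp: (?P<ip>\d+(?:\.\d+){3}) is on (?P<bound>\S+) "
    r"but got reply from (?P<mac>\S+) on (?P<seen>\S+)"
)

# Constructed `arp -an` output from the m0n0wall box.
ARP_TABLE_SAMPLE = [
    "? (192.0.2.1) at 00:50:56:aa:bb:01 on fxp0 [ethernet]",
    "? (192.0.2.20) at 00:50:56:aa:bb:14 on fxp0 [ethernet]",
    "? (192.0.2.21) at 00:50:56:aa:bb:15 on fxp0 [ethernet]",
    "? (192.0.2.99) at (incomplete) on fxp0 [ethernet]",
    "? (198.51.100.1) at 00:0c:29:de:ad:01 on fxp1 [ethernet]",
]

# Constructed /var/log/messages excerpt; the sshd line is unrelated noise.
KERNEL_LOG_SAMPLE = [
    "Nov 18 11:52:03 m0n0wall /kernel: arp: 192.0.2.20 is on fxp0 but got reply from 00:50:56:aa:bb:14 on fxp2",
    "Nov 18 11:52:03 m0n0wall /kernel: arp: 192.0.2.21 is on fxp0 but got reply from 00:50:56:aa:bb:15 on fxp2",
    "Nov 18 11:52:05 m0n0wall sshd[231]: Accepted password for admin from 192.0.2.21",
    "Nov 18 11:52:09 m0n0wall /kernel: arp: 192.0.2.20 is on fxp0 but got reply from 00:50:56:aa:bb:14 on fxp2",
]


def parse_arp_table(lines):
    """Map ip -> (mac, iface) from `arp -an` output, skipping incomplete entries."""
    table = {}
    for line in lines:
        m = ARP_TABLE_RE.search(line)
        if m and m.group("mac") != "(incomplete)":
            table[m.group("ip")] = (m.group("mac"), m.group("iface"))
    return table


def parse_arp_log(lines):
    """Map ip -> set of interfaces the kernel mentioned in ARP complaints for that ip."""
    seen = defaultdict(set)
    for line in lines:
        m = ARP_LOG_RE.search(line)
        if m:
            seen[m.group("ip")].update((m.group("bound"), m.group("seen")))
    return dict(seen)


def find_shared_segments(arp_lines, log_lines):
    """Return {(iface, ...): [ip, ...]} for interface groups that see the same hosts.

    A host whose ARP traffic reaches the box on two interfaces is direct
    evidence that those interfaces are plugged into one broadcast domain.
    """
    per_ip = defaultdict(set)
    for ip, (_mac, iface) in parse_arp_table(arp_lines).items():
        per_ip[ip].add(iface)
    for ip, ifaces in parse_arp_log(log_lines).items():
        per_ip[ip].update(ifaces)

    groups = defaultdict(list)
    for ip, ifaces in per_ip.items():
        if len(ifaces) > 1:
            groups[tuple(sorted(ifaces))].append(ip)
    return {ifaces: sorted(ips) for ifaces, ips in groups.items()}


def report(arp_lines, log_lines):
    """Human-readable summary, returned as lines so a caller can log them."""
    out = []
    for ifaces, ips in find_shared_segments(arp_lines, log_lines).items():
        out.append("%s share a broadcast domain; hosts seen on both: %s"
                   % (" and ".join(ifaces), ", ".join(ips)))
    return out or ["no interface pair sees the same hosts"]


if __name__ == "__main__":
    print("\n".join(report(ARP_TABLE_SAMPLE, KERNEL_LOG_SAMPLE)))
```

On the sample data the report names fxp0 and fxp2 with the two LAN hosts seen on both, which is the "LAN and OPT1 on the same switch" topology; once OPT1 hangs off its own switch (or the WAN side only), the kernel stops logging those lines and the report is empty. The `arp -an` table alone is not enough, since it only records the interface an entry is currently bound to, so the kernel log is the part that actually exposes the flapping.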