
Re: bridge and features on virtual bridges



On 27 Nov 2002, Alexander C.H. Lorenz wrote:

> hey list, hi theo
>
> we are developing a firewall solution.
> now we have an idea for the bridge interface:
>
> we would create the bridge as a multi-user system.
> let me explain:
> when a customer uses an openbsd bridge for other customers (A,B,C), this is
> not a problem, all customers of his can use the same Internet
> interface, right?
> When now the operator will give customer C another net from ripe, can
> he use the same bridge at this moment? At the moment not, a bridge isn't
> a router.
> okay, this I know, but has anybody at the moment an idea how to create this
> feature? The fw1 can't do this ;)
> We discuss at the moment a mac-nat, is this possible?

Hi,

I'm not at all sure I understand what you are trying to do, but this does
not sound quite right to me. Ever heard of the term "layering violation"?
("mac-nat", huh?)

I recommend you use plain IP and IP filter mechanisms, and try to do less
level-2 magic. Go there as a last resort, don't start there.

(There seem to be more and more people wanting to invent needlessly
 complicated solutions to solve problems on a lower level instead of using
 already present solutions on the IP level. MPLS is one example. I
 suspect the reason is partly politics, but largely not understanding how
 IP works or how to build networks.)

/H

--
Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB