Ethernet bridging in BSD kernels (by alaric)

Oooh, while researching Proxy ARP for a transparent firewalls, I found out that the BSDs these days can do Ethernet bridging in-kernel. man brconfig, if you want more details.

Here's a handy writeup on using it to configure OpenBSD as a filtering bridge:

http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html

You can use it to bridge across any number of interfaces, in effect creating an Ethernet switch. But don't try to do this with too many ports - x86 architectures don't tend to have the IO backplane bandwidth of dedicated switch hardware!

According to the man pages, NetBSD 1.6.1 doesn't actually let you use packet filtering, but OpenBSD does. OpenBSD is a good choice for a firewall anyway, since security folks like it and have tended to pump it full of useful packet filtering options.

So does anyone know a nice supplier of small computers that can run OpenBSD and have two or more Ethernet interfaces, a cool enough CPU to not need a fan, and a flash disk that can be made readonly in hardware? A packet filter is, by definition, a single point of failure in a system, so I'd like it to be a maintenance-free device. Particularly since, lacking an actual IP address, it can't easily be contacted to check its status all that often...

2 Comments

• 

  By Zoe, Mon 6th Dec 2004 @ 10:58 pm

  Just being super obivous but you have looked at a fanless Mini-ITX board with Compact Flash to IDE Adapter (I'm not sure if you can set them to read-only) or the soekris boards?

• 

  By alaric, Tue 7th Dec 2004 @ 1:33 am

  That's exactly the kind of pointer I'm interested in. Thanks, Zoe!

Other Links to this Post

RSS feed for comments on this post. TrackBack URI

Leave a comment