On Wednesday 30 October 2002 02:01, SB CH wrote:

> hello all.

Hello

> I have some questions about bridge firewall.
> 1. Do you know any commercial firewall solutions using bridging firewall
> instead of nat?

I don't.

> 2. some documents say that the performance of the bridge is better than nat
> because that the bridge is layer 2 and nat is layer 3, right?

That's true. If you use a bridge/firewall, the performance will drop, however. All packets coming in on a bridge device and that are destined for the bridge itself will be queued twice, which is a performance killer. See the ebtables mailing list archive. The brouting facility of ebtables can be used to get around that.

> 3. I have 3 C classes network. and the ip address range of the host which
> is in the bridge network is not alike. some host is 211.1.1.1, 211.1.2.1
> 211.1.3.1 (netmask is 255.255.255.0) is it available?

A bridge doesn't care about IP addresses, only about MAC addresses.

> 4. what is the stp problem? and how can I solve this problem?

STP can be used to prevent network loops and probably more stuff, I'm not familiar with it. I don't know of any problems...

> 5. in bridging, can I use mangle table or not?

If you have the bridge-nf patch, yes.

> if i set the ip address at the br interface,
> then I should use INPUT and FORWARD chain?

Yes.

> 6. any available problem when I'm operating bridge firewall?

Queueing bridged packets with iptables will probably not work right. This sounds like a strange thing to do anyway, for bridged packets. Has anyone tried this?

--
cheers,
Bart

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
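The brouting workaround and the INPUT/FORWARD split mentioned in the reply, as an added example that is not part of the thread or of ebtables' own documentation; it assumes a bridge br0 with ports eth0 and eth1, address 192.0.2.1, and management on TCP port 22, all constructed for the example:

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Frames addressed to the
# bridge's own IP are pulled out of the bridge path in the ebtables broute
# table and routed once, instead of being bridged and then queued a second
# time for the local IP stack. Assumed names: br0, ports eth0 eth1, 192.0.2.1.
BR_IF="${BR_IF:-br0}"
BR_IP="${BR_IP:-192.0.2.1}"
PORTS="${PORTS:-eth0 eth1}"

# With DRY_RUN=1 the commands are printed instead of executed, so the rule
# set can be reviewed before it touches a live bridge.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

bridge_fw_rules() {
    # 1. Brouting: IPv4 and ARP frames for the bridge's IP are handed to the
    #    IP stack here. redirect rewrites the destination MAC to the bridge's
    #    own MAC; --redirect-target DROP in BROUTING means "route, don't bridge".
    run ebtables -t broute -F
    run ebtables -t broute -A BROUTING -p IPv4 --ip-dst "$BR_IP" \
        -j redirect --redirect-target DROP
    run ebtables -t broute -A BROUTING -p ARP --arp-ip-dst "$BR_IP" \
        -j redirect --redirect-target DROP

    # 2. Brouted frames reach iptables as arriving on the port interface
    #    (eth0/eth1), not on br0, so INPUT rules match on the ports.
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $PORTS; do
        run iptables -A INPUT -i "$p" -p tcp --dport 22 -j ACCEPT
    done

    # 3. Traffic that stays bridged is filtered in FORWARD (needs bridge-nf).
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$BR_IF" -o "$BR_IF" -p tcp --dport 80 -j ACCEPT
}

# Number of append rules the script would install, for a sanity check.
rule_count() {
    (DRY_RUN=1; bridge_fw_rules) | grep -c -- ' -A '
}
```

Run with `DRY_RUN=1 sh script.sh` after appending a call to `bridge_fw_rules` to see the rules without applying them.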
