In my personal setup, to prevent data leakage, I'd leave the internal adapters bridged and then remove the external adapter from the bridge. Then for IPv4 you can just do standard NATting for anything that needs to leave the network but doesn't need to hit the proxy, using the rdr-to rules, and IPv6 is totally routed, so there is just some internal routing that goes on to exchange between the adapters.

On 1/9/2014 4:38 AM, Giancarlo Razzolini wrote:
On 09-01-2014 08:13, Romain FABBRI - Alien Consulting wrote:
In this topology:

    Computers <=> Switch <=> Webfiltering bridge <=> Router <=> Internet

Without a bridge, a system with 2 network cards won't let:

- data from the Computers go to the Router.

- data from the Router go to the Computers.

It will, that is what NAT was created for, and OpenBSD with pf does it
handsomely. They won't operate as if they were on the same network
though (broadcast), which is a security feature, from my point of view.
How do you make it work without a bridge???

- Maybe you're talking about a single network interface system with just a proxy function on it.

  - But no real security would be added in this topology, since you can bypass the proxy.

- There could be a way to activate packet forwarding, but as far as I know forwarding requires 2 networks.


If you use your OpenBSD box as the gateway, not as a transparent bridge,
not only will you be able to achieve transparent interception with
squid, you'll also have all the other nice features that come along with it.
I believe that a transparent bridge could work, with an extra effort,
but I would need to rig me a setup to test it. But if you have control
over the router, I strongly suggest using 2 NICs, and the OpenBSD
machine as your network gateway.

Cheers,

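The two-NIC gateway layout the thread recommends (IPv4 web traffic redirected to a local squid with rdr-to, the rest NATed, IPv6 simply routed), written out as a pf.conf. This is an added example, not a configuration posted by anyone in the thread; the interface names, the sample prefixes and the squid port are assumptions.

```pf
# Added example (not from the thread): OpenBSD gateway with two NICs.
# Assumes net.inet.ip.forwarding=1 and net.inet6.ip6.forwarding=1 are set in
# /etc/sysctl.conf and that squid is listening in intercept mode on port 3128.
ext_if     = "em0"              # assumed: towards the router / Internet
int_if     = "em1"              # assumed: towards the switch and the computers
lan4       = "192.0.2.0/24"     # constructed sample IPv4 LAN prefix
lan6       = "2001:db8:1::/64"  # constructed sample IPv6 LAN prefix
squid_port = "3128"             # assumed squid intercept port

# Traffic to the local squid socket goes over lo0; do not filter it there.
set skip on lo

# Default deny, logged, so any attempt to bypass the proxy shows up in pflog.
block log all

# IPv4 web traffic from the LAN is redirected to the local squid instead of
# leaving directly.  Only port 80 is intercepted; anything else is NATed below.
pass in quick on $int_if inet proto tcp from $lan4 to any port 80 \
    rdr-to 127.0.0.1 port $squid_port

# IPv4: everything else from the LAN that does not need the proxy is NATed
# behind the gateway's external address.
match out on $ext_if inet from $lan4 nat-to ($ext_if)
pass in on $int_if inet from $lan4

# IPv6: no NAT at all, the gateway just routes between the two adapters.
pass in on $int_if inet6 from $lan6

# Let forwarded traffic, squid's own fetches and the gateway itself leave,
# and let replies go back to the computers.
pass out on $ext_if
pass out on $int_if
```

Because the rdr-to rule only catches TCP port 80, HTTPS and other ports still reach the Internet through the NAT rule rather than through squid, which is the "doesn't need to hit the proxy" path the first message describes.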