patrick keshishian wrote:
On Sun, Apr 26, 2009 at 4:10 PM, bofh <goodb...@gmail.com> wrote:
>> It's called going off on a related tangent - whenever I hear people
>> talking about using something because someone has published a paper
>> and here's all these smart people using it (transparent bridging, etc,
>> or in my case natting externally accessible/routable hosts), it pisses
>> me off.
>> People use it because they have a need to do something. When you're
>> told there's a better way to do things, pay attention, instead of
>> telling the experts here (and I'm talking about the OpenBSD developers
>> in this thread - not me, I'm in management now, no brain cells left)
>> they're wrong because you have all these great URLs - if you want to
>> listen to those people, then you should be using the OS they use too.
> So you prefer to take someone's word blindly without any backing
> evidence or facts, so long as you believe they are a credible source?
Well, let's say that if they spent years developing the system, including
PF and the bridge capability, and the same people tell me that it's
bad to do so, well, HELL yes I would listen to them. They are better
minds than me and they have the code to back it up as well as what they
say.
So, to answer that: yes. They are a credible source; they designed it, for
crying out loud.
> Maybe management is a good place for you, but I'd hate to be a
> shareholder in a company where people like you may have any sort of
> influential role in steering its goals and/or direction.
Not relevant at all. But even if it were, contrary to the majority of
managers who only listen to marketing vaporware, or refuse to dig
themselves, it might be very good to listen to the source of
reason, not to mention the origin of the product, as opposed to
marketing people. Then yes, I would. Most managers wouldn't even
understand it anyway. There are exceptions, but by all means not the
norm, so your analogy is pointless and off topic.
> "Perhaps as one of the older generation, I should preach a
> little sermon to you, but I do not propose to do so. I shall,
> instead, give you a word of advice about how to behave
> toward your elders. When an old and distinguished person
> speaks to you, listen to him carefully and with respect -- but
> do not believe him. Never put your trust in anything but your
> own intellect. Your elder, no matter whether he has gray hair
> or lost his hair, no matter whether he is a Nobel Laureate,
> may be wrong... So you must always be skeptical -- always
> think for yourself."
I am so glad for you that you were born with the knowledge you need
already and do not need to listen to anyone who might speak from years
of experience. I envy you, really I do! I can't claim that gift from
birth myself.
Some might become senile at old age, yes, by the simple fact of getting
older. Still the natural path of life as we know it. May you be blessed as
to never suffer that sad outcome.
But many are still very sound, and a few of them, as opposed to the "young
padawan" hoping to maybe become a Jedi one day, don't need to
prove anything to anyone anymore, and actually provide valuable
information from experience without asking anything in return and
without ulterior motives other than helping whoever is willing to
listen. Many are not withholding knowledge in the hope of getting ahead
and screwing you over in the process to get an edge over you. Yes, it's
rare, but there are still many people like that. I guess it comes with
self-confidence and actual real knowledge. I actually welcome their
input. But do as you wish, no one is stopping you really. (;>
As for why not to do a bridge setup: maybe something as simple as one
example that comes to mind. Your bridge needs to work in promiscuous
mode and will see, receive and process all kinds of crap that it
wouldn't need to otherwise.
More resources will be used on the bridge that could be better used
elsewhere. Should I also add that a misconfiguration of a bridge can stay
undetected for years, whereas a misconfiguration of a decent
firewall not in bridge mode would become more obvious sooner in most
cases anyway. Call that security by default setup if you like. (;>
Don't forget that the simple action of putting a box in bridge mode has the
effect of passing all traffic across it. You may think your bridge is
working as the traffic is passing, but in reality, maybe someone
affected it adversely and you can't see it.
Bridges were useful to split a LAN, years ago when switches weren't
available, or were just too expensive to buy.
Now, that's not the case anymore.
If you really want to use a bridge, by all means do it.
One more example where you could temporarily use a bridge that may help
you and make your life easier in a transition that I can think of is,
for example, when you need to protect a complete LAN that has lots of
servers, computers, etc. behind it, all set up with static
IPs, and that you are in the process of replacing, moving to a
different ISP, or changing the LAN setup. In that case putting a bridge
in the direct path and using one free IP you have available
from the range assigned to you makes the process easier
and faster, and then you can make the changes you need one at a time, etc.
But even then, you don't need an IP for it if you want to work on the
console of the bridge at all times.
So, the transition from one setup to another is much easier and nothing
stops working as you do the setup, as long as you don't create your own
problem, but after your setup is cleaned up, why would you want to keep
using it really?
The bright people who wrote the code said it wasn't good to do so. The
normal operation of such a setup needs more resources from the same box
to do the same things, showing in practice that it's not the most
efficient way to do it, with hard numbers to prove it. Just look at top
for the same box, doing the same thing, one in bridge mode and one in
routing mode. Look at your interrupt level, the interrupt processing, the
traffic it needs to process, the useless additional data that it needs to
also process from promiscuous mode alone, and the additional easy way
to have a misconfigured box that will pass the traffic because of the
bridge mode being enabled where you might think it's running as it should. If
all that and more that I haven't put here doesn't convince you, then
please by all means do so and run bridge mode on your firewall.
But as far as I'm concerned, based on the above, that is plenty already, with
the addition that the great minds who designed it to start with, in PF and
OpenBSD, tell me it's bad. I am not stupid and I will listen to them. If
the above didn't convince me, or I didn't know the above, then I might
ask to know more, but I would still respect their knowledge, which is
surely much higher than mine in that specific subject.
And that has nothing to do with the older generation, even if I would
consider myself in that category anyway. It has everything to do with
knowledge and facts put into place in the code by these same persons.
I really hope this provides you some more details and answers to your
question, and if not, then so be it. I will not take more time trying to
explain it with more details or examples. I thought to provide you some
examples, however, that are very obvious if you think about it for a few
seconds. And this email is already too long as it is.
No one is forcing you, and the world, for the most part anyway, is still
a free place, even if it doesn't feel that way much anymore these days. (;>
You asked a question, you got an answer. If you don't like the answer and
don't want to listen to it, then don't.
But don't try to convince others that it is the way to go or that there
isn't a better way, because in that case, yes, you would definitely be
wrong. (;>
With all due respect, from an older man who yes lost some of his hair
and most definitely will lose more, I hope it gives you something to
think about, but don't take my word for it. Go test it yourself,
just look at some of the examples I put above and make your own conclusions.
Best regards,
Daniel
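As an added example, not taken from Daniel's mail or from the OpenBSD project, here is the transitional setup the mail describes: an OpenBSD pf box inserted as a transparent bridge between an existing statically addressed LAN and its upstream, with an optional management address borrowed from the range already assigned to that LAN. The interface names (em0, em1), the 203.0.113.0/24 prefix, the chosen management address and the published service ports are all constructed assumptions; adjust them to the real network.

```conf
# /etc/hostname.em0  (assumption: em0 faces the upstream router)
# No address: the box is invisible at layer 3 on this side.
up

# /etc/hostname.em1  (assumption: em1 faces the LAN)
# Optional management address, one spare address from the LAN's own range
# (203.0.113.0/24 is a documentation prefix used here as a placeholder).
# Leave this file as just "up" if you intend to manage the box from the console only.
inet 203.0.113.250 255.255.255.0
up

# /etc/hostname.bridge0
# Both members form one layer-2 segment; the LAN hosts keep their static
# IPs and default gateway unchanged, so nothing stops working when the
# box is inserted.
add em0
add em1
up

# /etc/pf.conf
# On a bridge, rules are written against the member interfaces, not bridge0.
ext_if = "em0"
int_if = "em1"
lan    = "203.0.113.0/24"
mgmt   = "203.0.113.250"

set skip on lo

# Default deny. This line is what turns the box from "forwards everything"
# into a firewall: a bridge passes all frames on its own, and if pf is ever
# disabled (pfctl -d) the bridge keeps forwarding with nothing on the wire
# to tell you. Logging the blocks is what lets you notice that something
# is actually being filtered.
block log all

# Inbound from upstream to the published LAN services only (constructed ports).
pass in on $ext_if proto tcp from any to $lan port { 25, 80, 443 }

# LAN hosts may initiate anything outbound.
pass in on $int_if from $lan to any

# Administration of the bridge box itself, from the LAN side only.
pass in on $int_if proto tcp from $lan to $mgmt port 22
```

With the default floating state policy, state created by a "pass in" rule on one member matches the same flow leaving on the other member and its replies arriving there, so no explicit "pass out" rules are needed. A useful sanity check for the failure mode the mail warns about is to run `pfctl -s info` and `pfctl -s rules` after a reboot and confirm pf is enabled and the ruleset loaded; on a routed firewall a missing ruleset tends to show up as an outage, on a bridge it shows up as nothing at all.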