Thanks for the quick responses.
> > corp_net = "{ 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24,
> > 192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24, 192.168.8.0/26 }"
> > dev_net = "{ 192.168.77.128/25 }"
> > dmz_net = "{ 192.168.78.208/29, 192.168.191.64/26 }"
>
> Maybe you could try 10. IPs
> They are more user-friendly...
>
The IPs are fictitious. In reality the addresses will be from real routable
space.
> Well, first of all a lot of antisp00f stuff are missing.
> Also egress filtering could be wanted.
> You said that other things will be added, so I'll not add
> any rules, however I think these rules are good for a filter
> not for a firewall. I mean they filter, but don't use all the
> power of THE Packet Filter.
>
The antispoofing stuff will come later. I'm not sure what you mean about
egress filtering. Due to the nature of the bridge, I am filtering inbound
and outbound (ingress and egress) to accommodate stateful traffic flow.
I'm also interested in hearing more on what you mean by the rules being good
for a filter not a firewall - I would say that any packet filter is a
firewall.
Remember the general idea for anyone implementing a transparent bridge is
usually to hide the presence of any packet filtering device. Well, it is for
me in any case. To this end, such things as return-icmp-as-destination type
rules are not ideal - if that is what you are referring to when talking
about the power of the packet filter.
Cheers,
Adrian.
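An added pf.conf sketch of the bridge ruleset under discussion, showing how the quoted macros combine with a silent drop policy, address-based spoof checks on both bridge members and stateful pass rules; it is not from the thread or its author. The interface names, the table name and the published DMZ ports are assumptions.

```pf
# Added example, not from the original post. Macros copied from the quoted
# message; em0/em1 are assumed to be the two bridge member interfaces.
ext_if = "em0"
int_if = "em1"
corp_net = "{ 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24,
              192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24, 192.168.8.0/26 }"
dev_net  = "{ 192.168.77.128/25 }"
dmz_net  = "{ 192.168.78.208/29, 192.168.191.64/26 }"

# One table for "everything behind the bridge": pf cannot negate a { } list
# in a single rule, but it can negate a table.
table <inside> { $corp_net $dev_net $dmz_net }

# Drop silently. The return/return-icmp policies answer blocked packets and
# so reveal that a filtering device sits on the path.
set block-policy drop
set skip on lo0

# Default deny in both directions on both members.
block log all

# Spoof checks by address rather than the antispoof keyword, because bridge
# members carry no IP addresses for pf to derive the rules from.
# Outside member: nothing arriving from the Internet may claim an inside source.
block in log quick on $ext_if from <inside>
# Inside member: only inside sources may leave (this is the egress check).
block in log quick on $int_if from ! <inside>

# Published DMZ services from the Internet (ports assumed for the example).
pass in quick on $ext_if proto tcp from any to $dmz_net \
    port { 25, 80, 443 } flags S/SA keep state

# Corp and dev hosts may initiate outbound TCP and DNS; the DMZ may not.
pass in quick on $int_if proto tcp from { $corp_net $dev_net } to any \
    flags S/SA keep state
pass in quick on $int_if proto udp from { $corp_net $dev_net } to any \
    port 53 keep state

# A packet can only leave one member after being passed in on the other,
# so passing all outbound traffic lets each stateful flow cross the bridge.
pass out quick on { $ext_if $int_if } keep state
```

Check the macro and table expansion before loading with `pfctl -nvf /etc/pf.conf`, which prints the fully expanded rules without installing them.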