On Mon, Apr 27, 2009 at 11:20:07PM +0200, Felipe Alfaro Solana wrote:
On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst ted.unan...@gmail.com wrote:
On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
felipe.alf...@gmail.com wrote:
Again, not a single or valid technical argument on why a
Now it makes sense.
Claudio Jeker wrote:
snip
but it is sitting in the middle of your network passing
packets. I couldn't sleep with such a system in my core.
It is also a lot easier to bypass unnoticed a bridging FW/IDS
then a box
that does actual routing.
THAT's why it is called a
On 2009-04-28, Daniel Ouellet dan...@presscom.net wrote:
Henning Brauer wrote:
* Daniel Ouellet dan...@presscom.net [2009-04-28 02:49]:
shut up! All are real and I even learn from Henning about the loss of
Queue here as well, which I haven't thought of then. So, loss of queue
means also
Stuart Henderson wrote:
On 2009-04-28, Daniel Ouellet dan...@presscom.net wrote:
Henning Brauer wrote:
* Daniel Ouellet dan...@presscom.net [2009-04-28 02:49]:
shut up! All are real and I even learn from Henning about the loss of
Queue here as well, which I haven't thought of then. So, loss
On Tue, Apr 28, 2009 at 8:35 AM, Claudio Jeker cje...@diehard.n-r-g.com wrote:
Did you ever check the security record of snort? It is at least as bad as
wireshark's but it is sitting in the middle of your network passing
packets. I couldn't sleep with such a system in my core.
It is also a
Felipe Alfaro Solana wrote:
Isn't this how humans learn? By making mistakes and learning
from them? :)
Nah not really.
They watch their brother or sister get burned by a hot stove and
decide maybe better not to find out for themselves.
They watch one of their playmates drown or get run
* Stuart Henderson s...@spacehopper.org [2009-04-28 12:08]:
On 2009-04-28, Daniel Ouellet dan...@presscom.net wrote:
Henning Brauer wrote:
* Daniel Ouellet dan...@presscom.net [2009-04-28 02:49]:
shut up! All are real and I even learn from Henning about the loss of
Queue here as well,
On Mon, Apr 27, 2009 at 4:10 AM, Daniel Ouellet dan...@presscom.net wrote:
The bright people that did the code said it wasn't good to do so. The normal
operations of such a setup need more resources from the same box to do the
same things, showing in practice that it's not the most efficient
* Felipe Alfaro Solana felipe.alf...@gmail.com [2009-04-26 20:37]:
On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer lists-open...@bsws.de wrote:
* openbsder openbs...@gmail.com [2009-04-24 12:19]:
Recently, it has been suggested that a transparent firewall
implementation
is ideal where
* FRLinux frli...@gmail.com [2009-04-27 09:05]:
On Mon, Apr 27, 2009 at 4:10 AM, Daniel Ouellet dan...@presscom.net wrote:
The bright people that did the code said it wasn't good to do so. The normal
operations of such a setup need more resources from the same box to do the
same things,
* Henning Brauer lists-open...@bsws.de [2009-04-27 10:00]:
transparent firewalls are beyond stupid.
and, btw, I love that idiotic term.
what is a transparent firewall?
is it transparent? then it cannot be a firewall.
is it a firewall? then it cannot be transparent.
how is dropping packets (or
Felipe Alfaro Solana wrote:
On Mon, Apr 27, 2009 at 1:10 AM, bofh goodb...@gmail.com wrote:
People use it because they have a need to do something. When you're
told there's a better way to do things, pay attention,
Still no arguments on why idiots use transparent firewalls. Good to know.
On Mon, Apr 27, 2009 at 5:10 AM, Daniel Ouellet dan...@presscom.net wrote:
patrick keshishian wrote:
On Sun, Apr 26, 2009 at 4:10 PM, bofh goodb...@gmail.com wrote:
It's called going off on a related tangent - whenever I hear people
talking about using something because someone has
* Felipe Alfaro Solana felipe.alf...@gmail.com [2009-04-27 11:56]:
For a two-interface router/firewall, most of the traffic that reaches it
will probably have to traverse it anyways, so I don't see how a
two-interface bridge or a two-interface router will have different
workloads.
it has been
/technology/handbook/Bridging-Basics.html
Best,
Marcello
- Original Message -
From: Daniel Ouellet dan...@presscom.net
To: Openbsd-Misc misc@openbsd.org
Sent: Monday, April 27, 2009 12:10 AM
Subject: Re: Transparent firewall (bridge) with DMZ + LAN
patrick keshishian wrote:
On Sun, Apr 26
On Mon, Apr 27, 2009 at 1:00 PM, Henning Brauer lists-open...@bsws.de wrote:
* Felipe Alfaro Solana felipe.alf...@gmail.com [2009-04-27 11:56]:
For a two-interface router/firewall, most of the traffic that reaches it
will probably have to traverse it anyways, so I don't see how a
-33_snort_EN.pdf
and not a pure bridge, as described in the links you sent.
Best,
Marcello
- Original Message - From: Daniel Ouellet dan...@presscom.net
To: Openbsd-Misc misc@openbsd.org
Sent: Monday, April 27, 2009 12:10 AM
Subject: Re: Transparent firewall (bridge) with DMZ + LAN
On Sun, 26 Apr 2009, Felipe Alfaro Solana wrote:
SNIP
Really? What's wrong with transparent bridging? What's wrong with a
transparent, in-line IDS? What's wrong with a software tap? All of these
technologies use some sort of transparent bridging and are not being used
exclusively by idiots, but
On Sun, 26 Apr 2009, bofh wrote:
Anyone who puts in an inline IDS is a damned idiot. D stands for
detection, so you should always use a tap or something else. Only IPS
should be inline.
I know of inline IDS systems that work, but they're custom hardware
solutions running on FPGA based
On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
felipe.alf...@gmail.com wrote:
Again, not a single or valid technical argument on why a bridging firewall
is a bad idea. Just a moot and offensive response, and a very
strong assessment from someone that doesn't know me at all. It's also
You can either read the code or listen to somebody who has. I don't
know you either, but I know Henning and I know the bridge code, and
the short version is he's right.
Has anyone noticed
That if you substitute Bible for code, in the section quoted above,
it's like listening to someone who
On Mon, Apr 27, 2009 at 3:02 PM, openbsd misc open...@6wells.com wrote:
You can either read the code or listen to somebody who has. I don't
know you either, but I know Henning and I know the bridge code, and
the short version is he's right.
Has anyone noticed
That if you substitute Bible
openbsd misc wrote:
You can either read the code or listen to somebody who has. I don't
know you either, but I know Henning and I know the bridge code, and
the short version is he's right.
Has anyone noticed
That if you substitute Bible for code, in the section quoted above,
On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst ted.unan...@gmail.com wrote:
On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
felipe.alf...@gmail.com wrote:
Again, not a single or valid technical argument on why a bridging
firewall
is a bad idea. Just a moot and offensive response,
On Mon, Apr 27, 2009 at 3:02 PM, openbsd misc open...@6wells.com wrote:
You can either read the code or listen to somebody who has. I don't
know you either, but I know Henning and I know the bridge code, and
the short version is he's right.
Has anyone noticed
That if you substitute Bible
On Mon, 27 Apr 2009 23:20:07 +0200
Felipe Alfaro Solana felipe.alf...@gmail.com wrote:
And again, I think you mean that running a bridge under OpenBSD is
perhaps not the fastest or brightest solution. And I trust you. But
again, I have yet to hear a single technical argument on why running,
On 4/27/09, Felipe Alfaro Solana felipe.alf...@gmail.com wrote:
On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst ted.unan...@gmail.com wrote:
On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
felipe.alf...@gmail.com wrote:
Again, not a single or valid technical argument on why a bridging
On Tue, Apr 28, 2009 at 1:16 AM, Robert rob...@openbsd.pap.st wrote:
On Mon, 27 Apr 2009 23:20:07 +0200
Felipe Alfaro Solana felipe.alf...@gmail.com wrote:
And again, I think you mean that running a bridge under OpenBSD is
perhaps not the fastest or brightest solution. And I trust you. But
On Tue, Apr 28, 2009 at 1:29 AM, Fred Crowson
fred.crow...@googlemail.com wrote:
On 4/27/09, Felipe Alfaro Solana felipe.alf...@gmail.com wrote:
On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst ted.unan...@gmail.com
wrote:
On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
On Mon, Apr 27, 2009 at 5:20 PM, Felipe Alfaro Solana
felipe.alf...@gmail.com wrote:
And again, I think you mean that running a bridge under OpenBSD is perhaps
not the fastest or brightest solution. And I trust you. But again, I have
yet to hear a single technical argument on why running, for
* Felipe Alfaro Solana felipe.alf...@gmail.com [2009-04-28 02:08]:
And again, I think you mean that running a bridge under OpenBSD is
perhaps
not the fastest or brightest solution. And I trust you. But again, I have
yet to hear a single technical argument on why running, for example,
* Daniel Ouellet dan...@presscom.net [2009-04-28 02:49]:
shut up! All are real and I even learn from Henning about the loss of
Queue here as well, which I haven't thought of then. So, loss of queue
means also loss of AltQ too.
no, this is not related to altq at all.
--
Henning Brauer,
Henning Brauer wrote:
* Daniel Ouellet dan...@presscom.net [2009-04-28 02:49]:
shut up! All are real and I even learn from Henning about the loss of
Queue here as well, which I haven't thought of then. So, loss of queue
means also loss of AltQ too.
no, this is not related to altq at all.
Felipe Alfaro Solana wrote:
On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst ted.unan...@gmail.com wrote:
On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
felipe.alf...@gmail.com wrote:
Again, not a single or valid technical argument on why a bridging
firewall
is a bad idea. Just a moot
On Sun, Apr 26, 2009 at 1:39 AM, Daniel Ouellet dan...@presscom.net wrote:
But he is suggesting to avoid it at any cost when possible.
Sorry but I do not understand why?
Cheers,
Steph
On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer lists-open...@bsws.de wrote:
* openbsder openbs...@gmail.com [2009-04-24 12:19]:
Recently, it has been suggested that a transparent firewall
implementation
is ideal where possible. But as far as I understand, transparency is only
available
On Sun, April 26, 2009 08:01, FRLinux wrote:
On Sun, Apr 26, 2009 at 1:39 AM, Daniel Ouellet dan...@presscom.net
wrote:
But he is suggesting to avoid it at any cost when possible.
Sorry but I do not understand why?
Cheers,
Steph
me too. really curious about this.
matheus
--
We will call
Anyone who puts in an inline IDS is a damned idiot. D stands for
detection, so you should always use a tap or something else. Only IPS
should be inline.
You obviously do not know what you're talking about. Things like NAT
have their uses too, but people who design networks including DMZs and
On Sun, Apr 26, 2009 at 9:21 PM, bofh goodb...@gmail.com wrote:
Anyone who puts in an inline IDS is a damned idiot. D stands for
detection, so you should always use a tap or something else. Only IPS
should be inline.
You should provide arguments, not empty words. At least, if you are
It's called going off on a related tangent - whenever I hear people
talking about using something because someone has published a paper
and here's all these smart people using it (transparent bridging, etc,
or in my case natting externally accessible/routable hosts), it pisses
me off.
People use
On Mon, Apr 27, 2009 at 1:10 AM, bofh goodb...@gmail.com wrote:
It's called going off on a related tangent - whenever I hear people
talking about using something because someone has published a paper
and here's all these smart people using it (transparent bridging, etc,
or in my case natting
bofh wrote:
... When you're
told there's a better way to do things, pay attention, instead of
telling the experts here (and I'm talking about the openbsd developers
in this thread - not me, I'm in management now, no brain cells left)
... old age is my excuse ... but it pays to pay attention
On Sun, Apr 26, 2009 at 4:10 PM, bofh goodb...@gmail.com wrote:
It's called going off on a related tangent - whenever I hear people
talking about using something because someone has published a paper
and here's all these smart people using it (transparent bridging, etc,
or in my case natting
patrick keshishian wrote:
On Sun, Apr 26, 2009 at 4:10 PM, bofh goodb...@gmail.com wrote:
It's called going off on a related tangent - whenever I hear people
talking about using something because someone has published a paper
and here's all these smart people using it (transparent bridging,
* openbsder openbs...@gmail.com [2009-04-24 12:19]:
Recently, it has been suggested that a transparent firewall implementation
is ideal where possible. But as far as I understand, transparency is only
available when the firewall acts as a bridge between TWO networks. How would
I keep my DMZ
On Sat, Apr 25, 2009 at 2:57 PM, Henning Brauer lists-open...@bsws.de wrote:
bridging is stupid. don't. there are cases where you can't avoid it,
but deliberately? about as clever as knowingly drinking methanol.
Hello Henning,
Sorry for asking, but just to make sure I understand your
FRLinux wrote:
On Sat, Apr 25, 2009 at 2:57 PM, Henning Brauer lists-open...@bsws.de wrote:
bridging is stupid. don't. there are cases where you can't avoid it,
but deliberately? about as clever as knowingly drinking methanol.
Hello Henning,
Sorry for asking, but just to make sure I
I'm currently interested in setting up a three-legged network, using OBSD+PF
as the firewall. Originally, I had jus
I am currently interested in setting up a three-legged network topology,
using OBSD+PF as the firewall appliance. Originally, I was going to simply
have the firewall equipped with three network cards: one for DMZ, one for
LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was
On Fri, Apr 24, 2009 at 12:12 PM, openbsder openbs...@gmail.com wrote:
I am currently interested in setting up a three-legged network topology,
using OBSD+PF as the firewall appliance. Originally, I was going to simply
have the firewall equipped with three network cards: one for DMZ, one for
Sorry for the confusion. I understand that bridging is possible under
OpenBSD but it's also my understanding that if I have interfaces A, B, and
C, I can bridge A to either B or C, but not both. Is this correct?
Referring to this topology: