IP-less bridge as firewall in high-risk environments



  • Hello,

    I heard that in high-risk environments it would be an advantage to use
    an IP-less bridge (one with no IP address) as a firewall.

    Could that be achieved with pfSense?

    What would be the disadvantage of such an approach?

    Thanks a lot for any feedback!

    John



  • If I understand you correctly, it's a transparent firewall you want.

    http://www.securityfocus.com/infocus/1737

    http://pfsense.trendchiller.com/transparent_firewall.pdf



  • Hi,

    I have it working very well, so I can recommend it to you.

    The only problem I have for now is that my hosts behind the bridge can't communicate with each other. I think it's because they want to use the gateway that is in front of the bridge and I need to make rules back inside… but that is not how it should be, I think.

    For the rest, it works very nicely with the latest snapshot.

    Matt



  • Thanks a lot for the helpful information!

    At the moment, my firewall (fli4l :) is also the gateway for the local WXP clients and
    a little AD server (W2K3).

    Question:
    If pfSense is set up as a transparent bridging firewall, can it no longer be a
    gateway (and therefore be reached from the internal network with an IP)?

    Thanks a lot for any feedback!

    John



  • @john99:

    Thanks a lot for the helpful information!

    At the moment, my firewall (fli4l :) is also the gateway for the local WXP clients and
    a little AD server (W2K3).

    Question:
    If pfSense is set up as a transparent bridging firewall, can it no longer be a
    gateway (and therefore be reached from the internal network with an IP)?

    Not on the same interface. You can leave your LAN setup as it is now, add an OPT interface bridged to WAN and use it for your publicly accessible services.
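    As an added example (not from this thread and not the pfSense project's own configuration), this is what the layout described in the reply looks like on the FreeBSD layer underneath pfSense: the LAN interface keeps its address and stays routed, a second interface is bridged to WAN for the publicly reachable hosts, the bridge itself carries no IP address, and pf filters on the member interfaces. The interface names (em0 WAN, em1 LAN, em2 OPT), the LAN prefix, the public address 203.0.113.10 and the service ports are assumptions for illustration only; pfSense sets the same bridge filtering tunables through its own GUI rather than these files.

```conf
# /etc/rc.conf  -- assumed interface names; bridge0 deliberately gets no IP address
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em2 up"   # em0 = WAN member, em2 = OPT member (bridged segment)
ifconfig_em0="DHCP"                       # WAN keeps its address so the box is still manageable
ifconfig_em1="inet 192.168.1.1/24"        # LAN stays routed; its hosts keep using the box as gateway
ifconfig_em2="up"                         # OPT member carries no address of its own
pf_enable="YES"

# /etc/sysctl.conf  -- filter on the member interfaces, not on bridge0 itself
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0

# /etc/pf.conf  -- default deny; only the published service is let through the bridge
wan = "em0"
lan = "em1"
opt = "em2"
web_srv = "203.0.113.10"      # assumed public host sitting behind the bridged OPT interface
lan_net = "192.168.1.0/24"

set skip on lo0
block log all

# routed LAN: hosts may still reach the firewall's LAN address and go out through it
pass in on $lan from $lan_net to any keep state
pass out on $wan from $lan_net to any nat-to ($wan) keep state

# bridged OPT segment: Internet may only reach the published service; replies follow the state
pass in on $wan proto tcp from any to $web_srv port { 80, 443 } flags S/SA keep state
# let the published host originate DNS and HTTP(S) (updates) but nothing else
pass in on $opt proto { tcp, udp } from $web_srv to any port { 53, 80, 443 } keep state
```

    With pfil_member=1 the frames are inspected once on the way in on em0 and once on the way out on em2, so a single stateful `pass in` rule on the WAN member is enough for the whole path; the `block log all` default means any host on the bridged segment that is not named in a rule is unreachable from outside and cannot initiate connections itself, which is the property the transparent design is chosen for.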

