IP-less bridge as firewall in high-risk environments


  • Hello,

    I heard that in high-risk environments it would be advantageous to use
    an IP-less bridge (without/no IP address) as a firewall.

    Could that be achieved with pfSense?

    What would be the disadvantage of such an approach?

    Thanks a lot for any feedback!

    John


  • If I understand you correctly, it's a transparent firewall you want.

    http://www.securityfocus.com/infocus/1737

    http://pfsense.trendchiller.com/transparent_firewall.pdf


  • Hi,

    I have it working very well, so I can recommend it to you.

    The only problem I have for now is that my hosts behind the bridge can't communicate with each other. I think it's because they want to use the gateway that is in front of the bridge, and I need to make rules back inside… but that is not how it should be, I think.

    For the rest it works very nicely with the latest snapshot.

    Matt


  • Thanks a lot for the helpful information!

    At the moment, my firewall (fli4l) is also the gateway for the local WXP clients and
    a little AD server (W2K3).

    Question:
    If pfSense is set up as a transparent bridging firewall, can it no longer be a
    gateway (and therefore no longer be reachable from the internal network via an IP)?

    Thanks a lot for any feedback!

    John


  • @john99:

    Thanks a lot for the helpful information!

    At the moment, my firewall (fli4l) is also the gateway for the local WXP clients and
    a little AD server (W2K3).

    Question:
    If pfSense is set up as a transparent bridging firewall, can it no longer be a
    gateway (and therefore no longer be reachable from the internal network via an IP)?

    Not on the same interface. You can leave your LAN setup as it is now, add an OPT interface bridged to WAN, and use it for your publicly accessible services.
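One way to build the layout described in the last reply (LAN stays routed and NATed with its own IP, an OPT interface is bridged to WAN and carries no IP address, and the public servers sit behind that bridge) on the FreeBSD/pf stack that pfSense runs on. This is an added example, not part of the thread and not pfSense's own generated configuration. The interface names em0/em1/em2, the 203.0.113.0/29 addressing (RFC 5737 documentation range), the two DMZ host addresses and the management ports are assumptions. The script only writes the four files into a directory you name, so it can be run and reviewed anywhere before anything is copied to a firewall; the `bridge_has_no_ip` check is what you would run against `ifconfig` on the box afterwards to confirm the bridge and its OPT member really are IP-less.

```shell
#!/bin/sh
# Added example (not from the thread): generate FreeBSD loader.conf, rc.conf,
# sysctl.conf and pf.conf for "LAN routed, OPT bridged to WAN, OPT has no IP".
set -eu

# Assumed names/addresses (hypothetical; 203.0.113.0/29 is a documentation range).
WAN_IF="em0"; LAN_IF="em1"; OPT_IF="em2"
WAN_ADDR="203.0.113.2/29"; WAN_GW="203.0.113.1"
LAN_ADDR="192.168.1.1/24"; LAN_NET="192.168.1.0/24"
DMZ_HOSTS="{ 203.0.113.3, 203.0.113.4 }"   # public servers on the OPT segment

gen_loader_conf() {
    # if_bridge must be loaded before sysctl.conf is applied, or the
    # net.link.bridge.* knobs below do not exist yet at boot.
    printf 'if_bridge_load="YES"\n'
}

gen_rc_conf() {
    cat <<EOF
cloned_interfaces="bridge0"
ifconfig_bridge0="addm ${WAN_IF} addm ${OPT_IF} up"
ifconfig_${WAN_IF}="inet ${WAN_ADDR}"
ifconfig_${OPT_IF}="up"
ifconfig_${LAN_IF}="inet ${LAN_ADDR}"
defaultrouter="${WAN_GW}"
gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"
EOF
}

gen_sysctl_conf() {
    # pfil_member=1: pf filters frames on each member (em0/em2) as they enter
    # and leave the bridge; pfil_bridge=0: no second pass on bridge0 itself.
    # pfil_onlyip (default 1) means ARP and other non-IP frames bypass pf.
    cat <<EOF
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_onlyip=1
EOF
}

gen_pf_conf() {
    # Macros first (shell-expanded), then the rule set (not shell-expanded).
    printf 'wan = "%s"\nlan = "%s"\nopt = "%s"\nlan_net = "%s"\ndmz_hosts = "%s"\n' \
        "$WAN_IF" "$LAN_IF" "$OPT_IF" "$LAN_NET" "$DMZ_HOSTS"
    cat <<'EOF'
set skip on lo0
scrub in all
# LAN is hidden behind the WAN address; DMZ hosts keep their public addresses.
nat on $wan from $lan_net to any -> ($wan)
block log all
# Firewall management only from LAN, on the LAN address.
pass in on $lan proto tcp from $lan_net to ($lan) port { 22, 443 } keep state
# LAN may reach WAN and the DMZ; replies ride the (floating) state.
pass in on $lan from $lan_net to any keep state
# Internet -> DMZ: only the published services. The frame is filtered as it
# enters on $wan and again as it leaves on $opt (pfil_member=1); the state
# created by the first rule already matches the second pass, the explicit
# out rule documents the intent and survives if state-policy is changed.
pass in  on $wan proto tcp from any to $dmz_hosts port { 80, 443 } keep state
pass out on $opt proto tcp from any to $dmz_hosts port { 80, 443 } keep state
# DMZ -> anywhere (DNS, updates); tighten to specific ports in production.
pass in on $opt from $dmz_hosts to any keep state
pass out on { $wan, $lan } all keep state
EOF
}

# Post-deployment check: the block of `ifconfig <if>` output for bridge0 and
# for the OPT member must contain no inet/inet6 line at all (not even link-local).
bridge_has_no_ip() {
    ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]+inet6? '
}

# Constructed sample ifconfig output (not captured from a real box).
SAMPLE_BRIDGE0='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:ff:a1
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'
SAMPLE_EM0='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.2 netmask 0xfffffff8 broadcast 203.0.113.7'

write_all() {
    out="$1"; mkdir -p "$out"
    gen_loader_conf > "$out/loader.conf"
    gen_rc_conf     > "$out/rc.conf"
    gen_sysctl_conf > "$out/sysctl.conf"
    gen_pf_conf     > "$out/pf.conf"
    echo "wrote loader.conf rc.conf sysctl.conf pf.conf into $out"
}

# Usage: sh bridge-fw.sh ./out   (no argument: only define the functions)
if [ $# -gt 0 ]; then
    write_all "$1"
    bridge_has_no_ip "$SAMPLE_BRIDGE0" && echo "sample bridge0 is IP-less"
fi
```

The WAN member (em0) deliberately keeps its address, which is what lets pfSense stay the LAN's gateway and NAT box while the OPT segment is filtered purely at layer 2; only em2 and bridge0 are left without an IP.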