My take on this is that structuring the firewall as a bridge has
a fair number of advantages:
- transparent installation, you don't have to monkey around with
subnetting. This is *cool*.
- protocol independence, you can (if you like) handle anything that
shows up on the wire, by 'merely' writing software.
- better information. You have MAC addresses and whatnot very handy,
since you are (by definition) down in the kernel.
- I think there are some opportunities for better spoofing of
things, but as I cannot formulate why, I have a nasty suspicion that
I am wrong here.
The down sides are:
- your CPU gets hammered on busy networks, since you have to be
fondling every packet on the wire, not just stuff in-transit.
You don't have fancy filtering hardware to ditch the frames that
you don't have to look at, like a real bridge does.
- you either have to implement spanning tree stuff and interoperate
with real bridges (a pain) or accept that fact that if some idiot
puts a loop in the network, you are dead.
Has anyone tried looping a network with a SunScreen in it to see what
happens? It occurs to me that these two problems could be handled by hiding
the BridgeWall between two real bridges, though this would be weird and
wonderful.
When I was experimenting with some fast packet filtering technologies
under Linux, I implemented it in a simple bridge. Worked pretty well, simple,
seamless, and performance limited by the ethernet drivers.
Andrew
|
|
