2. What and Why (and How?)

2.1 What

A bridge is an intelligent connecting wire betwen two network cards. A firewall is an intelligent insulator.

2.2 Why

You might want a bridge if you have several computers:

1. to save the price of a new hub when you just happen to have an extra ethernet card available.
2. to save the bother of learning how to do IP-forwarding and other tricks when you _have_ two cards in your computer.
3. to avoid maintenance work in the future when things change around!

``Several computers'' might be as few as three if those are routing or bridging or just moving around the room from time to time! You also might want a bridge just for the fun of finding out what it does. 2 was what I wanted a bridge for.

If you are really interested in 1, you have to be one of the very few. Check the NET-2-HOWTO and the Serial-HOWTO for better tricks.

You want a firewall if

1. you are trying to protect your network from external accesses, or
2. you are trying to deny access to the world outside from your network.

Curiously, I needed 2 here too. Policy at my university presently is that we should not act as internet service providers to undergraduates.

2.3 How?

I started out bridging the network cards in a firewalling machine and ended up firewalling without having cut the bridge. It seems to work and is more flexible than either configuration alone. I can take down the firewall and keep bridging or take down the bridge when I want to be more circumspect.

I would guess that the bridge code lives just above the physical device layer and the firewalling code lives one layer higher up, so that the bridging and firewalling configurations effectively act as though they are running connected together ``in sequence'' and not ``in parallel'' (ouch!). Diagram:

-> Bridge-in -> Firewall-in -> Kernel -> Firewall-out -> Bridge-out ->

There is no other way to explain how one machine can be a ``conductor'' and an ``insulator'' at the same time. There are a few caveats but I'll come to those later. Basically you must route packets that you want to firewall. Anyway, it all seems to work together nicely for me. Here is what you do ...