Invisible gateway - bridge

A bridge in our context is a machine with two or more network interfaces, located between the Internet and one or more internal networks, where the network interfaces are not assigned IP addresses. If the machine in question runs OpenBSD or a similarly capable operating system, it is still able to filter and redirect traffic. The advantage of such a setup is that attacking the firewall itself is more difficult, since it presents no IP address to attack. The disadvantage is that all admin tasks must be performed at the firewall's console, unless you configure a network interface that is reachable via a secured network of some kind, or a serial console.

The exact method for configuring bridges differs in some details between the operating systems. Below is a short recipe for use on OpenBSD, which for good measure blocks all non-Internet protocol traffic. Setting up a bridge with two interfaces:

/etc/hostname.xl0

up

/etc/hostname.xl1

up

/etc/bridgename.bridge0

add xl0 add xl1 blocknonip xl0 blocknonip xl1 up

/etc/pf.conf

# macro names may only contain letters, digits and underscores (pf.conf(5)),
# so the name must not contain a hyphen
ext_if = xl0
int_if = xl1
interesting_traffic = { ... }
block all
# let everything through on the external side; filtering happens once, on $int_if
pass quick on $ext_if all
# since a bridge interface carries no address, use the internal network's
# address range as the source here
pass log on $int_if from $int_if to any port $interesting_traffic \
     keep state
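Since a bridge firewall is usually administered from its console, it pays to catch pf.conf mistakes before loading the rule set; `pfctl -nf /etc/pf.conf` is the authoritative check, but it is only available on a PF host. The following POSIX shell function is an added example, not part of the original text: it flags macro definitions whose names pfctl would reject (pf.conf(5) allows only letters, digits and underscores, so a name such as interesting-traffic fails) and references to macros that were never defined. The sample rule set embedded in it is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original text): a pre-flight check for pf.conf
# macros using only POSIX sh and awk. The sample rule set is constructed; it
# mirrors the bridge configuration above but keeps a hyphenated macro name.
SAMPLE_BAD='ext_if = xl0
int_if  = xl1
interesting-traffic = { 22, 80 }
block all
pass quick on $ext_if all
pass log on $int_if from $int_if to any port $interesting-traffic \
     keep state'
# The same rule set with a valid macro name (also constructed).
SAMPLE_GOOD=$(printf '%s\n' "$SAMPLE_BAD" | sed 's/interesting-traffic/interesting_traffic/g')
# pf_check_macros FILE: prints "bad-name NAME" for a definition whose name uses
# anything but letters, digits and underscores, and "undefined NAME" for a
# $NAME reference with no definition. Returns 1 if anything was reported.
pf_check_macros() {
    awk '
    { sub(/#.*/, "") }                  # drop comments
    /^[ \t]*[^ \t=]+[ \t]*=/ {          # macro definition: NAME = value
        name = $0
        sub(/^[ \t]*/, "", name); sub(/[ \t]*=.*/, "", name)
        defined[name] = 1
        if (name !~ /^[A-Za-z0-9_]+$/) { print "bad-name " name; bad = 1 }
        next
    }
    {                                   # every $NAME reference must resolve
        line = $0
        while (match(line, /[$][A-Za-z0-9_]+/)) {
            ref = substr(line, RSTART + 1, RLENGTH - 1)
            if (!(ref in defined)) { print "undefined " ref; bad = 1 }
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { if (bad) exit 1 }
    ' "$1"
}
# check_sample RULESET: write the rule set to a temporary file and check it.
check_sample() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    if pf_check_macros "$tmp"; then status=0; else status=1; fi
    rm -f "$tmp"
    return $status
}
check_sample "$SAMPLE_BAD" || echo "SAMPLE_BAD: problems found"
check_sample "$SAMPLE_GOOD" && echo "SAMPLE_GOOD: macros OK"
```

The bad sample reports the hyphenated definition and, because pfctl would read `$interesting-traffic` as the macro `$interesting` followed by text, an undefined reference as well.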

Significantly more complicated setups are possible. Experienced bridgers recommend picking one of the interfaces to perform all filtering and redirection: every packet crossing the bridge passes through PF's view twice, once on each interface, and rule sets that filter on both quickly become extremely complicated.

In addition, the OpenBSD brconfig command offers its own set of filtering options alongside its other configuration options. The bridge(4) and brconfig(8) man pages offer further information.

FreeBSD uses a slightly different set of commands to configure bridges, while the NetBSD PF implementation does not support bridging.