The Bridging Firewall
An Ethernet bridge consists of two or more interfaces that are configured to forward Ethernet frames transparently and are not directly visible to the upper layers, such as the TCP/IP stack. In a filtering context, the bridge configuration is often considered attractive because it means that the filtering can be performed on a machine that does not have any IP addresses of its own. If the machine in question runs OpenBSD or a similarly capable operating system, it is still able to filter and redirect traffic.
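As an added illustration (not taken from the book), a minimal OpenBSD configuration for the bridge described above could look like the following. The interface names em0 and em1, the choice of which one faces outward, and the port list are assumptions made for this example.

```conf
# /etc/hostname.em0  (assumed outside-facing member; no IP address assigned)
up

# /etc/hostname.em1  (assumed inside-facing member; no IP address assigned)
up

# /etc/hostname.bridge0
# Join both interfaces to the bridge. blocknonip drops frames that are
# not IPv4, IPv6, ARP or RARP, since PF cannot filter non-IP protocols.
add em0 add em1 blocknonip em0 blocknonip em1 up

# /etc/pf.conf
ext_if = "em0"                      # assumed name
int_if = "em1"                      # assumed name
allowed_tcp = "{ 22, 80, 443 }"     # constructed sample policy

# Every forwarded frame crosses both members (in on one, out on the
# other), so filter on one member only and skip PF on the other.
set skip on $int_if

block log on $ext_if all

# Connections initiated from the outside toward the protected hosts
pass in on $ext_if inet proto tcp to port $allowed_tcp

# Connections initiated by the protected hosts; replies match state
pass out on $ext_if inet
```

Because neither member interface has an address, the rules match on the traffic of the hosts behind the bridge, and the filtering machine itself offers nothing to connect to over the network.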
The main perceived advantage of such a setup is that attacking the firewall itself is more difficult. The disadvantage is that all admin tasks must be performed at the firewall's console, unless you configure a network ...