by avidiax 168 days ago
I feel like it's easier to just have Ethernet and a strict HW firewall with the admin interfaces totally disabled (have to full reset to get back in).

You can either just block packets in one direction, or you can add a small amount of risk and allow UDP and TCP with zero payload in one direction. That would allow you to reliably stream in one direction and request from either direction, albeit with a slightly exploitable channel (timing, reliability or the space of values allowed in the protocol).

You already have to trust the RPI hardware to not enable WiFi on either side, so why not trust a router?


> I feel like it's easier to just have Ethernet and a strict HW firewall with the admin interfaces totally disabled (have to full reset to get back in).

Easier? Maybe, for certain values of easy, but as others have noted it's not hard to build a data diode setup using fiber Ethernet, and from there you just have to hardcode some ARP data and maybe a route entry to allow UDP to flow.

The thing is that with your solution, as long as the firewall works properly, data shouldn't be able to leak in the wrong direction. With a proper data diode, as long as physics continues to function more or less how we understand it, you can prove that data cannot leak in the wrong direction. That's a huge difference, especially when it comes to explaining what you're doing to non-technical higher-ups, auditors, lawyers, etc.
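To make the "UDP over a one-way link" part of the two comments above concrete, here is an added example (not code from either commenter). With no return path there are no ACKs, no retransmission requests and no ARP replies, so the application has to frame each chunk with a sequence number and checksum, repeat the stream to ride over loss, and let the receiver detect gaps on its own. The stream id, chunk size, the 20 KiB sample payload and the "drop every third frame" channel are all constructed for the demonstration; `udp_emitter` is the only piece that touches a real socket and it is never called by the in-memory run.

```python
import itertools
import socket
import struct
import zlib

# Frame header: stream id, sequence number, total chunks, CRC-32 of payload.
HDR = struct.Struct("!IIII")


def frame(stream_id: int, seq: int, total: int, payload: bytes) -> bytes:
    """Wrap one chunk so the receiver can order it and reject corruption."""
    return HDR.pack(stream_id, seq, total, zlib.crc32(payload)) + payload


def parse(datagram: bytes):
    """Return (stream_id, seq, total, payload), or None for a damaged frame."""
    if len(datagram) < HDR.size:
        return None
    stream_id, seq, total, crc = HDR.unpack_from(datagram)
    payload = datagram[HDR.size:]
    if seq >= total or zlib.crc32(payload) != crc:
        return None
    return stream_id, seq, total, payload


def chunks(data: bytes, size: int):
    pieces = [data[i:i + size] for i in range(0, len(data), size)]
    return pieces or [b""]  # an empty stream is still one (empty) chunk


def send_stream(stream_id, data, emit, repeats=2, chunk_size=1024):
    """Send every chunk `repeats` times. With no return path this repetition is
    the only recovery mechanism, so size `repeats` to the link's observed loss."""
    pieces = chunks(data, chunk_size)
    for _ in range(repeats):
        for seq, payload in enumerate(pieces):
            emit(frame(stream_id, seq, len(pieces), payload))


def udp_emitter(dst_host, dst_port):
    """Real sender for the high side: the socket only ever calls sendto(),
    nothing is read, so the application itself has no inbound path."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda datagram: sock.sendto(datagram, (dst_host, dst_port))


class Receiver:
    def __init__(self):
        self.streams = {}  # stream_id -> [total, {seq: payload}]

    def accept(self, datagram):
        parsed = parse(datagram)
        if parsed is None:
            return  # truncated or corrupted frame; nothing to ask for, just drop
        stream_id, seq, total, payload = parsed
        entry = self.streams.setdefault(stream_id, [total, {}])
        if entry[0] != total:
            return  # header disagrees with earlier frames of this stream
        entry[1].setdefault(seq, payload)  # duplicates from repeats are harmless

    def missing(self, stream_id):
        total, got = self.streams.get(stream_id, [0, {}])
        return [i for i in range(total) if i not in got]

    def assemble(self, stream_id):
        if stream_id not in self.streams or self.missing(stream_id):
            return None
        total, got = self.streams[stream_id]
        return b"".join(got[i] for i in range(total))


def transfer(data, repeats, drop_every=None, chunk_size=1024):
    """Run sender and receiver through a constructed in-memory channel that
    drops every `drop_every`-th frame (None = lossless). Stream id 7 is arbitrary."""
    rx = Receiver()
    counter = itertools.count()

    def channel(datagram):
        if drop_every is None or next(counter) % drop_every:
            rx.accept(datagram)

    send_stream(7, data, channel, repeats=repeats, chunk_size=chunk_size)
    return rx.assemble(7), rx.missing(7)


if __name__ == "__main__":
    sample = bytes(range(256)) * 80  # constructed 20 KiB payload -> 20 chunks
    for reps in (1, 2):
        out, gaps = transfer(sample, repeats=reps, drop_every=3)
        print(f"repeats={reps}: recovered={out == sample} missing={gaps}")
```

With one pass over a channel that drops every third frame the receiver ends up with seven holes it cannot do anything about; a second pass lands the frames the first pass lost, because the drop pattern is offset by the stream length. Real loss is random rather than periodic, so in practice you measure the link and pick `repeats` (or add proper forward error correction) accordingly. The same lack of a return path is why the sending host needs the hardcoded ARP entry the comment mentions: the receiver's ARP replies never arrive, so something like `ip neigh replace <low-side-ip> lladdr <low-side-mac> nud permanent dev <fiber-if>` (addresses and interface name are placeholders) has to stand in for them before any UDP leaves the box.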