Ethernet bridges connect two or more distinct ethernet segments transparently.
An ethernet bridge distributes ethernet frames coming in on one port to the other ports
associated with the bridge interface. It does this intelligently: whenever the
bridge knows on which port the destination MAC address of a frame is located,
it forwards the frame to that port only instead of flooding it to all
ports.
Ethernet interfaces can be added to an existing bridge interface
and then become (logical) ports of the bridge interface.
Putting a netfilter structure on top of a bridge interface makes the bridge capable
of filtering the traffic it forwards. This way, a transparent filtering instance can be
created. It does not even need an IP address assigned to work.
Of course, you can assign an IP address to the bridge interface for maintenance
purposes (certainly, with ssh only ;-).
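
The forwarding and filtering behaviour described above can be modelled in a few lines. This is an added example, not code from the original text: the class, the port names, the MAC addresses and the policy are constructed for illustration, and the model applies the filter at the forwarding step, after learning.

```python
# Toy model of a learning bridge with a filter hook (added illustration).
BROADCAST = "ff:ff:ff:ff:ff:ff"

class FilteringBridge:
    def __init__(self, ports, allow):
        self.ports = set(ports)   # logical ports attached to the bridge
        self.allow = allow        # filter hook: allow(frame, in_port) -> bool
        self.fdb = {}             # forwarding database: MAC -> port

    def receive(self, in_port, frame):
        """Return the set of ports the frame is sent out on."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # Learn: the source MAC is reachable through the ingress port.
        self.fdb[frame["src"]] = in_port
        # Filter: a rejected frame is dropped silently, nothing is sent back.
        if not self.allow(frame, in_port):
            return set()
        out = self.fdb.get(frame["dst"])
        if out is None or frame["dst"] == BROADCAST:
            return self.ports - {in_port}   # unknown or broadcast: flood
        if out == in_port:
            return set()                    # destination is on the same segment
        return {out}                        # known destination: one port only

def policy(frame, in_port):
    # Constructed rule: drop telnet (TCP/23) entering from the LAN port eth0.
    return not (in_port == "eth0" and frame.get("tcp_dport") == 23)

def demo():
    # The bridge itself has no address in any frame: hosts talk to each other.
    br = FilteringBridge(["eth0", "eth1", "eth2"], policy)
    host, router = "02:00:00:00:00:0a", "02:00:00:00:00:01"  # constructed MACs
    return [
        br.receive("eth0", {"src": host, "dst": router, "tcp_dport": 443}),
        br.receive("eth1", {"src": router, "dst": host, "tcp_dport": 50000}),
        br.receive("eth0", {"src": host, "dst": router, "tcp_dport": 443}),
        br.receive("eth0", {"src": host, "dst": router, "tcp_dport": 23}),
    ]

if __name__ == "__main__":
    for out_ports in demo():
        print(sorted(out_ports))
```

The first frame is flooded because the router's port is not yet known, the next two go to a single learned port, and the last one is dropped by the filter.
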
The advantage of this system is evident. Transparency relieves the network
administrator of the pain of restructuring the network topology. Users may
not notice the existence of the bridge, only that their connection is being blocked. Also,
users are not disturbed while working (think of a company where a loss of network
connectivity costs a lot).
The other common case is a client being connected to the global web via a leased
router. As providers seldom grant administration privileges on their leased
hardware, the client cannot change the interconnecting configuration.
But, of course, the client has a network running and wants to spend as little as
possible, so he does not want to reconfigure his entire network. And he does not need
to if he uses a bridging device.