From owner-freebsd-pf@FreeBSD.ORG Thu Dec 2 03:39:25 2004
Date: Thu, 2 Dec 2004 12:39:20 +0900
From: Pyun YongHyeon
Reply-To: yongari@kt-is.co.kr
To: gtg062h@mail.gatech.edu
cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD bridge + filtering, BIG problem
Message-ID: <20041202033920.GC12155@kt-is.co.kr>
References: <20041201045203.262D443D5C@mx1.FreeBSD.org> <20041201110912.GA9840@kt-is.co.kr> <7c8f27920412010523730447de@mail.gmail.com>
In-Reply-To: <7c8f27920412010523730447de@mail.gmail.com>
User-Agent: Mutt/1.4.2.1i
List-Id: Technical discussion and general questions about packet filter (pf)
On Wed, Dec 01, 2004 at 08:23:39AM -0500, Josh Kayse wrote:
[...]
>
> I know it's been touched on in the past, but can you explain why
> stateful inspection does not work in a bridged mode? And why it only
> filters for inbound traffic? Does ipfw suffer from the same feature?
> Thanks.
>

Both pf/ipf should see inbound/outbound traffic in order to create states.
But in bridge(4), the pfil(9) hook for outbound packets is absent. ipfw can
create states without seeing the outbound packet. Maybe it was the author's
intention to reduce overhead by not checking packets in both directions.
I guess ipfw can't filter outbound packets in a bridged setup either.

A long time ago, I wrote a patch to add a pfil(9) outbound hook in the
bridge setup. The patch makes pf's scrub rule work too. It wouldn't apply
to 5.3R, but you can see the point.

http://www.kr.freebsd.org/~yongari/patches/bridge.patch

> -josh
>
> --
> Joshua Kayse
> Computer Engineering

--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org
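The direction problem described in the reply above, as an added example that is not part of the original thread or of pf's code: a constructed Python model of a stateful, default-block filter sitting on a two-port bridge. The interface names em0/em1, the addresses 10.0.0.1/10.0.0.2 and the two rules are made up; state keys are bound to the interface and a reply matches only when it is seen on the same interface in the opposite direction with the addresses swapped, which is a simplification of pf's real state lookup but is the part of it that matters here. With pfil(9) hooks for both directions the request creates states on both interfaces and the reply passes by state; with an inbound hook only, the outbound leg is never seen, no state exists on the second interface, and the reply is blocked.

```python
"""Constructed model (not pf's code) of why a stateful filter needs both
pfil(9) hooks on a bridge. Interfaces, addresses and rules are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str         # interface on which the filter sees the packet
    direction: str     # "in" or "out" relative to that interface
    src: str
    dst: str
    syn: bool = False  # True for the flow-opening packet


class StatefulFilter:
    """Default-block filter with two stateful rules (pf-like, simplified).

    Rule 1: 'pass in on em0 ... keep state'  - hosts behind em0 may open flows
    Rule 2: 'pass out all keep state'        - anything leaving the bridge
    Implicit: 'block all'
    State keys are (iface, direction, src, dst); a reply matches a state when
    it is seen on the same interface, in the opposite direction, with the
    addresses swapped.
    """

    def __init__(self, hooks):
        self.hooks = hooks   # directions for which a pfil(9) hook exists
        self.states = set()

    def _rule_passes(self, pkt):
        if pkt.direction == "in" and pkt.iface == "em0" and pkt.syn:
            return True
        if pkt.direction == "out":
            return True
        return False

    def evaluate(self, pkt):
        if pkt.direction not in self.hooks:
            return "unfiltered"          # no hook: the filter never sees it
        key = (pkt.iface, pkt.direction, pkt.src, pkt.dst)
        mirror_dir = "out" if pkt.direction == "in" else "in"
        mirror = (pkt.iface, mirror_dir, pkt.dst, pkt.src)
        if key in self.states or mirror in self.states:
            return "pass (state)"
        if self._rule_passes(pkt):
            self.states.add(key)
            return "pass (new state)"
        return "block"


def bridge_flow(hooks):
    """Forward one request and its reply across an em0<->em1 bridge.

    A frame entering on em0 is seen 'in' on em0 and then 'out' on em1;
    the reply enters on em1 and is seen 'in' on em1, then 'out' on em0.
    Returns the filter verdicts in order; forwarding stops at a block.
    """
    fw = StatefulFilter(hooks)
    client, server = "10.0.0.1", "10.0.0.2"   # constructed addresses
    path = [
        Packet("em0", "in", client, server, syn=True),
        Packet("em1", "out", client, server, syn=True),
        Packet("em1", "in", server, client),
        Packet("em0", "out", server, client),
    ]
    verdicts = []
    for pkt in path:
        verdict = fw.evaluate(pkt)
        verdicts.append(verdict)
        if verdict == "block":
            break
    return verdicts


if __name__ == "__main__":
    print("both hooks:   ", bridge_flow({"in", "out"}))
    print("inbound only: ", bridge_flow({"in"}))
```

In the inbound-only run the only way to let the reply through is a stateless "pass in on em1" rule, which gives up the stateful matching the question was asking about; that is the trade-off the missing outbound hook forces.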