From: Clément MOULIN <cmoulin@simplerezo.com>
Cc: freebsd-pf@freebsd.org
Date: Thu, 2 Dec 2004 23:21:01 +0100
Organization: SimpleRezo
In-Reply-To: <20041202032557.GB12155@kt-is.co.kr>
Subject: RE: FreeBSD bridge + filtering, BIG problem
List-Id: Technical discussion and general questions about packet filter (pf)

Pyun YongHyeon wrote:
> Are you sure you can see *states* with "pfctl -ss"?
> Both pf/ipf can't create states since it couldn't see ANY outbound
> packets in bridge environments. In jail(fw01), you can see states
> since packets go through L3 hook points.

Yes, I do (with pf):

$ pfctl -ss
No ALTQ support in kernel
ALTQ related functions disabled
self tcp ...:3556 <- ...:80       CLOSED:SYN_SENT
self tcp ...:3557 <- ...:80       CLOSED:SYN_SENT
self tcp ...:2970 <- ...:80       CLOSED:SYN_SENT
self tcp ...:80 <- ...:3556       ESTABLISHED:ESTABLISHED
self tcp ...:80 <- ...:3557       ESTABLISHED:ESTABLISHED
self tcp ...:80 <- ...:2970       ESTABLISHED:ESTABLISHED
self tcp ...:80 -> ...:3559       ESTABLISHED:FIN_WAIT_2
self tcp ...:80 -> ...:3565       ESTABLISHED:FIN_WAIT_2
self udp ...:64715 -> ...:53      MULTIPLE:SINGLE
self udp ...:53 <- ...:64715      NO_TRAFFIC:SINGLE

(I have removed the IPs from the output)

--
Clement Moulin
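Added example, not part of this thread: a small Python parser for the `pfctl -ss` layout quoted above. It tallies entries by direction (the "<-" versus "->" question Pyun raises) and lists endpoint pairs where one entry is stuck at CLOSED:SYN_SENT while a second entry for the same endpoints is ESTABLISHED:ESTABLISHED, the pattern the 3556/80 lines show. The sample addresses are constructed, since the original output had them removed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the pfctl -ss output quoted in the
# message (the addresses are invented; the original had them removed).
SAMPLE = """\
No ALTQ support in kernel
ALTQ related functions disabled
self tcp 192.0.2.10:3556 <- 198.51.100.5:80       CLOSED:SYN_SENT
self tcp 198.51.100.5:80 <- 192.0.2.10:3556       ESTABLISHED:ESTABLISHED
self tcp 198.51.100.5:80 -> 192.0.2.11:3559       ESTABLISHED:FIN_WAIT_2
self udp 192.0.2.10:64715 -> 198.51.100.9:53      MULTIPLE:SINGLE
self udp 198.51.100.9:53 <- 192.0.2.10:64715      NO_TRAFFIC:SINGLE
"""

# iface proto endpoint dir endpoint state; an endpoint may carry a NAT
# translation in parentheses, which is kept as part of the endpoint text.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+(?: \(\S+\))?)\s+"
    r"(?P<dir><-|->)\s+(?P<right>\S+(?: \(\S+\))?)\s+(?P<state>\S+)$"
)

def parse_states(text):
    """Return one dict per state line; banner lines (ALTQ notices) are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(m.groupdict())
    return states

def count_by_direction(states):
    """Tally inbound ('<-') versus outbound ('->') entries."""
    counts = defaultdict(int)
    for st in states:
        counts[st["dir"]] += 1
    return dict(counts)

def connection_key(st):
    """Direction-independent key: protocol plus the two endpoints, sorted."""
    return (st["proto"],) + tuple(sorted((st["left"], st["right"])))

def find_half_seen(states):
    """Endpoint pairs with one entry stuck at CLOSED:SYN_SENT and another
    already ESTABLISHED:ESTABLISHED (the 3556/80 pattern in the message)."""
    by_conn = defaultdict(set)
    for st in states:
        by_conn[connection_key(st)].add(st["state"])
    return sorted(k for k, kinds in by_conn.items()
                  if "CLOSED:SYN_SENT" in kinds and "ESTABLISHED:ESTABLISHED" in kinds)
```

Feed it the real output with `parse_states(subprocess.check_output(["pfctl", "-ss"], text=True))` on the bridge host to check whether any outbound ("->") entries exist at all.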