From owner-freebsd-net@FreeBSD.ORG  Sat Dec  4 07:43:29 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8CC8916A4CE
	for <freebsd-net@freebsd.org>; Sat,  4 Dec 2004 07:43:29 +0000 (GMT)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143])
	by mx1.FreeBSD.org (Postfix) with ESMTP id ECC2D43D5A
	for <freebsd-net@freebsd.org>; Sat,  4 Dec 2004 07:43:26 +0000 (GMT)
	(envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost)
	by gaia.nimnet.asn.au (8.8.8/8.8.8R1.4) with SMTP id SAA03224;
	Sat, 4 Dec 2004 18:43:17 +1100 (EST)
	(envelope-from smithi@nimnet.asn.au)
Date: Sat, 4 Dec 2004 18:43:17 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Max Laier <max@love2party.net>
In-Reply-To: <200412031548.02444.max@love2party.net>
Message-ID: <Pine.BSF.3.96.1041204183127.2388B-100000@gaia.nimnet.asn.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: Petr Holub <hopet@ics.muni.cz>
cc: freebsd-net@freebsd.org
Subject: ipfw and bridging [was: pf and bridging]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Dec 2004 07:43:29 -0000

On Fri, 3 Dec 2004, Max Laier wrote:
 > On Thursday 02 December 2004 19:45, Petr Holub wrote:
 > > Hi all,
 > >
 > > I wonder if it is possible to use the new pf firewall together with
 > > bridging as it is possible to use it with ipf and ipfw.
 > 
 > Unfortunately the PFIL_HOOKS in bridge.c don't work too well for pf (or ipf 
 > for the same reason) thus you cannot use stateful filtering. There is an 
 > ongoing discussion on freebsd-pf@ that talks about the details:
 > http://lists.freebsd.org/pipermail/freebsd-pf/2004-December/000621.html
 > http://lists.freebsd.org/pipermail/freebsd-pf/2004-December/000625.html
 > http://lists.freebsd.org/pipermail/freebsd-pf/2004-December/000631.html

Read those ones for interest, but it leaves me wondering: can you use
stateful filtering in ipfw, then?  (here ipfw1 on a 4.8-RELEASE box with
BRIDGE in kernel so far, but I imagine this would apply also to ipfw2?) 

I'm aware that one can only filter incoming packets, so I've always
wondered whether stateful rules made any sense in a bridge context?
(showing off my complete ignorance of the ipfw stateful code)

Cheers, Ian