From: Nicolas GRENECHE
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Tue, 10 May 2011 23:49:34 +0200
Subject: Re: Filtering on a sensor dedicated interface
In-Reply-To: <20110510173853.GA17049@insomnia.benzedrine.cx>
List-Id: "Technical discussion and general questions about packet filter (pf)"

2011/5/10 Daniel Hartmeier :
> On Tue, May 10, 2011 at 06:45:08PM +0200, Nicolas GRENECHE wrote:
>
>> Regarding tcpdump, packets seem to go through the interface. Why doesn't
>> pf see them?
>
> The destination MAC addresses of the ethernet frames do not match the
> firewall's.
>
> By putting the interfaces into promiscuous mode, the frames are copied
> to BPF readers (like tcpdump), but the host then ignores the frame.
> Since the host is neither the recipient nor bridging, there is no reason
> to pf filter the packet, as the frame will be dropped anyway.
>
> I guess you could add the interfaces to bridges or some such construct,
> to get pf filtering involved. It depends on WHY you want pf to filter
> something you don't want to forward, i.e. what would be the purpose of
> the packet showing up on pflog.
>
> Daniel
>

Thanks a lot Daniel, you put me on the right way! The reason was that I set up the bridge with the "monitoring" option, which only lets bpf readers acquire the network traffic and drops the packets. Now it works perfectly.

Regards,
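An added example, not part of this thread or of FreeBSD itself: a small POSIX sh check that tells, from `ifconfig` output, whether an if_bridge(4) is in the "monitor" state described above (frames copied to BPF readers only, then discarded, so pf never filters them) and lists the member interfaces a pf rule would have to name once the bridge forwards. The interface names, MAC addresses and ifconfig output below are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread). In monitor mode an if_bridge(4) copies
# frames to BPF readers such as tcpdump and then drops them, so pf never sees
# them. Clearing it with `ifconfig bridge0 -monitor` (and leaving "monitor" out
# of the rc.conf ifconfig_bridge0 line) makes the bridge forward, and pf then
# filters the traffic on the member interfaces.

# Constructed sample of `ifconfig bridge0` output with the monitor option set.
MONITOR_SAMPLE='bridge0: flags=48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,MONITOR> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# The same bridge after `ifconfig bridge0 -monitor` (constructed).
FORWARDING_SAMPLE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# bridge_mode TEXT: prints "monitor" when the flag list on the first line of
# the ifconfig output contains MONITOR, "forwarding" otherwise.
bridge_mode() {
    flags=$(printf '%s\n' "$1" | sed -n '1s/.*flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,MONITOR,*) echo monitor ;;
        *) echo forwarding ;;
    esac
}

# bridge_members TEXT: prints the member interfaces one per line. These are
# the interfaces pf rules must name (e.g. "pass in on em1 ...") for a
# forwarding bridge; in monitor mode no rule on them will ever match.
bridge_members() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*member: \([^ ]*\).*/\1/p'
}

# Live use on a FreeBSD host (not run here):
#   bridge_mode "$(ifconfig bridge0)"
#   bridge_members "$(ifconfig bridge0)"
```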