From owner-freebsd-pf@FreeBSD.ORG  Wed Dec  1 17:43:23 2004
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A83CC16A4CE
	for <freebsd-pf@freebsd.org>; Wed,  1 Dec 2004 17:43:23 +0000 (GMT)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.205])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 53F9D43D66
	for <freebsd-pf@freebsd.org>; Wed,  1 Dec 2004 17:43:23 +0000 (GMT)
	(envelope-from jsimola@gmail.com)
Received: by wproxy.gmail.com with SMTP id 68so971500wra
        for <freebsd-pf@freebsd.org>; Wed, 01 Dec 2004 09:43:19 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
	s=beta; d=gmail.com;
	h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references;
	b=JsYWSAgroLlwQV3m9m15PnTp1A+FysRfBUdRAF1MyjRjLfcrNvpHcoRhRjyyzg7vBqiujZD8GqgwV+yfrf3eiR8MJsKyeFK3aobwgTKv9xH/NRNkZ4RZ8MTp1dondUTR2NEB8Hd0nNnChfv3unVSLjSQd306xbFE/2ZcNJ3p8bM=
Received: by 10.54.6.79 with SMTP id 79mr790299wrf;
        Wed, 01 Dec 2004 09:43:19 -0800 (PST)
Received: by 10.54.39.49 with HTTP; Wed, 1 Dec 2004 09:43:19 -0800 (PST)
Message-ID: <8eea0408041201094326d6726c@mail.gmail.com>
Date: Wed, 1 Dec 2004 09:43:19 -0800
From: Jon Simola <jsimola@gmail.com>
To: freebsd-pf@freebsd.org
In-Reply-To: <7c8f27920412010523730447de@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <20041201045203.262D443D5C@mx1.FreeBSD.org>
	 <20041201110912.GA9840@kt-is.co.kr>
	 <7c8f27920412010523730447de@mail.gmail.com>
Subject: Re: FreeBSD bridge + filtering, BIG problem
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: jon@abccomm.com
List-Id: Technical discussion and general questions about packet filter (pf)
	<freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Dec 2004 17:43:23 -0000

On Wed, 1 Dec 2004 08:23:39 -0500, Josh Kayse <josh.kayse@gmail.com> wrote:

> I know it's been touched on in the past, but can you explain why
> stateful inspection does not work in a bridged mode?  And why it only
> filters for inbound traffic?  Does ipfw suffer from the same feature?

'man ipfw' and look at the PACKET FLOW section. Bridged packets are
only passed to the firewall at layer2 and only via the bdg_forward
path. There is no path through ip_output or ether_output_frame, so
it's easiest to think of ipfw being unable to check packets only as
they enter and not as they leave.