Date:      Tue, 2 Oct 2007 22:16:10 +1300
From:      Andrew Thompson <thompsa@FreeBSD.org>
To:        Tobias Ernst <tobi@casino.uni-stuttgart.de>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Filtering bridge - how to decide which of the bridge's interfaces a packet arrived on?
Message-ID:  <20071002091610.GD38352@heff.fud.org.nz>
In-Reply-To: <4701FAD7.4050600@casino.uni-stuttgart.de>
References:  <46EDE839.8060501@criticalmagic.com> <20070917202951.GF2742@heff.fud.org.nz> <46EEE5C9.8050103@criticalmagic.com> <20070917204318.GB9614@heff.fud.org.nz> <4701FAD7.4050600@casino.uni-stuttgart.de>

On Tue, Oct 02, 2007 at 11:01:27AM +0300, Tobias Ernst wrote:
> Dear members of this list,
> 
> Recently, it was stated here by Andrew Thompson that
> 
> > anything that is destined for the
> > local host is tapped off early and handled specially. 
> 
> This referred to the fact that packets passing through a bridging
> firewall can be filtered on the individual inbound/outbound interfaces,
> but packets destined for the bridging firewall (that has assigned an ip
> address to the bridge interface) can only be filtered on the bridge
> interface.
> 
> I have now run into a problem with this. I am setting up a routing
> firewall with several DMZ, but for various reasons the DMZ use the same
> IP range as the internal net. I.e., the DMZ are bridged to the internal
> net, and the entire IP subnet is then routed to the external world.
> 
[...]
> 
> However, the above rules do not match packets sent from a machine with
> an illegal IP in the DMZ and destined for the firewall, because those
> packets only appear on bridge0. However, when I filter the packets on
> bridge0, I have no idea whether they arrived on the DMZ interface or on
> the internal interface.
> 
> Is there any other possibility of finding out which member of a bridge
> an inbound packet has arrived on?

Yes, a new option was added to HEAD that allows this (pfil_local_phys),
it adds an additional packet filter call on the member interface for
local packets.

> P.S.: FreeBSD 6.2-RELEASE

It's not in 6.2 unfortunately but will be MFC'd in time for 6.3.


Andrew
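A configuration sketch of the setup this reply describes, added as an illustration and not taken from the thread or from FreeBSD's own documentation. It assumes a FreeBSD release that ships the pfil_local_phys bridge option (6.3 or later), hypothetical member interfaces em0 (internal) and em1 (DMZ) on bridge0, a routed uplink em2, and a constructed shared subnet 192.0.2.0/24 with two known DMZ hosts.

```conf
# /etc/sysctl.conf  (hypothetical host; interface names are assumptions)
# Run pf on each member interface and on bridge0 (both are the defaults).
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
# Additionally run pf on the physical member interface for packets addressed
# to the bridge host itself. Without this (as on 6.2) those packets are only
# seen on bridge0, where the ingress member can no longer be determined.
net.link.bridge.pfil_local_phys=1

# /etc/pf.conf  (constructed example; 192.0.2.0/24 is a documentation range)
int_if     = "em0"            # internal LAN, member of bridge0
dmz_if     = "em1"            # DMZ, member of bridge0, same subnet as int_if
ext_if     = "em2"            # routed uplink
bridge_net = "192.0.2.0/24"   # subnet shared by internal net and DMZ
table <dmz_hosts> { 192.0.2.10, 192.0.2.11 }   # addresses allowed to source traffic in the DMZ

block log all

# Packets entering on the DMZ member from an address that is not a known DMZ
# host are dropped here. With pfil_local_phys=1 this rule also matches
# packets destined for the firewall itself, because they now get a filter
# pass on $dmz_if before reaching bridge0; with the option off they would
# bypass it and only be seen on bridge0.
block in log quick on $dmz_if inet from ! <dmz_hosts>

# Remaining member-interface traffic (forwarded between bridge members).
pass in  on $dmz_if inet from <dmz_hosts>
pass in  on $int_if inet from $bridge_net
pass out on { $dmz_if $int_if }

# The same packets are filtered a second time on bridge0 (pfil_bridge=1);
# locally destined traffic must be allowed here as well.
pass in  on bridge0 inet from $bridge_net
pass out on bridge0

# Routed traffic to and from the external world.
pass in  on $ext_if inet to $bridge_net
pass out on $ext_if inet from $bridge_net
```

Reload with `sysctl net.link.bridge.pfil_local_phys=1` followed by `pfctl -f /etc/pf.conf`, and confirm the member-interface rule is hit for firewall-destined packets with `pfctl -vsr` or the log interface.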


