Date: Sun, 18 Dec 2005 00:20:12 +0900 (JST)
From: Hideki Yamamoto <yamamoto436@oki.com>
To: thompsa@freebsd.org
Cc: michiel@nl-hrln-ptgrf.net, freebsd-pf@freebsd.org
Subject: Re: Possible bug in PF with if_bridge
Message-ID: <20051218.002012.74721675.yamamoto436@oki.com>
In-Reply-To: <20051213195624.GA5248@heff.fud.org.nz>
References: <20051213170450.3CD41193631@mail.nl-hrln-ptgrf.net> <20051213195624.GA5248@heff.fud.org.nz>
Hi,

I am also struggling with pf with if_bridge for RTP on IPv6.
I have found a pointer on pf+bridge by searching Google.
That is http://lists.freebsd.org/pipermail/freebsd-pf/2005-January/000762.html.
I have not tried it yet.
I hope you will respond with your result to share the experience.

Best regards,
Hideki Yamamoto

From: Andrew Thompson <thompsa@freebsd.org>
Subject: Re: Possible bug in PF with if_bridge
Date: Wed, 14 Dec 2005 08:56:24 +1300
Message-ID: <20051213195624.GA5248@heff.fud.org.nz>

> On Tue, Dec 13, 2005 at 06:07:46PM +0100, Michiel Kranenburg wrote:
> > Hello all,
> >
> > I may have found a bug in PF (in combination with if_bridge) for
> > FreeBSD6.0-RELEASE.
> >
> > The weird thing occurs when using PF to filter the bridge.
> > Let me post my pf.conf first: (I did not post the declaration of variables
> > on top of the conf)
> >
> > ---------------------------------------------
> > scrub in all
> >
> > block in log on bridge0 from any to $mynet
> > block return-rst in log on bridge0 proto tcp from any to $mynet
> >
> > pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
> > pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
> >
> > pass on lo0 all
> [...]
> >
> > Now comes the strange part:
> >
> > Behind $web and $mail are running SSH servers. As defined by the rules, I
> > don't want to allow any connection from the outside to the SSH servers.
> > BUT, some hosts/IP addresses can _still_ connect to the SSH servers(!), and
> > some _don't_ (as it is supposed to be).
>
> You should probably be filtering on the member interfaces rather than
> bridge0 if you are doing keep-state.
>
> bridge0 has no direction, so packets travelling in one direction look the
> same as the reverse path; this may be tripping up the stateful rules.
>
> Can you try changing your pf rules to filter on xl1 and xl2 and see if
> you get the same behaviour.
>
> p.s. 6.0-RELEASE has an mbuf leak with if_bridge(4)+pfil(9), you may want
> to go to RELENG_6
>
>
> cheers,
> Andrew
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
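The ruleset below is an added example, not the configuration posted in the thread: it rewrites Michiel's bridge0 rules onto the bridge member interfaces, which is the change Andrew suggests. Because a bridge interface has no inbound/outbound side, a state created by `pass ... on bridge0 keep state` can be matched by a packet travelling the opposite way; binding the rules to the members gives pf a real direction for each packet. The member roles (xl1 facing the outside, xl2 facing $mynet), the `$mynet` value and the sysctl names are assumptions of this example and are not stated in the thread.

```pf
# Added example (editor's, not from the thread): the poster's bridge0 rules
# moved onto the member interfaces.
#
# Assumptions (not stated in the thread):
#   xl1 = member facing the outside, xl2 = member facing $mynet.
#   pf must be hooked on the members, not only on bridge0; on FreeBSD that is
#   sysctl net.link.bridge.pfil_member=1 (and net.link.bridge.pfil_bridge=0
#   if bridge0 itself should no longer be filtered).

mynet = "192.0.2.0/24"    # constructed placeholder; the poster did not show $mynet

scrub in all

# Connections from the outside towards $mynet enter the bridge on xl1, so
# these block rules now have a single, unambiguous direction.
block in log on xl1 from any to $mynet
block return-rst in log on xl1 proto tcp from any to $mynet

# Traffic originating inside enters on xl2. The state created here is
# floating (pf's default state-policy), so it also matches the packet when
# it leaves on xl1 and the reply when it returns in on xl1; nothing has to
# be matched against a directionless bridge0 state any more.
pass in on xl2 proto {tcp,udp,icmp} from $mynet to $mynet keep state
pass in on xl2 proto {tcp,udp} from $mynet to any keep state
pass out on xl1 proto {tcp,udp} from $mynet to any keep state

pass on lo0 all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then `pfctl -vsr` to confirm the rules are bound to xl1/xl2, and `pfctl -ss` while an inside host opens a connection: the state entries should now list the member interface rather than bridge0. An outside host attempting SSH to $web or $mail should produce only `block in log on xl1` hits in `pflog0`, whichever address it comes from.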