Date:      Wed, 23 Jun 2010 09:39:08 +0200
From:      Gerrit Kühn <gerrit@pmp.uni-hannover.de>
To:        freebsd-net@freebsd.org
Subject:   firewalling broadcast and multicast packets
Message-ID:  <20100623093908.e73f5327.gerrit@pmp.uni-hannover.de>

Hi all,

I just tried to block multicast and broadcast packets on a transparent
bridge with pf by filtering on one of the physical interfaces like this:

table <no_route> persist {10.117.255.255/32}
netbios = "netbios-ns, netbios-dgm, netbios-ssn, mdns, ipp"
block quick on $ext_if proto ipv6
block quick on $ext_if proto udp from any port { $netbios }
block quick on $ext_if proto udp to any port { $netbios }
block quick on $ext_if inet from any to <no_route>


However, the packets are still passing the bridge as can be seen with
tcpdump on the internal interface:

09:36:39.167995 IP newprintserver.fqdn-omitted.ipp >
10.117.255.255.ipp: UDP, length 94

Kernel settings are like this:

net.link.bridge.ipfw: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1


I am using a recent 8.1-prerelease. Before I start putting more time into
solving this problem, I just wanted to ask here if this is supposed to work
at all, or if I am doing something terribly wrong from the beginning.


cu
  Gerrit
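One way to find out whether rules like the ones above ever match, added here as an example and not part of the original message: give each block rule an explicit direction and the `log` keyword, then watch pflog rather than a member interface (a BPF capture on the ingress interface sees a frame before pf evaluates it, so it cannot show a drop). The `$int_if` macro and the interface names are assumptions.

```pf
# Diagnostic variant of the ruleset from the message (added example; the
# interface names are assumptions, adjust them to the real bridge members).
ext_if = "em0"
int_if = "em1"

table <no_route> persist { 10.117.255.255/32 }
netbios = "{ netbios-ns, netbios-dgm, netbios-ssn, mdns, ipp }"

# With net.link.bridge.pfil_member=1 a bridged packet is evaluated twice:
# inbound on the member it arrived on and outbound on the member it leaves
# through. Naming the direction and both members removes any dependence on
# which side of the bridge the sender happens to sit.
# Note: "inet6" selects the IPv6 address family; "proto ipv6" would match
# IP protocol 41 (IPv6 encapsulated in IPv4) instead.
block in log quick on { $ext_if, $int_if } inet6
block in log quick on { $ext_if, $int_if } proto udp from any port $netbios
block in log quick on { $ext_if, $int_if } proto udp to any port $netbios
block in log quick on { $ext_if, $int_if } inet from any to <no_route>

# Check syntax, then load:       pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
# Confirm the table is loaded:   pfctl -t no_route -T show
# Per-rule match counters:       pfctl -vsr
# See what pf actually dropped:  tcpdump -n -e -ttt -i pflog0
# (pflog0 needs pflog_enable="YES" in /etc/rc.conf; "ifconfig bridge0"
#  should list both members.)
```

If the pflog capture shows the packet being blocked while tcpdump on the internal interface still shows it, the capture is simply seeing the frame on its way in, before pf runs.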


