Date:      Thu, 16 Sep 2004 03:54:03 -0000
From:      Pyun YongHyeon <yongari@kt-is.co.kr>
To:        pf4freebsd@freelists.org
Subject:   [pf4freebsd] Re: Bridging
Message-ID:  <20031006024636.GC735@kt-is.co.kr>
In-Reply-To: <20031005201002.11d31f6e.temper@probsd.net>
References:  <200308262103.12394.alan@precisionautobody.com> <200308262247.46254.alan@precisionautobody.com> <01a901c36cee$09bd6810$01000001@max900> <200308271625.05235.alan@precisionautobody.com> <025801c36cfa$3e756290$01000001@max900> <1062074062.31217.14.camel@quark.avioc.org> <01ad01c370ab$a55b2bc0$01000001@max900> <1062509878.337.18.camel@quark.avioc.org> <009001c3715b$d5840eb0$01000001@max900> <20031005201002.11d31f6e.temper@probsd.net>

On Sun, Oct 05, 2003 at 08:10:02PM -0500, temper wrote:
> So has anyone been testing bridging on 1.64+?
>
> my ip-less bridge would appear at first to work but I'm having
> problems where traffic is passing through even though there is a block
> rule and nothing is even showing up on any "out" rules on the external
> interface at all.
>
> I hate posting on mailing lists because there's so much explaining to do
> and it takes so long to do. I'm usually on #pf on irc.freenode.net seeking
> help on this subject.
>
You have missed one important thing. Neither pf nor ipf can see outgoing
packets, due to limitations of bridge(4) in FreeBSD. To see packets
going through in both the in and out directions, bridge(4) would have to be
heavily modified.
For ipfw(4), this is not important. Since ipfw(4) has no ability to
track established states accurately, it is meaningless for it to see both
in/out traffic. The author of ipfw(4) might not want to see unnecessary
traffic, as it adds processing burden to the CPU. (IMO)

At present, you may do filtering with the following restrictions on a bridge:
1. do filtering for inbound traffic only
2. use stateless rules only

Yes, its use is very limited.
I am trying to modify bridge(4) to overcome this situation. However,
bridge(4) is very complex code and it takes time for me to ensure the
correctness of my code. So I can't simply give an ETA.
If I manage to get it working, I'll let you know via this list.
Thanks.

> -temper@probsd.net
>

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
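To make the two restrictions in the reply concrete, here is a pf.conf fragment added by the editor; it is not from the mail, from pf's documentation or from the bridge(4) work described. It filters inbound only, on each bridge member, with stateless rules. The interface names fxp0/fxp1, the server address 192.0.2.10 and the single HTTP service are assumptions. Because pf never sees the outbound side of this bridge, the return direction has to be passed explicitly as traffic arriving inbound on the other member, and `no state` is written out because current pf keeps state by default.

```pf
# Constructed example: inbound-only, stateless filtering on a FreeBSD bridge
# whose members are fxp0 (external side) and fxp1 (internal side).
# All names and addresses below are assumptions for illustration.
ext_if = "fxp0"
int_if = "fxp1"
server = "192.0.2.10"

# pf only sees packets as they enter a bridge member, so every rule is "in".
# There is no point writing "out" rules: they would never match.
block in log all

# Client -> server: requests arrive on the external member.
pass in on $ext_if proto tcp from any to $server port 80 no state

# Server -> client: replies arrive on the internal member. Without state
# tracking the return direction must be allowed by its own explicit rule.
pass in on $int_if proto tcp from $server port 80 to any no state
```

With stateful rules (`keep state`) pf would expect to see the reply leave on $ext_if and update the state entry, which never happens on this bridge; the stateless pair above is the shape that works under the limitation described.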