From: Chuck Swiger <cswiger@mac.com>
Date: Tue, 08 Nov 2011 10:01:58 -0800
To: Korodev
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Protecting bridge interface via external interface and IPFW
Message-id: <16D97773-945E-480E-9645-0AC705766536@mac.com>
List-Id: IPFW Technical Discussions

On Nov 8, 2011, at 7:54 AM, Korodev wrote:
[ ... ]
> Are there any modifications, whether it be patches, sysctl tunings, or
> virtual interface trickery to allow IPFW to act as a "shield" to my
> libpcap program?

It's intentional that libpcap/BPF sees traffic before firewall rules,
routing, and so forth are done. However, if the traffic is only coming
from one side, you might get the desired effect by having your program
listen to the other side of the bridge (i.e., the physical interface).

Failing that, you could change your monitoring tool to not pay attention
to the traffic you want it to ignore.

Regards,
-- 
-Chuck
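Added example, not part of the original thread and not ipfw or libpcap code: Chuck's second suggestion, having the monitoring tool ignore the traffic itself, amounts to reproducing the firewall's verdict inside the program, because the BPF tap delivers every frame to libpcap before ipfw ever evaluates it. The C below parses an Ethernet/IPv4/TCP-or-UDP frame and runs it through a small ipfw-style rule table with first-match, default-deny semantics (ipfw's default rule 65535 is deny unless the kernel was built to accept). The rule table, the 192.0.2.0/24 addresses and the sample frames are constructed for illustration. In a real libpcap program the cheap way to get the same effect is to compile a BPF expression with pcap_compile(3) and install it with pcap_setfilter(3), so unwanted frames are dropped in the kernel before they are copied to user space; the explicit evaluation here just makes the default-deny logic visible.

```c
/*
 * Added example (not from the original post, ipfw or libpcap): a libpcap
 * monitor sees every frame from the BPF tap before ipfw does, so if it
 * should only act on traffic the firewall would pass, it has to make
 * that decision itself. Rule table, addresses and frames are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum action { DENY = 0, ALLOW = 1 };

struct rule {
    enum action act;
    uint8_t  proto;     /* IP protocol number; 0 matches any */
    uint32_t dst_net;   /* destination network, host byte order */
    uint32_t dst_mask;  /* 0 matches any destination */
    uint16_t dst_port;  /* 0 matches any port (or a protocol without ports) */
};

struct pkt {
    uint8_t  proto;
    uint32_t dst;
    uint16_t dport;
};

/* Parse Ethernet + IPv4 (+ TCP/UDP) headers. Returns 0 for anything that is
 * not a well-formed IPv4 frame, so a truncated frame can never match a rule. */
static int parse_frame(const uint8_t *f, size_t len, struct pkt *p)
{
    if (len < 14 + 20 || f[12] != 0x08 || f[13] != 0x00)
        return 0;                               /* too short or not EtherType IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl)
        return 0;
    p->proto = ip[9];
    p->dst   = IP4(ip[16], ip[17], ip[18], ip[19]);
    p->dport = 0;
    if (p->proto == 6 || p->proto == 17) {      /* TCP or UDP: dst port at L4 offset 2 */
        if (len < 14 + ihl + 4)
            return 0;
        p->dport = (uint16_t)((ip[ihl + 2] << 8) | ip[ihl + 3]);
    }
    return 1;
}

/* First matching rule wins; no match behaves like ipfw's default rule (deny). */
static enum action evaluate(const struct rule *rules, size_t n, const uint8_t *f, size_t len)
{
    struct pkt p;
    if (!parse_frame(f, len, &p))
        return DENY;
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (r->proto && r->proto != p.proto)                     continue;
        if ((p.dst & r->dst_mask) != (r->dst_net & r->dst_mask)) continue;
        if (r->dst_port && r->dst_port != p.dport)               continue;
        return r->act;
    }
    return DENY;
}

/* Constructed policy: web to the 192.0.2.0/24 segment, DNS to one resolver. */
static const struct rule mon_rules[] = {
    { ALLOW, 6,  IP4(192, 0, 2, 0),  0xffffff00u, 80 },
    { ALLOW, 17, IP4(192, 0, 2, 53), 0xffffffffu, 53 },
};
static const size_t mon_nrules = sizeof mon_rules / sizeof mon_rules[0];

/* 1 = the monitor should process this frame, 0 = ignore it. */
static int monitor_accepts(const uint8_t *f, size_t len)
{
    return evaluate(mon_rules, mon_nrules, f, len) == ALLOW;
}

/* Build a minimal 42-byte Ethernet/IPv4/TCP-or-UDP frame from 192.0.2.99
 * (checksums left zero; the filter above does not verify them). */
static size_t build_frame(uint8_t *buf, uint8_t proto, uint32_t dst, uint16_t dport)
{
    memset(buf, 0, 42);
    buf[12] = 0x08; buf[13] = 0x00;             /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                               /* version 4, IHL 5 */
    ip[3] = 28;                                 /* total length 20 + 8 */
    ip[8] = 64;                                 /* TTL */
    ip[9] = proto;
    ip[12] = 192; ip[13] = 0; ip[14] = 2; ip[15] = 99;
    ip[16] = (uint8_t)(dst >> 24); ip[17] = (uint8_t)(dst >> 16);
    ip[18] = (uint8_t)(dst >> 8);  ip[19] = (uint8_t)dst;
    ip[20] = 0xc0; ip[21] = 0x00;               /* src port 49152 */
    ip[22] = (uint8_t)(dport >> 8); ip[23] = (uint8_t)dport;
    return 42;
}

/* Verdict for a freshly built frame. */
static int verdict_for(uint8_t proto, uint32_t dst, uint16_t dport)
{
    uint8_t buf[64];
    return monitor_accepts(buf, build_frame(buf, proto, dst, dport));
}

int main(void)
{
    printf("tcp -> 192.0.2.10:80 %s\n", verdict_for(6, IP4(192, 0, 2, 10), 80) ? "process" : "ignore");
    printf("tcp -> 192.0.2.10:22 %s\n", verdict_for(6, IP4(192, 0, 2, 10), 22) ? "process" : "ignore");
    return 0;
}
```

The parser rejects short or non-IPv4 frames outright rather than letting them fall through to a rule, which matters here: the whole point of the exercise is that the tap hands the monitor frames the firewall has not yet vetted, so anything the program cannot fully classify should be treated as something it must ignore.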