Date: Thu, 26 Nov 2009 08:54:32 +0000
From: krad <kraduk@googlemail.com>
To: Vincent Hoffman <vince@unsane.co.uk>
Cc: Brian McCann <bjmccann@gmail.com>, freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: pf nuttyness
Message-ID: <d36406630911260054s4b369ed2y6bc46c9a6da55da@mail.gmail.com>
In-Reply-To: <4B0D3897.808@unsane.co.uk>
References: <2b5f066d0911241502x2395b7aey328455f67a9b5d6@mail.gmail.com> <d36406630911250148v23da0853le54fb7e48ff6da64@mail.gmail.com> <4B0D3897.808@unsane.co.uk>
2009/11/25 Vincent Hoffman <vince@unsane.co.uk>

> krad wrote:
> > 2009/11/24 Brian McCann <bjmccann@gmail.com>
> >
> >> I'm at the end of my rope here with PF. I have a ruleset loaded, that
> >> is long and complicated...but I've shortened it to a "pass all" rule.
> >> The box has 4 interfaces, one for pfsync, one for me to connect to it,
> >> and two bridged interfaces. The only traffic on the bridged
> >> interfaces is STP and IP multicast traffic from my EIGRP routers.
> >> When I run "pfctl -s rules -v", the EIGRP multicast traffic never hits
> >> any rules...yet it's allowed.
> >>
> >> I'm on FreeBSD 7.1.
> >>
> >> Has anyone else come across this before? I'm ready to throw out
> >> FreeBSD 7.1 and try OpenBSD for pf use...which would be a shame since
> >> I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
> >> would just be... weird...
> >>
> >> --Brian
> >>
> Have you read the if_bridge(4) manpage? I'd recommend starting at the
> heading "PACKET FILTERING" and checking you have the correct sysctl
> settings.
> pf certainly can filter bridge interfaces according to the manpage. That
> said I've never tried it.
>
> Vince
>
> >> --
> >> _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
> >> Brian McCann
> >>
> >> "I don't have to take this abuse from you -- I've got hundreds of
> >> people waiting to abuse me."
> >> -- Bill Murray, "Ghostbusters"
> >> _______________________________________________
> >> freebsd-questions@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> >>
> >
> > pf works at layer 3 (ip); bridging works at layer 2 (ethernet/datalink),
> > therefore the traffic probably never gets to the upper layer of the ip stack
> > where pf works.
> >
> > You can do l2 filtering with ipfw if you enable the sysctl variable
> > net.link.bridge.ipfw=1. However I'm not sure if you can do it with pf on
> > freebsd. I had a quick scout through the man pages and can't see anything.
> > However I'm fairly sure you can do l2 stuff with pf in openbsd.
> >
> > As your traffic is multicast you could always configure your bsd box as a
> > multicast router rather than bridging the traffic. pf should see the traffic
> > then as you're working at l3 and above

I think this is the one you want:

    echo net.link.bridge.pfil_bridge=1 >> /etc/sysctl.conf
    /etc/rc.d/sysctl restart
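The sysctl check Vince and krad point at, as an added example that is not code from the thread: it reads a `sysctl net.link.bridge` listing and reports whether pf is in the path of bridged traffic at all. The `pfil_member` knob is taken from if_bridge(4) alongside `pfil_bridge`; the two sample listings are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from the net.link.bridge
# sysctls whether pf ever sees frames crossing an if_bridge(4), which is why
# a "pass all" ruleset can show zero matches.
#
# Knobs (names from if_bridge(4)):
#   net.link.bridge.pfil_bridge  1 = run the packet filter on the bridge interface
#   net.link.bridge.pfil_member  1 = run the packet filter on each member interface
# With both at 0 the bridge forwards below pf, so no rule can match.

# bridge_pfil_verdict: reads "key: value" lines (the format `sysctl
# net.link.bridge` prints) on stdin and prints one word:
#   bridge | member | both  -> pf sees the traffic on that interface
#   none                    -> pf is bypassed; fix with pfil_bridge=1
# Exit status is 0 when pf sees the traffic, 1 when it is bypassed.
bridge_pfil_verdict() {
    bridge=0
    member=0
    while IFS= read -r line; do
        key=${line%%:*}
        val=${line#*:}
        val=${val# }            # drop the space that follows the colon
        case "$key" in
            net.link.bridge.pfil_bridge) bridge=$val ;;
            net.link.bridge.pfil_member) member=$val ;;
        esac
    done
    case "$bridge$member" in
        11) echo both ;;
        10) echo bridge ;;
        01) echo member ;;
        *)  echo none; return 1 ;;
    esac
}

# Constructed listing reproducing the symptom: filtering off at both levels.
SAMPLE_OFF='net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw: 0'

# Constructed listing for the same box after krad's one-line fix.
SAMPLE_FIXED='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw: 0'

if [ "$(uname -s)" = FreeBSD ]; then
    sysctl net.link.bridge | bridge_pfil_verdict      # live check
else
    printf '%s\n' "$SAMPLE_OFF" | bridge_pfil_verdict || echo "(pf bypassed, as in the thread)"
fi
```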