From owner-freebsd-questions@FreeBSD.ORG Thu Nov 26 08:54:34 2009
From: krad
To: Vincent Hoffman
Cc: Brian McCann, freebsd-questions
Date: Thu, 26 Nov 2009 08:54:32 +0000
Subject: Re: pf nuttyness
In-Reply-To: <4B0D3897.808@unsane.co.uk>
References: <2b5f066d0911241502x2395b7aey328455f67a9b5d6@mail.gmail.com> <4B0D3897.808@unsane.co.uk>
Content-Type: text/plain; charset=ISO-8859-1
2009/11/25 Vincent Hoffman

> krad wrote:
> > 2009/11/24 Brian McCann
> >
> >> I'm at the end of my rope here with PF. I have a ruleset loaded, that
> >> is long and complicated...but I've shortened it to a "pass all" rule.
> >> The box has 4 interfaces, one for pfsync, one for me to connect to it,
> >> and two bridged interfaces. The only traffic on the bridged
> >> interfaces is STP and IP multicast traffic from my EIGRP routers.
> >> When I run "pfctl -s rules -v", the EIGRP multicast traffic never hits
> >> any rules...yet it's allowed.
> >>
> >> I'm on FreeBSD 7.1.
> >>
> >> Has anyone else come across this before? I'm ready to throw out
> >> FreeBSD 7.1 and try OpenBSD for pf use...which would be a shame since
> >> I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
> >> would just be... weird...
> >>
> >> --Brian
> >>
> Have you read the if_bridge(4) manpage? I'd recommend starting at the
> heading "PACKET FILTERING" and checking you have the correct sysctl
> settings.
> pf certainly can filter bridge interfaces according to the manpage. That
> said I've never tried it.
>
> Vince
>
> >> --
> >> _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
> >> Brian McCann
> >>
> >> "I don't have to take this abuse from you -- I've got hundreds of
> >> people waiting to abuse me."
> >> -- Bill Murray, "Ghostbusters"
> >> _______________________________________________
> >> freebsd-questions@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> >>
> > pf works at layer 3 (ip); bridging works at layer 2 (ethernet/datalink),
> > therefore the traffic probably never gets to the upper layer of the ip stack
> > where pf works.
> >
> > You can do l2 filtering with ipfw if you enable the sysctl variable
> > net.link.bridge.ipfw=1. However I'm not sure if you can do it with pf on
> > freebsd. I had a quick scout through the man pages and can't see anything.
> > However I'm fairly sure you can do l2 stuff with pf in openbsd.
> >
> > As your traffic is multicast you could always configure your bsd box as a
> > multicast router rather than bridging the traffic. pf should see the traffic
> > then as you're working at l3 and above

I think this is the one you want

    echo net.link.bridge.pfil_bridge=1 >> /etc/sysctl.conf
    /etc/rc.d/sysctl restart
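An added example (not from krad's reply or from if_bridge(4) itself) that does two things the bare `echo >>` above does not: it updates /etc/sysctl.conf idempotently so repeated runs never stack duplicate entries, and it reads a `sysctl -e net.link.bridge` style "key=value" listing to report where pf actually gets to see bridged frames (on the member interfaces, on the bridge interface, both, or nowhere). The sysctl names are the ones documented in if_bridge(4); the listing below is a constructed sample, not output from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. Sysctl names are from if_bridge(4);
# SAMPLE_LISTING is constructed, not captured from a real machine.

# set_conf FILE KEY VALUE: rewrite an existing "KEY=..." line or append one,
# so running it twice never leaves two entries in sysctl.conf.
set_conf() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # keep every other line untouched, replace only the matching key
        awk -v k="$key" -v v="$value" -F= '$1==k {print k"="v; next} {print}' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# conf_value FILE KEY: print the value recorded for KEY (empty if absent).
conf_value() {
    awk -v k="$2" -F= '$1==k {print $2}' "$1"
}

# bridge_filter_status LISTING: LISTING holds "name=value" lines as printed by
# `sysctl -e net.link.bridge`. Prints "both", "member", "bridge" or "none"
# depending on pfil_member / pfil_bridge, i.e. where pf hooks bridged traffic.
bridge_filter_status() {
    member=$(printf '%s\n' "$1" | awk -F= '$1=="net.link.bridge.pfil_member"{print $2}')
    bridge=$(printf '%s\n' "$1" | awk -F= '$1=="net.link.bridge.pfil_bridge"{print $2}')
    case "${member:-0}${bridge:-0}" in
        11) echo both ;;
        10) echo member ;;
        01) echo bridge ;;
        *)  echo none ;;
    esac
}

# Constructed sample listing: filtering only on member interfaces.
SAMPLE_LISTING='net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0
net.link.bridge.ipfw=0'

if [ "${1:-}" = demo ]; then
    echo "pf currently hooks bridged traffic on: $(bridge_filter_status "$SAMPLE_LISTING")"
    set_conf ./sysctl.conf.example net.link.bridge.pfil_bridge 1
    cat ./sysctl.conf.example
fi
```

Run it as `sh script.sh demo` to see the report and the resulting file; on a real box point `set_conf` at /etc/sysctl.conf and feed `bridge_filter_status` the live `sysctl -e net.link.bridge` output.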