Date:      Wed, 1 Dec 2004 09:43:19 -0800
From:      Jon Simola <jsimola@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: FreeBSD bridge + filtering, BIG problem
Message-ID:  <8eea0408041201094326d6726c@mail.gmail.com>
In-Reply-To: <7c8f27920412010523730447de@mail.gmail.com>
References:  <20041201045203.262D443D5C@mx1.FreeBSD.org> <20041201110912.GA9840@kt-is.co.kr> <7c8f27920412010523730447de@mail.gmail.com>

On Wed, 1 Dec 2004 08:23:39 -0500, Josh Kayse <josh.kayse@gmail.com> wrote:

> I know it's been touched on in the past, but can you explain why
> stateful inspection does not work in a bridged mode?  And why it only
> filters for inbound traffic?  Does ipfw suffer from the same feature?

'man ipfw' and look at the PACKET FLOW section. Bridged packets are
only passed to the firewall at layer 2 and only via the bdg_forward
path. There is no path through ip_output or ether_output_frame, so
it's easiest to think of ipfw as being able to check packets only as
they enter and not as they leave.
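
[Added example, not part of Jon's reply or the FreeBSD sources: a small
ipfw ruleset for a two-port bridge written around the point above, i.e.
that a bridged packet hits ipfw exactly once, on the bdg_forward pass as
it enters, so every rule is written as 'in via <receiving interface>', no
'out' rule is used, and no keep-state/check-state is relied on; the
ruleset is stateless and uses the 'setup'/'established' TCP flag matches
instead. The interface names fxp0/fxp1, the 192.0.2.0/24 inside network
and the 5.x-style net.link.ether.bridge.* sysctl names are assumptions;
check sysctl -a and ipfw(8) for your release. IPFW and SYSCTL can be
overridden (e.g. IPFW=echo) to dry-run the ruleset as text.]

```shell
#!/bin/sh
# Added example (not from the thread): stateless ipfw ruleset for a
# FreeBSD 5.x-era bridge with bridge_ipfw enabled. Interface names,
# the inside prefix and the sysctl names below are assumptions.
IPFW=${IPFW:-ipfw}
SYSCTL=${SYSCTL:-sysctl}
INSIDE_IF=${INSIDE_IF:-fxp0}      # assumed: port facing the protected LAN
OUTSIDE_IF=${OUTSIDE_IF:-fxp1}    # assumed: port facing the upstream
INSIDE_NET=${INSIDE_NET:-192.0.2.0/24}   # assumed: documentation prefix

# Bridge the two ports and hand bridged IP packets to ipfw. Without the
# ipfw sysctl, bridged traffic never reaches the ruleset at all.
bridge_sysctls() {
    "$SYSCTL" net.link.ether.bridge.config="$INSIDE_IF,$OUTSIDE_IF"
    "$SYSCTL" net.link.ether.bridge.ipfw=1
    "$SYSCTL" net.link.ether.bridge.enable=1
}

# Every rule matches the single inbound pass on the receiving interface.
# An 'out via' rule would never match a bridged packet, and a dynamic
# rule has no outbound leg to pair with, so TCP replies are admitted by
# 'established' rather than keep-state. Note the classic cost of that:
# any ACK-flagged segment toward the inside is let through (rule 400).
bridge_ruleset() {
    "$IPFW" -q flush
    # Inbound web service on the LAN: new connections, then replies.
    "$IPFW" add 100 allow tcp from any to "$INSIDE_NET" 80 setup in via "$OUTSIDE_IF"
    "$IPFW" add 200 allow tcp from "$INSIDE_NET" 80 to any established in via "$INSIDE_IF"
    # LAN-initiated TCP out, and the (stateless) reply path back in.
    "$IPFW" add 300 allow tcp from "$INSIDE_NET" to any setup in via "$INSIDE_IF"
    "$IPFW" add 400 allow tcp from any to "$INSIDE_NET" established in via "$OUTSIDE_IF"
    # DNS from the LAN; UDP has no flags, so both legs are explicit.
    "$IPFW" add 500 allow udp from "$INSIDE_NET" to any 53 in via "$INSIDE_IF"
    "$IPFW" add 600 allow udp from any 53 to "$INSIDE_NET" in via "$OUTSIDE_IF"
    # Everything else that ipfw is shown gets logged and dropped.
    "$IPFW" add 65000 deny log ip from any to any
}

# Apply only when asked to, so sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
    bridge_sysctls
    bridge_ruleset
fi
```

Run it as `sh bridge-ipfw.sh apply` as root, or `IPFW=echo SYSCTL=echo sh bridge-ipfw.sh apply` to see the commands without loading them. If you do want a dynamic ruleset on a bridge, the thread's point is the thing to test first: add a keep-state rule, generate traffic across the bridge, and watch `ipfw -d show` for whether the reply leg ever hits ipfw on an outbound pass.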
