Date:      Thu, 2 Dec 2004 12:39:20 +0900
From:      Pyun YongHyeon <yongari@kt-is.co.kr>
To:        gtg062h@mail.gatech.edu
Cc:        freebsd-pf@freebsd.org
Subject:   Re: FreeBSD bridge + filtering, BIG problem
Message-ID:  <20041202033920.GC12155@kt-is.co.kr>
In-Reply-To: <7c8f27920412010523730447de@mail.gmail.com>
References:  <20041201045203.262D443D5C@mx1.FreeBSD.org> <20041201110912.GA9840@kt-is.co.kr> <7c8f27920412010523730447de@mail.gmail.com>

On Wed, Dec 01, 2004 at 08:23:39AM -0500, Josh Kayse wrote:

[...]
 > 
 > I know it's been touched on in the past, but can you explain why
 > stateful inspection does not work in a bridged mode?  And why it only
 > filters for inbound traffic?  Does ipfw suffer from the same feature? 
 > Thanks.
 > 

Both pf/ipf need to see inbound/outbound traffic in order to
create states. But in bridge(4), the pfil(9) hook for outbound packets
is absent. ipfw can create states without seeing outbound packets.
Maybe it was the authors' intention to reduce overhead by not
checking packets in both directions.

I guess ipfw can't filter outbound packets in a bridged setup either.

A long time ago, I wrote a patch to add a pfil(9) outbound hook
in the bridge setup. The patch makes pf's scrub rule work too.
It won't apply to 5.3R, but you can see the point.

http://www.kr.freebsd.org/~yongari/patches/bridge.patch

 > -josh
 > 
 > -- 
 > Joshua Kayse
 > Computer Engineering

-- 
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari	|	yongari@freebsd.org