Date: Mon, 08 Oct 2007 13:48:32 +0300
From: Tobias Ernst <tobi@casino.uni-stuttgart.de>
To: freebsd-pf@freebsd.org
Subject: Filtering bridge plus router - further interface woes
Message-ID: <470A0B00.2040606@casino.uni-stuttgart.de>
In-Reply-To: <4701FAD7.4050600@casino.uni-stuttgart.de>
References: <46EDE839.8060501@criticalmagic.com> <20070917202951.GF2742@heff.fud.org.nz> <46EEE5C9.8050103@criticalmagic.com> <20070917204318.GB9614@heff.fud.org.nz> <4701FAD7.4050600@casino.uni-stuttgart.de>
Dear list,

I have now applied the phys_local_phys patch on 6.2, which does its job for inbound packets to the local firewall, but I am still not able to see outbound packets on the physical interfaces.

As a reminder, my firewall is bridging between various logical segments of our internal net, which consists of only 1 IP subnet, and is also acting as a router for the entire external net:

  bridge0 = em0, em1 (various logical segments of our internal net)
  bridge0 has IP x.x.x.254 (gateway for our internal net)
  em2 is the external interface and has IP x.x.y.123

I used "log-all" type rules to find out which interfaces the packets run through from pf's perspective. Let's consider a ssh connection from an outside computer O connected to em2 to an inside computer I connected to em0.

  Packets from O to I will appear, in order, on the interfaces em2, bridge0
  Packets from I to O will appear, in order, on the interfaces em0, bridge0, em2

What I would like to have is to see the packet from O to I also on em0, and I would not like to see bridge0 /at all/.

I have played around with the other sysctl variables. It turns out that setting pfil_bridge to 0 makes "em2" disappear from the list above, but bridge0 remains, which I think is counter-intuitive or maybe even a bug. Setting pfil_member to 0 does not make any difference.

Are there any further patches from -CURRENT that would make such a behaviour possible?

Also, I wonder whether I could use "synproxy state" for connections from O to I. I know that "synproxy state" does not work for bridges, but those packets are arriving on em2, which is not a member of the bridge, and are then being routed before being put on the bridge, so there should be a possibility for proxying. However, packets still don't get through when I change a "keep state" rule to "synproxy state".

TIA
Regards
Tobias

-- 
Universität Stuttgart | Fakultät für Architektur und Stadtplanung | casinoIT
70174 Stuttgart, Geschwister-Scholl-Straße 24D
T +49 (0)711 121-4228   F +49 (0)711 121-4276
E office@casino.uni-stuttgart.de   I http://www.casino.uni-stuttgart.de
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?470A0B00.2040606>
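The interface-walk Tobias did by hand with "log-all" rules can be read off a pflog capture mechanically. The script below is an added example, not part of the message or of pf: it parses lines in the shape "tcpdump -n -e -ttt -i pflog0" prints for pf log matches and reports, per flow, the ordered list of direction:interface pairs the packet was seen on. The capture lines, addresses and ports are constructed to mirror the O-to-I and I-to-O paths described above, and the field positions assume that tcpdump output shape.

```shell
#!/bin/sh
# Constructed pflog lines (not a real capture) in the form tcpdump prints for
# pf matches: "<delta> rule N/0(match): <action> <dir> on <iface>: <src> > <dst>: ...".
# O = 203.0.113.5 (outside, behind em2), I = 192.0.2.10 (inside, behind em0), ssh to port 22.
PFLOG_SAMPLE='00:00:00.000000 rule 0/0(match): pass in on em2: 203.0.113.5.51234 > 192.0.2.10.22: S 1:1(0) win 65535
00:00:00.000120 rule 1/0(match): pass out on bridge0: 203.0.113.5.51234 > 192.0.2.10.22: S 1:1(0) win 65535
00:00:00.000450 rule 2/0(match): pass in on em0: 192.0.2.10.22 > 203.0.113.5.51234: S 2:2(0) ack 2 win 65535
00:00:00.000010 rule 1/0(match): pass out on bridge0: 192.0.2.10.22 > 203.0.113.5.51234: S 2:2(0) ack 2 win 65535
00:00:00.000030 rule 3/0(match): pass out on em2: 192.0.2.10.22 > 203.0.113.5.51234: S 2:2(0) ack 2 win 65535'

# iface_path SRC DST
#   Print the space-separated sequence of "dir:iface" pairs on which pf logged
#   packets from SRC (addr.port) to DST (addr.port), in capture order.
iface_path() {
    printf '%s\n' "$PFLOG_SAMPLE" | awk -v src="$1" -v dst="$2" '
        {
            # $4=action $5=direction $6="on" $7="iface:" $8=src $9=">" $10="dst:"
            iface = $7; sub(/:$/, "", iface)
            d = $10;    sub(/:$/, "", d)
            if ($8 == src && d == dst)
                out = out (out == "" ? "" : " ") $5 ":" iface
        }
        END { print out }'
}

# bridge_seen SRC DST
#   Exit 0 if the flow was logged on bridge0 at all, 1 otherwise. This is the
#   condition Tobias wants to see become false for both directions.
bridge_seen() {
    case " $(iface_path "$1" "$2") " in
        *" in:bridge0 "*|*" out:bridge0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: replace PFLOG_SAMPLE with real "tcpdump -n -e -ttt -i pflog0" output, then:
#   iface_path 203.0.113.5.51234 192.0.2.10.22      # O -> I
#   iface_path 192.0.2.10.22 203.0.113.5.51234      # I -> O
```

Re-running the same two calls after each change to net.link.bridge.pfil_bridge and net.link.bridge.pfil_member shows directly which interfaces drop out of the path.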