From owner-freebsd-pf@FreeBSD.ORG Thu Apr 21 22:04:10 2005
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A4F9516A4CE; Thu, 21 Apr 2005 22:04:10 +0000 (GMT)
Received: from mailhost.u-strasbg.fr (mailhost.u-strasbg.fr [130.79.200.155]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6F1EC43D39; Thu, 21 Apr 2005 22:04:09 +0000 (GMT) (envelope-from Philippe.Pegon@crc.u-strasbg.fr)
Received: from sokaris.u-strasbg.fr (sokaris.u-strasbg.fr [IPv6:2001:660:2402::101]) id j3LM47mq045279; Fri, 22 Apr 2005 00:04:07 +0200 (CEST)
Received: from [192.168.0.100] (crc.u-strasbg.fr [IPv6:2001:660:2402:1001::1]) j3LM46tt060807; Fri, 22 Apr 2005 00:04:07 +0200 (CEST)
Message-ID: <42682451.3060602@crc.u-strasbg.fr>
Date: Fri, 22 Apr 2005 00:08:17 +0200
From: Philippe PEGON
User-Agent: Mozilla Thunderbird 1.0 (X11/20050116)
X-Accept-Language: fr, en
MIME-Version: 1.0
To: Ryan Stark
References: <72c3a957050411062060eea5cc@mail.gmail.com> <20050418220237.GJ867@chimie.u-strasbg.fr> <20050419015321.2b893054.syah@io.com>
In-Reply-To: <20050419015321.2b893054.syah@io.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.6 (mailhost.u-strasbg.fr [IPv6:2001:660:2402::155]); Fri, 22 Apr 2005 00:04:08 +0200 (CEST)
X-Antivirus: scanned by sophos at u-strasbg.fr
Cc: freebsd-pf@freebsd.org
Subject: Re: pf + bridge
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
X-List-Received-Date: Thu, 21 Apr 2005 22:04:10 -0000

Ryan Stark wrote:
> On Tue, 19 Apr 2005 00:02:37 +0200
> Guy Brand wrote:
>
>> On 11 April at 13:20, Sergey Lyubka wrote:
>>
>>> I am trying to build a transparent filtering box.
>>> Box is running freebsd 5.4, pf and bridge, this is
>>> the setup:
>>
>> FreeBSD has no support for pf in its bridge code. Neither has it
>> IPv6 support.
>
> I have been using FreeBSD & pf as a transparent bridge since 5.2.
> (Before that, I was using OpenBSD & pf)
>
> Mine looks something like this:
>
>          in
>          |
>          | fxp0, 0.0.0.0
>        -----
>        |   |
>        |   |--- fxp1, (internal admin interface)
>        |   |
>        -----
>          |
>          | fxp1, 0.0.0.0
>
> cat /etc/sysctl.conf
>
> #bridging enable for fxp0,fxp1
> net.link.ether.bridge.config=fxp0:0,fxp1:0
> net.link.ether.bridge.enable=1
>
> cat rc.conf
>
> pflog_enable="YES"
> # Set to YES to enable packet filter logging
>
> pf_rules="/etc/host.pf.conf"
> # rules definition file for pf. different than default. mergemaster
> # likes to clobber default
>
> pflog_enable="YES"
> # Set to YES to enable packet filter logging
>
> ifconfig
>
> fxp0: flags=8943 mtu 1500
>         options=48
>         ether 00:90:27:59:03:71
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> fxp1: flags=8943 mtu 1500
>         options=48
>         ether 00:a0:c9:d8:8f:b1
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
> A slightly dated, but fully functional ruleset can be found
> here:
>
> http://www.io.com/sirius/pf.conf-3.3.example
>
> Hope that might clear up any confusion.

It seems, according to an old thread (see below), that the pfil hook for
outbound packets is absent. Are you sure that your "pass out" rules are
evaluated? Under these conditions, pf can't run correctly in bridge mode.

http://lists.freebsd.org/pipermail/freebsd-pf/2004-December/thread.html#621

> With regards to Sergey's original question; I have not
> played with the web proxy on the bridge, however I have used the
> ftp proxy module on my NAT gateway machine with no problems. Maybe
> using it there would work better?

-- 
Philippe PEGON
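Philippe's question ("are you sure your pass out rules are evaluated?") can be answered from the rule counters rather than by argument. The script below is an added example, not part of the thread or of either poster's configuration. It assumes the verbose rule dump format of `pfctl -vsr`, where each rule line is followed by an indented counter line of the form `[ Evaluations: N Packets: N Bytes: N States: N ]`; the sample dump embedded in it is constructed, not captured from a real bridge, and the interface names and addresses in it are made up.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find outbound pf rules
# that have never been evaluated. If the bridge code has no outbound pfil
# hook, as the thread suggests for FreeBSD 5.x, every "out" rule keeps an
# Evaluations counter of 0 no matter how much traffic crosses the bridge,
# while the "in" rules count normally. Comparing the two exposes that.

# Constructed sample in the shape of `pfctl -vsr` output (not a real capture):
# the inbound rules have been evaluated, the outbound ones never.
SAMPLE_RULES='block drop in all
  [ Evaluations: 5120      Packets: 17        Bytes: 1360        States: 0     ]
pass in quick on fxp0 inet proto tcp from any to 192.0.2.10 port = ssh keep state
  [ Evaluations: 5103      Packets: 4         Bytes: 320         States: 1     ]
block drop out all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
pass out quick on fxp1 inet proto tcp from 192.0.2.10 to any port = http keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]'

# unevaluated_out_rules: read a `pfctl -vsr` dump on stdin and print every
# outbound rule whose Evaluations counter is still 0. Prints nothing when all
# out rules have been evaluated at least once.
unevaluated_out_rules() {
    awk '
        # Rule lines start in column 1. Remember the text and whether the
        # direction word is "out" ("pass out ...", "block drop out ...").
        /^[^ \t]/ {
            rule = $0
            outbound = ($2 == "out" || $3 == "out")
            next
        }
        # The counter line follows its rule; field 3 is the Evaluations value.
        /^[ \t]*\[ Evaluations:/ {
            if (outbound && $3 == 0) print rule
        }
    '
}

# bridge_out_rules_evaluated: exit status 0 if every out rule in the dump on
# stdin has been evaluated at least once, 1 otherwise.
bridge_out_rules_evaluated() {
    [ -z "$(unevaluated_out_rules)" ]
}

# Demonstration on the constructed sample. On a real bridge, push some
# traffic through it first and then run:  pfctl -vsr | unevaluated_out_rules
echo "out rules never evaluated:"
printf '%s\n' "$SAMPLE_RULES" | unevaluated_out_rules
if printf '%s\n' "$SAMPLE_RULES" | bridge_out_rules_evaluated; then
    echo "result: outbound rules are being evaluated"
else
    echo "result: outbound rules are never evaluated; pass out / block out do nothing here"
fi
```

The check is only meaningful after traffic has actually crossed the bridge in both directions; a freshly loaded ruleset has all counters at zero, inbound and outbound alike, and tells you nothing.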