From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Sun, 20 Apr 2008 21:31:58 +0200
Subject: Re: PF + if_bridge + NAT anomaly
Message-Id: <200804202131.58491.max@love2party.net>
In-Reply-To: <48090340.50200@jcornwall.me.uk>

On Friday 18 April 2008 22:23:28 Jay L. T. Cornwall wrote:
> Jay L. T. Cornwall wrote:
> > Even without 'block out all', the simple presence of:
> > pass out quick on $bridge_if
> >
> > Causes NAT to stop. tcpdump on vr1 shows that packets with private
> > IPs are passing to the WAN (and being filtered upstream). What is
> > causing NAT to stop functioning by the presence of a loose rule? Does
> > the default 'pass all' have additional flags necessary for NAT to
> > function correctly?
>
> OK, I've solved this. Kind of.
>
> By setting the sysctl net.link.bridge.pfil_bridge to 0 from its default
> 1 the 'pass out' rule no longer breaks NAT. Oddly, a 'pass in' rule on
> bridge0 is still required even though if_bridge(4) would suggest
> otherwise:
>
> net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge
> interface, set to 0 to disable it.
>
> OK, whatever. :)

Filtering on a bridge is a bit tricky. I think what happened in your scenario is that a state was created for the flow on *IN* bridge0 which would then prevent NAT from happening.

Would you be up to sharing your complete working setup for future reference?

-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
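As an added illustration of the working setup Jay describes (this is not a configuration posted by either participant; everything except bridge0, vr1 and the pfil_bridge sysctl is an assumption), a pf.conf fragment with the NAT rule on the WAN side, the bridge rule that is still needed, and the bridge rule that broke NAT left commented out:

```pf
# Added example, not from the thread. Assumed topology: vr1 is the WAN
# interface doing NAT, bridge0 is the bridge carrying the private LAN,
# 10.0.0.0/24 is that LAN (placeholder addresses).
ext_if    = "vr1"
bridge_if = "bridge0"
lan_net   = "10.0.0.0/24"

# Companion setting in /etc/sysctl.conf (from the thread):
#   net.link.bridge.pfil_bridge=0
# With the default of 1 the packet is also run through pf on bridge0.
# Per Max's explanation, a state created for the flow on bridge0 is then
# what the packet matches later, so the nat rule on $ext_if is never
# evaluated and the private source address leaves vr1 untranslated.

# Translate the private LAN on the WAN interface.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Jay reports this rule is still required even with pfil_bridge=0.
pass in on $bridge_if all

# Do not add the rule below: it is the one that stopped NAT.
# pass out quick on $bridge_if

# Outbound traffic leaves via the WAN interface as usual.
pass out on $ext_if all keep state
```

After changing the sysctl, verify with `pfctl -s state` that the states for LAN flows are created on vr1 (with the translated address) rather than on bridge0.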