From owner-freebsd-pf@FreeBSD.ORG Sun May 8 18:09:57 2011
From: Oguz Yilmaz
Date: Sun, 8 May 2011 20:39:05 +0300
To: freebsd-pf@freebsd.org
Subject: using "include" like statement in pf.conf to include some parts from other files

Hi,

I want to be able to include some parts of my pf.conf from another set of files.

For example I will put "set timeout" and similar statements in another file.

Using anchors and "load anchor from file" statements will not help, because an anchor cannot hold such GLOBAL OPTIONS. In case I put those macros and set statements in an anchor, they will be valid for the anchor only, or not valid at all (set statements).

Regards,
From owner-freebsd-pf@FreeBSD.ORG Sun May 8 19:45:33 2011
From: Jason Hellenthal
Date: Sun, 8 May 2011 15:45:28 -0400
To: Oguz Yilmaz
Cc: freebsd-pf@freebsd.org
Message-ID: <20110508194527.GD3527@DataIX.net>
Subject: Re: using "include" like statement in pf.conf to include some parts from other files

Oguz,

On Sun, May 08, 2011 at 08:39:05PM +0300, Oguz Yilmaz wrote:
> Hi,
>
> I want to be able to include some parts of my pf.conf from another set of files.
>
> For example I will put "set timeout" and similar statements in another file.
>
> Using anchors and "load anchor from file" statements will not help
> because an anchor cannot hold such GLOBAL OPTIONS. In case I put those
> macros and set statements in an anchor, they will be valid for the anchor
> only, or not valid at all (set statements).
>

At this time, as far as I know, this functionality is not available in pf41, which is and has been a part of FreeBSD for quite some time and, I believe, is still a part of -CURRENT.

There has been some work on getting pf up to date as of pf45, where there is a patch that is available for -CURRENT only, but I am not aware whether it supports the functionality you desire.

If that is something you are interested in and know is a part of pf45, then you are welcome to upgrade to -CURRENT and apply that patchset if need be, to help test while achieving your objectives.

Some of the work has been done here:
http://svn.freebsd.org/base/user/eri/pf45/head/

And there are various other messages on the lists that you are welcome to search for if interested.

Good Luck.

--
Regards, (jhell)
Jason Hellenthal
From owner-freebsd-pf@FreeBSD.ORG Sun May 8 21:53:04 2011
From: "Bjoern A. Zeeb"
Date: Sun, 8 May 2011 21:52:58 +0000
To: Jason Hellenthal
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20110508194527.GD3527@DataIX.net>
Subject: Re: using "include" like statement in pf.conf to include some parts from other files

On May 8, 2011, at 7:45 PM, Jason Hellenthal wrote:
> At this time, as far as I know, this functionality is not available in pf41, which
> is and has been a part of FreeBSD for quite some time and, I believe, is still
> a part of -CURRENT.
>
> There has been some work on getting pf up to date as of pf45, where there
> is a patch that is available for -CURRENT only, but I am not aware whether it
> supports the functionality you desire.
>
> Some of the work has been done here:
> http://svn.freebsd.org/base/user/eri/pf45/head/

http://svnweb.freebsd.org/base/projects/pf/pf45/

I hope Ermal will post the final patch RSN and put it into HEAD afterwards.

--
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
From owner-freebsd-pf@FreeBSD.ORG Mon May 9 01:54:43 2011
From: Jason Hellenthal
Date: Sun, 8 May 2011 21:54:30 -0400
To: "Bjoern A. Zeeb"
Cc: freebsd-pf@freebsd.org
Message-ID: <20110509015430.GL3527@DataIX.net>
Subject: Re: using "include" like statement in pf.conf to include some parts from other files

Bjoern,

On Sun, May 08, 2011 at 09:52:58PM +0000, Bjoern A. Zeeb wrote:
> On May 8, 2011, at 7:45 PM, Jason Hellenthal wrote:
> > Some of the work has been done here:
> > http://svn.freebsd.org/base/user/eri/pf45/head/
>
> http://svnweb.freebsd.org/base/projects/pf/pf45/

Thank you for the correction. Le~ Goog has failed me at this point ;)

Do you know "off-hand" if this functionality is available in pf45? I don't expect you to look it up, as I know you have plenty of stuff on your plate, but thought I would ask directly.

> I hope Ermal will post the final patch RSN and put it into HEAD afterwards.

--
Regards, (jhell)
Jason Hellenthal
From owner-freebsd-pf@FreeBSD.ORG Mon May 9 03:51:44 2011
From: Michael
Date: Mon, 09 May 2011 04:25:17 +0100
To: freebsd-pf@freebsd.org
Message-ID: <4DC75E9D.7010806@gmail.com>
Subject: is pf open by default?

Hello,

Is pf in FreeBSD 8.2-R open by default? So that it is NATing and allows anything when it fails to load user-provided rules?

Michael

From owner-freebsd-pf@FreeBSD.ORG Mon May 9 07:08:29 2011
From: Damien Fleuriot
Date: Mon, 9 May 2011 08:38:58 +0200
To: Michael
Cc: freebsd-pf@freebsd.org
In-Reply-To: <4DC75E9D.7010806@gmail.com>
Subject: Re: is pf open by default?

On 9 May 2011, at 05:25, Michael wrote:
> Hello,
>
> Is pf in FreeBSD 8.2-R open by default? So that it is NATing and allows anything when it fails to load user-provided rules?
>
> Michael

It is indeed open by default, but it won't NAT anything, because you won't have any nat rules loaded.

From owner-freebsd-pf@FreeBSD.ORG Mon May 9 11:07:11 2011
From: FreeBSD bugmaster
Date: Mon, 9 May 2011 11:07:11 GMT
To: freebsd-pf@FreeBSD.org
Message-Id: <201105091107.p49B7AoK070699@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).
The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf    [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

46 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue May 10 05:43:55 2011
From: "Peter"
Date: Mon, 9 May 2011 23:17:12 -0600
To: "Oguz Yilmaz"
Cc: freebsd-pf@freebsd.org
Message-ID: <1dabd775786801bbbd7ac95b100605f9.squirrel@pop.pknet.net>
Subject: Re: using "include" like statement in pf.conf to include some parts from other files

> Hi,
>
> I want to be able to include some parts of my pf.conf from another set of
> files.
>
> For example I will put "set timeout" and similar statements in another
> file.
>
> Using anchors and "load anchor from file" statements will not help
> because an anchor cannot hold such GLOBAL OPTIONS. In case I put those
> macros and set statements in an anchor, they will be valid for the anchor
> only, or not valid at all (set statements).
>

Dirty workaround I've used is to build pf.conf from many smaller files. Using the ipfw numbering style you can get away with having:

000.pf.macros.inc
010.pf.tables.inc
020.pf.options.inc
etc. etc.
100.pf.jail1.inc
110.pf.jail2.inc

Of course they were named appropriately, like global/hostA/hostB, and then a simple

:> /etc/pf.conf; for i in `ls /nfs/pf/$hostname/*inc`; do cat $i >> /etc/pf.conf; done

This made updating the "common" parts of many hosts go pretty fast and broke it up into individual parts - heck, it even gives some friends the ability to manage their parts of the rules [jails].

]Peter[
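The assembly Peter describes, as an added example that is not part of his post or of FreeBSD's own rc scripts: a POSIX sh script that concatenates numbered fragments in order, then refuses to install the result if it has lost its catch-all block rule (pf with no rules loaded passes everything, which is the situation Michael asks about above) or if pfctl -n rejects it. The fragment directory layout and file names are assumptions modelled on Peter's naming; pfctl -nf is run only where it exists, so the assembly and policy check also work on a build host that is not the firewall.

```sh
#!/bin/sh
# Added example, not Peter's script or any FreeBSD rc script: build pf.conf from
# numbered fragments and refuse to install a result that has lost its policy
# fragment or that pfctl -n rejects. The layout (NNN.name.inc files in one
# directory, lowest number first) is an assumption taken from Peter's naming.

# assemble_pf_conf DIR OUT
# Concatenates DIR/*.inc in lexical order, which with the NNN. prefix is the
# order pf.conf needs (macros, tables and set options before the rules that use
# them). Each fragment is bracketed with a comment so that the line number in a
# pfctl error can be traced back to the fragment it came from.
assemble_pf_conf() {
    dir=$1; out=$2
    : > "$out"
    for f in "$dir"/*.inc; do
        [ -f "$f" ] || continue
        printf '# --- begin %s ---\n' "${f##*/}" >> "$out"
        cat "$f" >> "$out"
        printf '# --- end %s ---\n' "${f##*/}" >> "$out"
    done
}

# has_default_block FILE
# Succeeds if FILE contains a catch-all "block ... all" rule without an
# "on <if>" qualifier. pf with no rules loaded passes everything, so a build
# that silently dropped the policy fragment must never become /etc/pf.conf.
has_default_block() {
    grep -E '^[[:space:]]*block([[:space:]].*)?[[:space:]]all[[:space:]]*$' "$1" |
        grep -vq '[[:space:]]on[[:space:]]'
}

# install_pf_conf SRCDIR TARGET
# Assembles into a temp file beside TARGET, runs the checks, then renames it
# over TARGET so a half-written file is never what "pfctl -f" reads. The live
# ruleset is not touched here.
install_pf_conf() {
    src=$1; target=$2
    tmp=$(mktemp "$target.XXXXXX") || return 1
    assemble_pf_conf "$src" "$tmp"
    if ! has_default_block "$tmp"; then
        echo "refusing $target: no catch-all block rule in assembled ruleset" >&2
        rm -f "$tmp"; return 1
    fi
    # pfctl -n parses without loading; it is only present on the pf host itself.
    if command -v pfctl >/dev/null 2>&1 && ! pfctl -nf "$tmp"; then
        echo "refusing $target: pfctl -n rejected assembled ruleset" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$target"
}

# demo_build: constructed fragments in a scratch directory (sample input, not a
# real host's rules). Prints the path of the assembled file on success.
demo_build() {
    work=$(mktemp -d) || return 1
    frag=$work/frags; mkdir "$frag"
    printf 'ext_if = "em0"\n'                              > "$frag/000.macros.inc"
    printf 'table <badhosts> persist\n'                    > "$frag/010.tables.inc"
    printf 'set timeout { tcp.established 3600 }\nset skip on lo0\n' \
                                                           > "$frag/020.options.inc"
    printf 'block drop in log all\n'                       > "$frag/030.policy.inc"
    printf 'block in quick from <badhosts>\n'              > "$frag/040.badhosts.inc"
    printf 'pass out on $ext_if keep state\npass in on $ext_if proto tcp to port 22 keep state\n' \
                                                           > "$frag/100.host.inc"
    install_pf_conf "$frag" "$work/pf.conf" && echo "$work/pf.conf"
}

# Run the demo when executed directly.
demo_build
```

On the firewall itself, call install_pf_conf with the fragment directory and /etc/pf.conf, then load with pfctl -f /etc/pf.conf: pfctl parses the whole file before it replaces the loaded rules, so a syntax error at that point keeps the old ruleset. A reload procedure that flushes the rules before loading does not have that safety, which is why the dry run here happens before anything is flushed.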
From owner-freebsd-pf@FreeBSD.ORG Tue May 10 17:13:12 2011
From: Nicolas GRENECHE
Date: Tue, 10 May 2011 18:45:08 +0200
To: freebsd-pf@freebsd.org
Subject: Filtering on a sensor dedicated interface

Hi,

We are currently experimenting with a way of capturing packets of supposedly compromised hosts with PF. So my question may seem a bit odd.

I have two interfaces, em0 and em1, connected to a network TAP. Running tcpdump on each shows me dumped packets, no problem.

Those two interfaces are configured like this in rc.conf:

ifconfig_em0="promisc -arp up"
ifconfig_em1="promisc -arp up"

Loading rules:

sondedi# pfctl -f /etc/pf.conf.local
No ALTQ support in kernel
ALTQ related functions disabled

Showing rules:

sondedi# pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
pass log on em0 inet from any to X.X.X.X no state
pass log on em1 inet from any to X.X.X.X no state

Now if I try to ssh to X.X.X.X, the pflog interface says nothing:

sondedi# tcpdump -netti pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

The rule doesn't seem to be matched.
But a tcpdump tells everything:

  sondedi# tcpdump -netti em0 dst port 22 and dst host X.X.X.X
  tcpdump: WARNING: em0: no IPv4 address assigned
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
  SOME PACKETS ...

Regarding tcpdump, packets seem to go through the interface. Why doesn't
pf see them?

Regards,

From: Daniel Hartmeier
To: Nicolas GRENECHE
Cc: freebsd-pf@freebsd.org
Date: Tue, 10 May 2011 19:38:53 +0200
Message-ID: <20110510173853.GA17049@insomnia.benzedrine.cx>
Subject: Re: Filtering on a sensor dedicated interface

On Tue, May 10, 2011 at 06:45:08PM +0200, Nicolas GRENECHE wrote:

> Regarding tcpdump, packets seem to go through the interface. Why doesn't
> pf see them?

The destination MAC addresses of the ethernet frames do not match the
firewall's.

By putting the interfaces into promiscuous mode, the frames are copied to
BPF readers (like tcpdump), but the host then ignores the frame. Since the
host is neither the recipient nor bridging, there is no reason for pf to
filter the packet, as the frame will be dropped anyway.

I guess you could add the interfaces to bridges or some such construct to
get pf filtering involved. It depends on WHY you want pf to filter
something you don't want to forward, i.e. what would be the purpose of the
packet showing up on pflog.

Daniel

From: Nicolas GRENECHE
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Tue, 10 May 2011 23:49:34 +0200
In-Reply-To: <20110510173853.GA17049@insomnia.benzedrine.cx>
Subject: Re: Filtering on a sensor dedicated interface

2011/5/10 Daniel Hartmeier:
> On Tue, May 10, 2011 at 06:45:08PM +0200, Nicolas GRENECHE wrote:
>
>> Regarding tcpdump, packets seem to go through the interface. Why doesn't
>> pf see them?
>
> The destination MAC addresses of the ethernet frames do not match the
> firewall's.
>
> By putting the interfaces into promiscuous mode, the frames are copied
> to BPF readers (like tcpdump), but the host then ignores the frame.
> Since the host is neither the recipient nor bridging, there is no reason
> for pf to filter the packet, as the frame will be dropped anyway.
>
> I guess you could add the interfaces to bridges or some such construct
> to get pf filtering involved. It depends on WHY you want pf to filter
> something you don't want to forward, i.e. what would be the purpose of
> the packet showing up on pflog.
>
> Daniel

Thanks a lot Daniel, you put me on the right way! The reason was that I
set up the bridge with the "monitoring" option, which only lets BPF readers
acquire network traffic and drops the packets. Now it works perfectly.

Regards,
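Daniel's diagnosis and Nicolas's fix, as an added rc.conf fragment (my example, not configuration posted in the thread): the setting that kept pf out of the path beside the one that puts it back in. The interface names follow the post; the bridge name and everything else are assumptions about a stock FreeBSD host using if_bridge(4).

```sh
# Added example, not from the thread: /etc/rc.conf fragment for a two-port
# TAP sensor whose captured frames should be evaluated by pf.

# TAP monitor ports exactly as in the original post: promiscuous, no
# address, no ARP. Frames arriving here carry someone else's destination
# MAC, so on their own they are handed to BPF (tcpdump) and then discarded
# before pf ever sees them.
ifconfig_em0="promisc -arp up"
ifconfig_em1="promisc -arp up"

cloned_interfaces="bridge0"

# What did not work: a bridge in "monitor" mode. Received frames go to BPF
# readers only and are dropped without being forwarded, which is the same
# dead end as no bridge at all from pf's point of view.
#ifconfig_bridge0="addm em0 addm em1 monitor up"

# What works: an ordinary bridge. The frames now have a forwarding path,
# and with net.link.bridge.pfil_member=1 (enabled by default) pf runs on
# each member interface, so the existing "pass log on em0" / "on em1"
# rules match and the packets appear on pflog0.
ifconfig_bridge0="addm em0 addm em1 up"
```

Two caveats before relying on this. First, the host is now a forwarder, not a listener: TAP monitor ports are normally receive-only, but if yours can transmit, add `block out on { em0, em1 }` to pf.conf so nothing the bridge forwards is re-emitted into the tapped link (pf evaluates the out direction on members as well when pfil_member is set). Second, net.link.bridge.pfil_onlyip is also on by default, so non-IP frames such as ARP are bridged without passing through pf; widen the rules or turn that knob off if those matter to the sensor.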