Date: Sun, 17 Jun 2007 00:15:20 +0200 From: Volker <volker@vwsoft.com> To: Adam McDougall <mcdouga9@egr.msu.edu> Cc: freebsd-pf@freebsd.org Subject: filtering bridges [was: PF error message looping on screen] Message-ID: <467460F8.6030905@vwsoft.com> In-Reply-To: <20070616192952.GB87503@egr.msu.edu> References: <200706140833.50583.rmiranda@digitalrelay.ca> <200706140921.53115.rmiranda@digitalrelay.ca> <46715C7F.4060602@vwsoft.com> <200706160826.16372.rmiranda@digitalrelay.ca> <4673FFC7.2030904@vwsoft.com> <20070616192952.GB87503@egr.msu.edu>
index | next in thread | previous in thread | raw e-mail
On 06/16/07 21:29, Adam McDougall wrote: > On Sat, Jun 16, 2007 at 05:20:39PM +0200, Volker wrote: ... > If that doesn't help, I recommend rewriting your rules a bit and use > 'set state-policy if-bound' (which I'm using most as I find it better > to administer). Unfortunately I don't have experience with > state-policy if-bound in a bridged environment (just a little warning). > > I was thinking the same thing regarding if-bound. I use if-bound in production > on a pf bridge and found it avoids lots of loose state match and other state > confusion. Also, I have found using pf loud debugging tends to deadlock the > console after not too long if I have more than one cpu enabled, so I avoid > using it in production. After much testing, I feel comfortable without it, > however interesting it is. Adam, good to know, someone else will re-check my writings! ;) A couple of days ago I was writing something totally stupid but nobody complained (conclusion: I will avoid posting to mailing lists when my uptime is -gt 24h). Thanks for your hint. I wasn't quite sure if if-bound works on bridges as I don't have much bridge experiences. On a bridge, does it make sense to filter on bridge0 or is it generally better to filter on it's member interfaces? Using a quick google search, I found some problems when filtering on the bridge interface in the past but if I would be in need of setting up a bridge, it would be the first thing for me to filter on the bridge interface and not on the member interfaces. What's the big reason for either? Thanks Volkerhome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?467460F8.6030905>