From owner-freebsd-pf@FreeBSD.ORG Sat Jun 16 22:16:25 2007
From: Volker <volker@vwsoft.com>
To: Adam McDougall
Cc: freebsd-pf@freebsd.org
Subject: filtering bridges [was: PF error message looping on screen]
Date: Sun, 17 Jun 2007 00:15:20 +0200
Message-ID: <467460F8.6030905@vwsoft.com>
In-Reply-To: <20070616192952.GB87503@egr.msu.edu>
References: <200706140833.50583.rmiranda@digitalrelay.ca> <200706140921.53115.rmiranda@digitalrelay.ca> <46715C7F.4060602@vwsoft.com> <200706160826.16372.rmiranda@digitalrelay.ca> <4673FFC7.2030904@vwsoft.com> <20070616192952.GB87503@egr.msu.edu>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 06/16/07 21:29, Adam McDougall wrote:
> On Sat, Jun 16, 2007 at 05:20:39PM +0200, Volker wrote:
> ...
> If that doesn't help, I recommend rewriting your rules a bit and use
> 'set state-policy if-bound' (which I'm using most as I find it better
> to administer). Unfortunately I don't have experience with
> state-policy if-bound in a bridged environment (just a little warning).
>
> I was thinking the same thing regarding if-bound. I use if-bound in production
> on a pf bridge and found it avoids lots of loose state match and other state
> confusion. Also, I have found using pf loud debugging tends to deadlock the
> console after not too long if I have more than one cpu enabled, so I avoid
> using it in production. After much testing, I feel comfortable without it,
> however interesting it is.

Adam, good to know, someone else will re-check my writings! ;)

A couple of days ago I was writing something totally stupid but nobody
complained (conclusion: I will avoid posting to mailing lists when my
uptime is -gt 24h).

Thanks for your hint. I wasn't quite sure if if-bound works on bridges as
I don't have much bridge experience.

On a bridge, does it make sense to filter on bridge0 or is it generally
better to filter on its member interfaces? Using a quick google search,
I found some problems when filtering on the bridge interface in the past,
but if I would be in need of setting up a bridge, it would be the first
thing for me to filter on the bridge interface and not on the member
interfaces. What's the big reason for either?

Thanks
Volker
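The ruleset below is an added illustration of the two points raised in this message (`set state-policy if-bound` on a pf bridge, and filtering on the member interfaces rather than on bridge0); it is not a ruleset posted by Volker or Adam. The interface names em0/em1 and the 192.0.2.0/24 network are placeholders. It assumes FreeBSD's if_bridge(4) sysctls are set to net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0, so pf sees each forwarded packet exactly twice: inbound on one member and outbound on the other, never on bridge0 itself.

```pf
# Added example, not from the thread: pf.conf for a filtering bridge with
# interface-bound states. Assumes bridge0 with members em0 (outside) and
# em1 (inside); both names and the LAN prefix are placeholders.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.0.2.0/24"   # constructed example network (RFC 5737 TEST-NET-1)

# Bind every state to the interface it was created on. With floating states a
# packet arriving on em1 can match a state created by traffic on em0, which is
# the "loose state match" confusion a bridge tends to produce.
set state-policy if-bound
set skip on lo0

block log all

# Because the packet is filtered once per member, each direction needs a rule
# on the ingress member and one on the egress member; each creates its own
# state on that interface, and replies match those states in reverse.

# LAN hosts may initiate outbound connections through the bridge.
pass in  on $int_if inet from $lan_net to any keep state
pass out on $ext_if inet from $lan_net to any keep state

# Only SSH may be initiated from outside towards the LAN.
pass in  on $ext_if inet proto tcp from any to $lan_net port 22 keep state
pass out on $int_if inet proto tcp from any to $lan_net port 22 keep state
```

If net.link.bridge.pfil_bridge is instead set to 1 (and pfil_member to 0), the same traffic is seen only on bridge0 and the rules would name bridge0 in place of the member interfaces; enabling both sysctls at once makes pf evaluate every packet on both the member and bridge0, which is rarely what is intended. Whichever is chosen, `pfctl -ss` shows the interface each state is bound to, which is the quickest way to confirm that if-bound states are being created where the rules expect them.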