From: Hideki Yamamoto <yamamoto436@oki.com>
To: thompsa@freebsd.org
Cc: michiel@nl-hrln-ptgrf.net, freebsd-pf@freebsd.org
Subject: Re: Possible bug in PF with if_bridge
Date: Sun, 18 Dec 2005 00:20:12 +0900 (JST)
Message-Id: <20051218.002012.74721675.yamamoto436@oki.com>
In-Reply-To: <20051213195624.GA5248@heff.fud.org.nz>

Hi,

I am also struggling with pf with if_bridge for RTP on IPv6.
I have found a pointer on pf+bridge by searching Google. That is
http://lists.freebsd.org/pipermail/freebsd-pf/2005-January/000762.html.
I have not tried it yet. I hope you will reply with your result to share the experience.

Best regards,
Hideki Yamamoto

From: Andrew Thompson
Subject: Re: Possible bug in PF with if_bridge
Date: Wed, 14 Dec 2005 08:56:24 +1300
Message-ID: <20051213195624.GA5248@heff.fud.org.nz>

> On Tue, Dec 13, 2005 at 06:07:46PM +0100, Michiel Kranenburg wrote:
> > Hello all,
> >
> > I may have found a bug in PF (in combination with if_bridge) for
> > FreeBSD 6.0-RELEASE.
> >
> > The weird thing occurs when using PF to filter the bridge.
> > Let me post my pf.conf first: (I did not post the declaration of variables
> > on top of the conf)
> >
> > ---------------------------------------------
> > scrub in all
> >
> > block in log on bridge0 from any to $mynet
> > block return-rst in log on bridge0 proto tcp from any to $mynet
> >
> > pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
> > pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
> >
> > pass on lo0 all
> [...]
> >
> > Now comes the strange part:
> >
> > Behind $web and $mail are running SSH servers. As defined by the rules, I
> > don't want to allow any connection from the outside to the SSH servers.
> > BUT, some hosts/IP addresses can _still_ connect to the SSH servers(!), and
> > some _don't_ (as it is supposed to be).
>
> You should probably be filtering on the member interfaces rather than
> bridge0 if you are doing keep-state.
>
> bridge0 has no direction so packets travelling in one direction look the
> same as the reverse path, this may be tripping up with stateful rules.
>
> Can you try changing your pf rules to filter on xl1 and xl2 and see if
> you get the same behaviour.
>
> P.S. 6.0-RELEASE has a mbuf leak with if_bridge(4)+pfil(9), you may want
> to go to RELENG_6
>
> cheers,
> Andrew
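The change Andrew suggests, written out as a pf.conf fragment; this is an added example, not configuration from anyone in the thread. It assumes xl1 is the bridge member facing the outside, xl2 the member facing $mynet, and uses a placeholder value for $mynet.

```pf
# Added example (not from the thread). Interface roles are assumptions:
#   xl1 = member interface toward the outside, xl2 = member interface toward $mynet.
# Move filtering from bridge0 to the members so every packet has a direction
# ("in" on the member it arrived on, "out" on the member it leaves by) and
# keep-state entries are created from the side that initiated the flow.
# Pair this with: sysctl net.link.bridge.pfil_member=1 net.link.bridge.pfil_bridge=0
ext_if = "xl1"
int_if = "xl2"
mynet  = "192.0.2.0/24"          # placeholder, substitute the real prefix

set skip on lo0
scrub in all

# Weak form (as in the original post): no direction on bridge0, so a reply
# packet is indistinguishable from a new connection on the reverse path.
#   block in log on bridge0 from any to $mynet
#   pass out on bridge0 proto {tcp,udp} from $mynet to any keep state

# Hardened form: deny anything arriving from the outside toward $mynet,
# log it, and send RSTs for TCP so outside clients fail fast.
block in log on $ext_if from any to $mynet
block return-rst in log on $ext_if proto tcp from any to $mynet

# Inside-originated traffic enters the host on $int_if; the state created
# here lets the reply pass when it comes back in on $ext_if.
pass in on $int_if proto { tcp, udp, icmp } from $mynet to $mynet keep state
pass in on $int_if proto { tcp, udp } from $mynet to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -s state` while an inside host opens a connection: the state should appear once, keyed on the inside member, instead of being created from whichever side happened to be seen first on bridge0.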