From owner-freebsd-pf@FreeBSD.ORG Tue Dec 6 17:54:39 2005
From: David Pierron <david@wombatsweb.com>
To: freebsd-pf@freebsd.org
Date: Tue, 06 Dec 2005 12:54:35 -0500
Subject: Re: FBSD6 if_bridge
Message-ID: <4395D05B.2070709@wombatsweb.com>
In-Reply-To: <439256D9.9070201@freebsd.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Bruce A. Mah on 12/03/2005 9:39 PM wrote:

>> I stuffed those CAT5 puppies into the NICs for about 5 minutes maybe ...
>> Got 4100 lines of blocks from the two interfaces ... (They were all
>> "block in" btw) ... Here I thought there wasn't that much traffic at
>> this time of the AM ... Now will compose a ruleset before I start using
>> it again ...
>
> pflog(4) is quite useful. I used it a lot while trying to figure out my
> own firewall rules. I came from a m0n0wall setup where I didn't really
> write or understand the firewall rules, and before that I was doing
> ipfw. So this was helpful to figure out how PF rules worked (or
> sometimes didn't).
>
>> Thanks ever so much! I popped your name in the HOW-TO I am creating @
>> http://test.davidpierron.com/fbsd-pf.php
>
> Aw shucks... I'm just glad to have been of some help to someone else.
> (Neat writeup BTW... I want to look into pftop in my Copious Spare Time
> (TM).)

A couple of questions re: if_bridge ...

Regardless of the order:

    block out log on $ext_if all
    block in log on $ext_if all

I see blocks only coming "in" ...

    042341 rule 4/0(match): block in on fxp0: xxx.xxx.xxx.xxx.32912 > my.c.class.xxx.53: 59540 A? www.foo.org. (37)

It seems to me that the only direction available on the interfaces of the bridge is "in" ... Is this true?

If this is the case, does this mean that ALTQ is unavailable using if_bridge, since I've read that ALTQ can only be used on the "out" of an interface?
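Added example (not part of the mail thread above, and not code from the FreeBSD project): both posters are reading thousands of tcpdump-decoded pflog(4) lines by eye to decide which rules to write and whether any "block out" ever fires on a bridge member. The script below parses lines in the format quoted in the mail (`<time> rule N/M(match): block in on fxp0: src.port > dst.port: ...`), counts blocks per interface and direction, reports which directions were actually seen on a given member, and lists the most frequently blocked destination host/port pairs as candidates for pass rules. The sample lines, interface names, rule numbers and addresses are constructed for the example; only the line layout is taken from the mail.

```python
import re
from collections import Counter

# Constructed sample, modelled on the pflog line quoted in the mail above.
# Addresses are documentation ranges; rule numbers and ports are made up.
SAMPLE_PFLOG = """\
042341 rule 4/0(match): block in on fxp0: 192.0.2.10.32912 > 198.51.100.5.53: 59540 A? www.foo.org. (37)
042342 rule 4/0(match): block in on fxp0: 192.0.2.11.1025 > 198.51.100.5.53: 12 A? mail.example. (30)
042343 rule 4/0(match): block in on fxp1: 198.51.100.5.53 > 192.0.2.10.32912: 59540 1/0/0 A 203.0.113.7 (53)
042344 rule 3/0(match): block out on fxp1: 198.51.100.5.22 > 192.0.2.12.40000: . ack 1 win 65535
042345 rule 4/0(match): block in on fxp0: 192.0.2.13.4444 > 198.51.100.5.80: S 1:1(0) win 5840
"""

# One decoded pflog line: timestamp, rule number/subrule, reason, action,
# direction, interface, then tcpdump's "host.port > host.port:" pair.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+):"
)


def parse_pflog(text):
    """Return one dict per parsable line; unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tcpdump continuation lines or other noise
        rec = m.groupdict()
        # tcpdump prints IPv4 endpoints as host.port; the last component is the port.
        rec["src_host"], rec["src_port"] = rec["src"].rsplit(".", 1)
        rec["dst_host"], rec["dst_port"] = rec["dst"].rsplit(".", 1)
        records.append(rec)
    return records


def blocks_by_interface_direction(records):
    """Counter keyed by (interface, direction) over blocked packets only."""
    return Counter(
        (r["ifname"], r["dir"]) for r in records if r["action"] == "block"
    )


def directions_seen(records, ifname):
    """Set of directions ('in'/'out') that produced any log line on ifname."""
    return {r["dir"] for r in records if r["ifname"] == ifname}


def top_blocked_services(records, n=3):
    """Most frequently blocked inbound (dst_host, dst_port) pairs: pass-rule candidates."""
    c = Counter(
        (r["dst_host"], r["dst_port"])
        for r in records
        if r["action"] == "block" and r["dir"] == "in"
    )
    return c.most_common(n)


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for (ifname, direction), count in sorted(blocks_by_interface_direction(recs).items()):
        print(f"{ifname} {direction}: {count}")
    for ifname in sorted({r["ifname"] for r in recs}):
        print(f"{ifname} saw directions: {sorted(directions_seen(recs, ifname))}")
    for (host, port), count in top_blocked_services(recs):
        print(f"blocked in to {host} port {port}: {count}")
```

Feed it real data with `tcpdump -n -e -ttt -r /var/log/pflog | python3 thisfile.py` after changing the `__main__` block to read `sys.stdin`; the `-n` matters, since the regex assumes numeric host.port endpoints rather than resolved names. An empty `out` count for a member interface over a long capture is the evidence to bring to the list, whereas a handful of `out` lines settles the question in the mail.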