Date: Wed, 16 Oct 2024 16:17:22 +0000
From: "Patrick M. Hausen" <hausen@punkt.de>
To: Palle Girgensohn <girgen@FreeBSD.org>
Cc: "freebsd-net@freebsd.org" <freebsd-net@FreeBSD.org>
Subject: Re: pf for netgraph jails?
Message-ID: <16E8EF1D-9CB0-4158-B0A4-FB4F91A03D2C@punkt.de>
In-Reply-To: <7D5BD9CC-8A08-4C74-B2E6-E0437235F3B1@FreeBSD.org>
References: <7D5BD9CC-8A08-4C74-B2E6-E0437235F3B1@FreeBSD.org>
Hi!

> On 16.10.2024 at 16:19, Palle Girgensohn <girgen@FreeBSD.org> wrote:
> [...]
> but nothing happens, everything is passed directly into the jail:
>
> nc -l 4444 (inside the jail)
>
> and I can just telnet 1.2.3.4 4444

Try:

sysctl net.link.bridge.pfil_member=0
sysctl net.link.bridge.pfil_bridge=1

Although I do not know if this applies to netgraph or to if_bridge(4) only. But obviously your rules are not applied to the bridge interface. The default of the tunables above is the other way round - don't filter on bridge interfaces.

HTH,
Patrick

--
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Sophienstr. 187
76185 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
info@punkt.de
AG Mannheim 108285
Managing Directors: Daniel Lienert, Fabian Steinhelp
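An added example, not part of Patrick's reply or any FreeBSD code: a small POSIX sh audit that checks whether a host is set to filter on the bridge interface rather than on its members, i.e. the pfil_bridge=1 / pfil_member=0 combination suggested above. It parses `sysctl`-style "name: value" lines from stdin so it can be tested against constructed sample output; the function names and the sample lines are assumptions, and the live check only works on a FreeBSD host where the net.link.bridge tunables exist.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread). Audits the two if_bridge(4)
# pf filtering tunables discussed above.

# bridge_pfil_audit: read "name: value" lines (as printed by FreeBSD sysctl)
# on stdin and return 0 when filtering is done on the bridge interface
# (pfil_bridge=1) and not on the member interfaces (pfil_member=0);
# return 1 for any other combination, including missing values.
bridge_pfil_audit() {
    member=""
    bridge=""
    while IFS= read -r line; do
        case "$line" in
            net.link.bridge.pfil_member:*) member=${line##*: } ;;
            net.link.bridge.pfil_bridge:*) bridge=${line##*: } ;;
        esac
    done
    [ "$bridge" = "1" ] && [ "$member" = "0" ]
}

# bridge_pfil_live: run the audit against the running kernel. Only meaningful
# on FreeBSD with if_bridge loaded; elsewhere sysctl reports unknown OIDs and
# the audit fails closed (returns 1).
bridge_pfil_live() {
    sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge 2>/dev/null \
        | bridge_pfil_audit
}

# bridge_pfil_persist_lines: print the /etc/sysctl.conf lines that make the
# suggested setting survive a reboot (hypothetical helper; the values are the
# ones from the reply above).
bridge_pfil_persist_lines() {
    printf 'net.link.bridge.pfil_member=0\nnet.link.bridge.pfil_bridge=1\n'
}
```

Usage on a FreeBSD host: `bridge_pfil_live && echo "filtering on bridge" || echo "rules on the bridge interface will not be consulted"`, then append the output of `bridge_pfil_persist_lines` to /etc/sysctl.conf if the setting is the one you want. Note that the audit fails closed: if either OID is absent (for example because if_bridge is not loaded, or because the jails are attached via netgraph rather than if_bridge, which the reply itself leaves open) it reports "not filtering on bridge" rather than guessing.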
