Date: Wed, 23 Jun 2010 09:39:08 +0200
From: Gerrit Kühn <gerrit@pmp.uni-hannover.de>
To: freebsd-net@freebsd.org
Subject: firewalling broadcast and multicast packets
Message-ID: <20100623093908.e73f5327.gerrit@pmp.uni-hannover.de>
Hi all,

I just tried to block multicast and broadcast packets on a transparent
bridge with pf by filtering on one of the physical interfaces like this:

    table <no_route> persist {10.117.255.255/32}
    netbios = "netbios-ns, netbios-dgm, netbios-ssn, mdns, ipp"

    block quick on $ext_if proto ipv6
    block quick on $ext_if proto udp from any port { $netbios }
    block quick on $ext_if proto udp to any port { $netbios }
    block quick on $ext_if inet from any to <no_route>

However, the packets are still passing the bridge, as can be seen with
tcpdump on the internal interface:

    09:36:39.167995 IP newprintserver.fqdn-omitted.ipp > 10.117.255.255.ipp: UDP, length 94

Kernel settings are like this:

    net.link.bridge.ipfw: 0
    net.link.bridge.inherit_mac: 0
    net.link.bridge.log_stp: 0
    net.link.bridge.pfil_local_phys: 1
    net.link.bridge.pfil_member: 1
    net.link.bridge.pfil_bridge: 1
    net.link.bridge.ipfw_arp: 0
    net.link.bridge.pfil_onlyip: 1

I am using a recent 8.1-prerelease.

Before I start putting more time into solving this problem, I just wanted
to ask here whether this is supposed to work at all, or whether I am doing
something terribly wrong from the very beginning.

cu
  Gerrit
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100623093908.e73f5327.gerrit>
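An added example, not part of Gerrit's post and not a FreeBSD project file: a self-contained pf.conf fragment for the same kind of transparent bridge. The table, the $netbios macro and the sysctl names are taken from the post; the member interface names em0/em1 and the bridge0 device are assumptions. It differs from the posted rules in two places a practitioner would want to check. First, in pf `proto ipv6` matches IP protocol number 41 (IPv6 encapsulated in IPv4), not native IPv6 frames; the address family keyword `inet6` is what blocks all IPv6. Second, the rules are attached to both bridge members, so a frame is dropped on whichever member it enters rather than only when it traverses the external one.

```pf
# /etc/pf.conf fragment for a filtering bridge (added example, not from the post).
# Requires the kernel settings shown in the post, in particular
#   net.link.bridge.pfil_member=1   (filter on member interfaces)
#   net.link.bridge.pfil_onlyip=1   (non-IP frames such as ARP bypass pf)

ext_if = "em0"   # external bridge member (assumed name)
int_if = "em1"   # internal bridge member (assumed name)

# Directed broadcast address of the bridged subnet (from the post).
table <no_route> persist { 10.117.255.255/32 }

# Service names resolve through /etc/services.
netbios = "netbios-ns, netbios-dgm, netbios-ssn, mdns, ipp"

# Drop native IPv6 on both members.  Note that 'proto ipv6' would only match
# IP protocol 41 (6in4 encapsulation); 'inet6' selects the IPv6 address family.
block quick on { $ext_if $int_if } inet6

# Drop NetBIOS/mDNS/IPP chatter in both directions on both members.
block quick on { $ext_if $int_if } proto udp from any port { $netbios }
block quick on { $ext_if $int_if } proto udp to any port { $netbios }

# Drop directed broadcasts to the subnet broadcast address.
block quick on { $ext_if $int_if } inet from any to <no_route>

# Everything else is bridged.
pass on { $ext_if $int_if }
```

To confirm that pf is actually evaluating these rules on the bridge members, load the file with `pfctl -f /etc/pf.conf` and watch the per-rule counters with `pfctl -vsr` while the broadcast traffic is flowing; if the packet counter on the block rule stays at zero, the frames are not reaching pf on that interface, and the bridge pfil sysctls (or the interface the rules are attached to) are the place to look before touching the rules themselves.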