From: Gerrit Kühn <gerrit@pmp.uni-hannover.de>
To: freebsd-net@freebsd.org
Date: Wed, 23 Jun 2010 09:39:08 +0200
Subject: firewalling broadcast and multicast packets
Message-Id: <20100623093908.e73f5327.gerrit@pmp.uni-hannover.de>
Organization: Albert-Einstein-Institut (MPI für Gravitationsphysik & IGP Universität Hannover)
X-Mailer: Sylpheed 2.7.1 (GTK+ 2.18.4; i386-portbld-freebsd7.0)
List-Id: Networking and TCP/IP with FreeBSD

Hi all,

I just tried to block multicast and broadcast packets on a transparent
bridge with pf by filtering on one of the physical interfaces like this:

table persist {10.117.255.255/32}
netbios = "netbios-ns, netbios-dgm, netbios-ssn, mdns, ipp"
block quick on $ext_if proto ipv6
block quick on $ext_if proto udp from any port { $netbios }
block quick on $ext_if proto udp to any port { $netbios }
block quick on $ext_if inet from any to

However, the packets are still passing the bridge, as can be seen with
tcpdump on the internal interface:

09:36:39.167995 IP newprintserver.fqdn-omitted.ipp > 10.117.255.255.ipp: UDP, length 94

Kernel settings are like this:

net.link.bridge.ipfw: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1

I am using a recent 8.1-prerelease. Before I start putting more time into
solving this problem, I just wanted to ask here if this is supposed to work
at all, or if I am doing something terribly wrong from the beginning on.


cu
  Gerrit
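The verification step Gerrit describes (running tcpdump on the internal interface and looking for traffic the rules should have dropped) can be automated so that a bridge ruleset can be re-checked after every change. The script below is an added example and is not code from the mail or from FreeBSD; it parses tcpdump's IPv4 UDP summary lines and flags packets that the posted ruleset is meant to block: anything to the 10.117.255.255 broadcast address and anything to or from the NetBIOS, mDNS or IPP service ports. It also flags multicast destinations generally, which the posted rules only catch indirectly via the mdns port. The sample capture is constructed (only the first line mirrors the one in the mail), and the local network 10.117.0.0/16 is an assumption derived from the broadcast address in the table.

```python
import ipaddress
import re

# Constructed tcpdump output; the first line is the one quoted in the mail,
# the rest are made-up lines in the same format (tcpdump without -n prints
# resolved names and service names, so the last dotted component is the port).
SAMPLE_CAPTURE = """\
09:36:39.167995 IP newprintserver.fqdn-omitted.ipp > 10.117.255.255.ipp: UDP, length 94
09:36:40.002113 IP 10.117.3.10.netbios-ns > 10.117.255.255.netbios-ns: UDP, length 50
09:36:40.511870 IP 10.117.3.11.5353 > 224.0.0.251.mdns: UDP, length 120
09:36:41.100001 IP 10.117.3.12.49152 > 10.117.3.20.domain: UDP, length 40
"""

# Services named in the $netbios macro of the posted ruleset.
NETBIOS_SERVICES = {"netbios-ns", "netbios-dgm", "netbios-ssn", "mdns", "ipp"}
# Assumption: the bridged segment is 10.117.0.0/16, whose directed broadcast
# is the 10.117.255.255 entry in the table.
LOCAL_NET = ipaddress.ip_network("10.117.0.0/16")

# Matches "<ts> IP <src> > <dst>: UDP, length <n>"; IP6 lines are deliberately
# not matched here because the ruleset blocks all IPv6 and tcpdump decodes
# many v6 protocols into a different layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<proto>\w+), length (?P<len>\d+)$"
)


def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' into (host, port); only the last dot separates the port."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def classify_destination(host):
    """Return 'broadcast', 'multicast', 'unicast' or 'name' for a destination host string."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "name"  # resolved hostname; run tcpdump with -n to classify it
    if addr == LOCAL_NET.broadcast_address or addr == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"


def leaked_packets(capture):
    """Return (timestamp, kind, dst_host, dst_port, length) for every capture line
    that the ruleset should have blocked but which still crossed the bridge."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        kind = classify_destination(dst_host)
        # Mirrors the rules: broadcast table entry, or $netbios port on either side;
        # multicast destinations are flagged as well.
        if kind in ("broadcast", "multicast") or {src_port, dst_port} & NETBIOS_SERVICES:
            leaks.append((m["ts"], kind, dst_host, dst_port, int(m["len"])))
    return leaks


if __name__ == "__main__":
    # Feed a real capture with: tcpdump -l -i <internal_if> udp | python3 this_script.py
    for leak in leaked_packets(SAMPLE_CAPTURE):
        print("leaked through bridge:", leak)
```

Running it against the constructed capture reports the first three lines (two broadcast packets on the ipp and netbios-ns ports and one multicast mDNS packet) and ignores the unicast DNS query, which is exactly the distinction a quick look at raw tcpdump output makes easy to miss when the bridge is busy.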