Date:      Thu, 31 Oct 2024 16:32:37 +0100
From:      Palle Girgensohn <girgen@FreeBSD.org>
To:        "Patrick M. Hausen" <hausen@punkt.de>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@FreeBSD.org>
Subject:   Re: pf for netgraph jails?
Message-ID:  <B3F69BC8-9750-484A-985C-583AB9FC4357@FreeBSD.org>
In-Reply-To: <16E8EF1D-9CB0-4158-B0A4-FB4F91A03D2C@punkt.de>
References:  <7D5BD9CC-8A08-4C74-B2E6-E0437235F3B1@FreeBSD.org> <16E8EF1D-9CB0-4158-B0A4-FB4F91A03D2C@punkt.de>



> On 16 Oct 2024 at 18:17, Patrick M. Hausen <hausen@punkt.de> wrote:
> 
> Hi!
> 
>> On 16.10.2024 at 16:19, Palle Girgensohn <girgen@FreeBSD.org> wrote:
>> [...]
>> but nothing happens, everything is passed directly into the jail:
>> 
>> nc -l 4444   (inside the jail)
>> 
>> and I can just telnet 1.2.3.4 4444
> 
> Try:
> 
> sysctl net.link.bridge.pfil_member=0
> sysctl net.link.bridge.pfil_bridge=1
> 
> Although I do not know if this applies to netgraph or to if_bridge(4) only.
> 
> But obviously your rules are not applied to the bridge interface. The default
> of the tunables above is the other way round - don't filter on bridge interfaces.
> 
> HTH,
> Patrick

Hallo Patrick,

Thanks for the reply. It seems that these MIBs are related to if_bridge, not ng_bridge? I didn't have them at first, but after kldload if_bridge they appeared. They make no difference, though, so perhaps they do not relate to netgraph bridges?

Any idea what tunables would do the job?

Thanks,

Palle



