Date:      Thu, 31 Oct 2024 16:32:37 +0100
From:      Palle Girgensohn <girgen@FreeBSD.org>
To:        "Patrick M. Hausen" <hausen@punkt.de>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@FreeBSD.org>
Subject:   Re: pf for netgraph jails?
Message-ID:  <B3F69BC8-9750-484A-985C-583AB9FC4357@FreeBSD.org>
In-Reply-To: <16E8EF1D-9CB0-4158-B0A4-FB4F91A03D2C@punkt.de>
References:  <7D5BD9CC-8A08-4C74-B2E6-E0437235F3B1@FreeBSD.org> <16E8EF1D-9CB0-4158-B0A4-FB4F91A03D2C@punkt.de>




> On 16 Oct 2024, at 18:17, Patrick M. Hausen <hausen@punkt.de> wrote:
> 
> Hi!
> 
>> On 16.10.2024 at 16:19, Palle Girgensohn <girgen@FreeBSD.org> wrote:
>> [...]
>> but nothing happens, everything is passed directly into the jail:
>> 
>> nc -l 4444   (inside the jail)
>> 
>> and I can just telnet 1.2.3.4 4444
> 
> Try:
> 
> sysctl net.link.bridge.pfil_member=0
> sysctl net.link.bridge.pfil_bridge=1
> 
> Although I do not know if this applies to netgraph or to if_bridge(4) only.
> 
> But obviously your rules are not applied to the bridge interface. The default
> of the tunables above is the other way round - don't filter on bridge interfaces.
> 
> HTH,
> Patrick

Hallo Patrick,

Thanks for the reply. It seems that these MIBs are related to if_bridge, not ng_bridge? I didn't have them at first, but after kldload if_bridge they appeared. They make no difference, though, so perhaps they do not relate to netgraph bridges?

Any idea what tunables would do the job?

Thanks,

Palle




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B3F69BC8-9750-484A-985C-583AB9FC4357>
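The exchange above turns on one practical check: the net.link.bridge.pfil_member / pfil_bridge knobs are declared by if_bridge(4), only appear once if_bridge.ko is loaded, and say nothing about an ng_bridge(4) node. The script below is an added example (not code from either poster) that tells the two cases apart from the text of `kldstat` and `ngctl list`, and only emits Patrick's sysctl lines when they can actually take effect. The sample outputs are constructed, not captured from a real host; the function names are hypothetical; detection via `kldstat` misses an if_bridge compiled statically into the kernel, so on a live box `sysctl -n net.link.bridge.pfil_bridge` is the definitive test for whether the MIB exists.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Classifies which bridge
# implementation a FreeBSD host is using from the *text* of `kldstat` and
# `ngctl list`, so the inputs can be fed in as strings and the logic can be
# exercised offline.

# --- Constructed sample outputs (not captured from a real system) ----------
# A netgraph jail setup: netgraph + ng_bridge + ng_eiface loaded, one bridge node.
KLDSTAT_NG='Id Refs Address                Size Name
 1   30 0xffffffff80200000  1f1a2f8 kernel
 2    1 0xffffffff82210000    12b40 netgraph.ko
 3    1 0xffffffff82230000     6a30 ng_bridge.ko
 4    1 0xffffffff82240000     4f88 ng_eiface.ko'
NGCTL_NG='There are 3 total nodes:
  Name: ngctl12345      Type: socket          ID: 00000003   Num hooks: 0
  Name: bridge0         Type: bridge          ID: 00000001   Num hooks: 2
  Name: jail0           Type: eiface          ID: 00000002   Num hooks: 1'

# A classic if_bridge(4) host: if_bridge.ko loaded, no netgraph bridge node.
KLDSTAT_IF='Id Refs Address                Size Name
 1   30 0xffffffff80200000  1f1a2f8 kernel
 2    1 0xffffffff82210000     9c10 if_bridge.ko'
NGCTL_IF='There are 1 total nodes:
  Name: ngctl12345      Type: socket          ID: 00000003   Num hooks: 0'

# bridge_kind KLDSTAT_TEXT NGCTL_TEXT
#   prints one of: if_bridge | ng_bridge | both | none
# if_bridge.ko in kldstat means the net.link.bridge.* MIB exists at all;
# a node of Type "bridge" in `ngctl list` is a live ng_bridge(4) instance.
bridge_kind() {
    if_loaded=0; ng_node=0
    printf '%s\n' "$1" | grep -q '[[:space:]]if_bridge\.ko$' && if_loaded=1
    printf '%s\n' "$2" | grep -q 'Type: bridge[[:space:]]' && ng_node=1
    case "$if_loaded$ng_node" in
        11) echo both ;;
        10) echo if_bridge ;;
        01) echo ng_bridge ;;
        *)  echo none ;;
    esac
}

# pfil_advice KIND
#   Emits the two sysctl lines suggested in the thread only when if_bridge(4)
#   is present (i.e. when the MIB is defined); otherwise explains why the knobs
#   cannot be the answer for that host.
pfil_advice() {
    case "$1" in
        if_bridge|both)
            printf 'sysctl net.link.bridge.pfil_member=0\n'
            printf 'sysctl net.link.bridge.pfil_bridge=1\n' ;;
        ng_bridge)
            printf 'net.link.bridge.* is an if_bridge(4) MIB: absent until if_bridge.ko is loaded, and not consulted by ng_bridge(4) nodes\n' ;;
        *)
            printf 'no bridge detected\n' ;;
    esac
}

# Stand-alone demonstration on the constructed netgraph-jail host.
kind=$(bridge_kind "$KLDSTAT_NG" "$NGCTL_NG")
printf 'detected: %s\n' "$kind"
pfil_advice "$kind"
```

On a real host, replace the constructed strings with `"$(kldstat)"` and `"$(ngctl list)"`; the point of the classification is to stop tuning a MIB that the bridge implementation in use never reads.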