Date: Sat, 4 Dec 2004 18:43:17 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Max Laier <max@love2party.net>
Cc: freebsd-net@freebsd.org
Subject: ipfw and bridging [was: pf and bridging]
Message-ID: <Pine.BSF.3.96.1041204183127.2388B-100000@gaia.nimnet.asn.au>
In-Reply-To: <200412031548.02444.max@love2party.net>

On Fri, 3 Dec 2004, Max Laier wrote:

> On Thursday 02 December 2004 19:45, Petr Holub wrote:
> > Hi all,
> >
> > I wonder if it is possible to use the new pf firewall together with
> > bridging as it is possible to use it with ipf and ipfw.
>
> Unfortunately the PFIL_HOOKS in bridge.c don't work too well for pf (or ipf
> for the same reason) thus you cannot use stateful filtering. There is an
> ongoing discussion on freebsd-pf@ that talks about the details:
> http://lists.freebsd.org/pipermail/freebsd-pf/2004-December/000621.html
> http://lists.freebsd.org/pipermail/freebsd-pf/2004-December/000625.html
> http://lists.freebsd.org/pipermail/freebsd-pf/2004-December/000631.html

Read those ones for interest, but it leaves me wondering: can you use
stateful filtering in ipfw, then? (here ipfw1 on a 4.8-RELEASE box with
BRIDGE in kernel so far, but I imagine this would apply also to ipfw2?)

I'm aware that one can only filter incoming packets, so I've always
wondered whether stateful rules made any sense in a bridge context?
(showing off my complete ignorance of the ipfw stateful code)

Cheers, Ian