Date: Thu, 31 Oct 2024 22:19:09 +0300 From: Aleksandr Fedorov <wigneddoom@yandex.ru> To: Palle Girgensohn <girgen@freebsd.org>, Patrick M. Hausen <hausen@punkt.de> Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, Kristof Provost <kp@freebsd.org> Subject: Re: pf for netgraph jails? Message-ID: <1313531730402208@mail.yandex.ru> In-Reply-To: <B3F69BC8-9750-484A-985C-583AB9FC4357@FreeBSD.org> References: <7D5BD9CC-8A08-4C74-B2E6-E0437235F3B1@FreeBSD.org> <16E8EF1D-9CB0-4158-B0A4-FB4F91A03D2C@punkt.de> <B3F69BC8-9750-484A-985C-583AB9FC4357@FreeBSD.org>
+ kp@

A very interesting question.

I think that's because ng_ether(4) intercepts L2 traffic before it hits the firewall.

pf(4) can intercept L2 traffic, but I'm not sure that it can then filter it by L3/L4.

https://reviews.freebsd.org/D31737

Maybe kp@ will clarify this issue?

31.10.2024, 18:32, "Palle Girgensohn" <girgen@freebsd.org>:

> On 16 Oct 2024 at 18:17, Patrick M. Hausen <hausen@punkt.de> wrote:
>
>> Hi!
>>
>> On 16.10.2024 at 16:19, Palle Girgensohn <girgen@FreeBSD.org> wrote:
>>> [...]
>>> but nothing happens, everything is passed directly into the jail:
>>>
>>> nc -l 4444 (inside the jail)
>>>
>>> and I can just telnet 1.2.3.4 4444
>>
>> Try:
>>
>> sysctl net.link.bridge.pfil_member=0
>> sysctl net.link.bridge.pfil_bridge=1
>>
>> Although I do not know if this applies to netgraph or to if_bridge(4) only.
>>
>> But obviously your rules are not applied to the bridge interface. The default
>> of the tunables above is the other way round - don't filter on bridge interfaces.
>>
>> HTH,
>> Patrick
>
> Hello Patrick,
>
> Thanks for the reply. It seems that these MIBs are related to if_bridge, not ng_bridge? I didn't have them at first, but after kldload if_bridge they appeared. They make no difference, though, so perhaps they do not relate to netgraph bridges?
>
> Any idea what tunables would do the job?
>
> Thanks,
>
> Palle
