From: David Pierron
Date: Tue, 06 Dec 2005 15:11:31 -0500
To: freebsd-pf@freebsd.org
Subject: Re: FBSD6 if_bridge
Message-ID: <4395F073.7080804@wombatsweb.com>
In-Reply-To: <4395D05B.2070709@wombatsweb.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"
David Pierron on 12/06/2005 12:54 PM wrote:

> Couple questions re: if_bridge ...
>
> Regardless of the order:
>
> block out log on $ext_if all
> block in log on $ext_if all
>
> I see blocks only coming "in" ...
>
> 042341 rule 4/0(match): block in on fxp0: xxx.xxx.xxx.xxx.32912 > my.c.class.xxx.53: 59540 A? www.foo.org. (37)
>
> It seems to me that the only direction available on the interfaces of
> the bridge is "in" ... Is this true?
>
> If this is the case, does this mean that ALTQ is unavailable using
> if_bridge since I've read that ALTQ can only be used on the "out" of
> an interface?

I answered my own question with a test as suggested by someone on IRC ... I allowed all incoming traffic "in" on $ext_if and blocked all "out" traffic on $int_if ... This showed the "out" rule applied from the $int_if, so this answers my question; it does work as expected ...

It seems now that if I add a "pass in" rule for $ext_if, I will also need a "pass out" rule for $int_if ... I can't decide if this is a good or bad thing ...
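As an added example (not from the thread), a pf.conf fragment written to the behaviour David observed: every bridged packet is filtered once "in" on the member it arrives on and once "out" on the member it leaves by, so each pass needs a counterpart on the other member, and ALTQ attaches to the internal member's "out" side. The interface names, the LAN address block and the queue bandwidths are assumptions.

```pf
# Added example: pf.conf for a FreeBSD 6 if_bridge with two member interfaces.
# Interface names and the address block are assumptions for illustration.
ext_if  = "fxp0"          # bridge member facing the upstream router
int_if  = "fxp1"          # bridge member facing the protected LAN
lan_net = "192.0.2.0/24"  # placeholder for the bridged C-class network

# ALTQ hangs off the "out" side. For traffic heading into the LAN that is
# the internal member, which is the direction the test showed "out" on.
altq on $int_if cbq bandwidth 10Mb queue { q_dns, q_default }
queue q_dns     bandwidth 10% priority 7 cbq
queue q_default bandwidth 90% cbq(default)

# Default deny at both filtering points. A bridged packet must clear the
# "in" rule on the ingress member AND the "out" rule on the egress member.
block in  log on { $ext_if, $int_if } all
block out log on { $ext_if, $int_if } all

# Outside DNS queries to a resolver on the LAN (the case in the logged
# "block in on fxp0" line): pass "in" on $ext_if and "out" on $int_if.
# Rules are deliberately stateless so both filtering points stay visible.
pass in  on $ext_if proto udp from any to $lan_net port 53
pass out on $int_if proto udp from any to $lan_net port 53 queue q_dns

# The replies travel the other way: "in" on $int_if, then "out" on $ext_if.
pass in  on $int_if proto udp from $lan_net port 53 to any
pass out on $ext_if proto udp from $lan_net port 53 to any
```

With this loaded, `pfctl -vvsr` shows two rules gaining counters for each bridged flow, one per member interface, which is the quickest way to confirm that a "pass in" without its "pass out" partner is what is causing an unexpected block.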