From owner-freebsd-pf@FreeBSD.ORG  Mon Nov 28 20:21:03 2005
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 24C4B16A41F
	for <freebsd-pf@freebsd.org>; Mon, 28 Nov 2005 20:21:03 +0000 (GMT)
	(envelope-from michiel@nl-hrln-ptgrf.net)
Received: from mail.nl-hrln-ptgrf.net (83-138.surfsnel.dsl.internl.net
	[145.99.138.83])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4B67B43D53
	for <freebsd-pf@freebsd.org>; Mon, 28 Nov 2005 20:21:01 +0000 (GMT)
	(envelope-from michiel@nl-hrln-ptgrf.net)
Received: from ws01michiel (85-138.surfsnel.dsl.internl.net [145.99.138.85])
	by mail.nl-hrln-ptgrf.net (Postfix) with ESMTP id 337CA193636
	for <freebsd-pf@freebsd.org>; Mon, 28 Nov 2005 19:07:21 +0000 (UTC)
From: "Michiel Kranenburg" <michiel@nl-hrln-ptgrf.net>
To: <freebsd-pf@freebsd.org>
Date: Mon, 28 Nov 2005 21:22:15 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcX0WWxtZ4gahsCyR5KfA201zE4xrA==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Message-Id: <20051128190721.337CA193636@mail.nl-hrln-ptgrf.net>
Subject: OpenBSD's PF with a bridge on FreeBSD 6.x
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2005 20:21:03 -0000

Hi all,

I=92m currently running FreeBSD 6.0-RELEASE.=20

I have 2 ethernet-cards running in promisc mode that should bridge my =
ISP
modem with my switch.

xl0: flags=3D8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu =
1500
=A0=A0=A0=A0=A0=A0=A0 options=3D9<RXCSUM,VLAN_MTU>
=A0=A0=A0=A0=A0=A0=A0 inet6 fe80::201:2ff:fe09:84f3%xl0 prefixlen 64 =
scopeid 0x1
=A0=A0=A0=A0=A0=A0=A0 inet 145.99.138.82 netmask 0xfffffff0 broadcast =
145.99.138.95
=A0=A0=A0=A0=A0=A0=A0 inet 145.99.138.83 netmask 0xfffffff0 broadcast =
145.99.138.95
=A0=A0=A0=A0=A0=A0=A0 ether 00:01:02:09:84:f3
=A0=A0=A0=A0=A0=A0=A0 media: Ethernet autoselect (100baseTX =
<full-duplex>)
=A0=A0=A0=A0=A0=A0=A0 status: active
xl2: flags=3D8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu =
1500
=A0=A0=A0=A0=A0=A0=A0 options=3D9<RXCSUM,VLAN_MTU>
=A0=A0=A0=A0=A0=A0=A0 inet6 fe80::250:4ff:fe55:2852%xl2 prefixlen 64 =
scopeid 0x3
=A0=A0=A0=A0=A0=A0=A0 ether 00:50:04:55:28:52
=A0=A0=A0=A0=A0=A0=A0 media: Ethernet autoselect (100baseTX =
<full-duplex>)
=A0=A0=A0=A0=A0=A0=A0 status: active


Currently this is my situation:

( Internet (/28) )=A0 <->=A0 ( xl0 ) <bridge> ( xl2 ) =A0<-> =A0( =
switchs ) =A0<-> =A0(
clients )

The problem is that I want PF (OpenBSD=92s Packet Filter) to firewall my
server and the bridge (for the clients).
The packet filter works great for the server, it handles packets that =
are
defined in the ruleset perfectly.

The real problem relies on filtering the bridge, PF passes all traffic =
too
the bridge _even_ when some kind of traffic is blocked on xl0. (So it
shouldn=92t be on the network anyway)

Can someone help me to get filtering on de bridge to work?

Please CC me as I'm not subscribed to this list!


With kind regards,
Michiel Kranenburg