Date: Thu, 04 Apr 2013 22:46:56 +0200
From: Carsten Sonne Larsen <cs@innolan.dk>
To: freebsd-pf@freebsd.org
Subject: Re: Filtering bridge with pf.
Message-ID: <515DE6C0.2020701@innolan.dk>
In-Reply-To: <89362.1365097697.16075958140210511872@ffe10.ukr.net>
References: <515D8F9D.3080001@innolan.dk> <89362.1365097697.16075958140210511872@ffe10.ukr.net>
Thanks for the replies.

I also run a 3 NIC setup. I do the filtering on interfaces to control
directions, e.g. what goes in and what goes out.

The sysctls are:

  net.link.bridge.pfil_bridge=1
  net.link.bridge.pfil_member=1

I'm not sure why I didn't add the two other lines. I think I followed
chapter 38 of the FreeBSD Handbook. I did omit ALTQ_NOPCC while
compiling the kernel though.

Rules are maybe not so well formed. Examples are:

  ...
  block log on $ext_if all
  block log on $int_if all
  block log on $mgt_if all
  pass in quick on $int_if inet proto tcp from $ext_ip2 to any keep state
  pass out quick on $ext_if inet proto tcp from $ext_ip2 to any keep state
  pass in quick on $int_if inet proto udp from $ext_ip2 to any keep state
  pass out quick on $ext_if inet proto udp from $ext_ip2 to any keep state
  ...

antispoof is only specified for the management interface.

I run some other instances of pf, but not in bridge mode. All are
deployed with 8.3 and they work perfectly fine. tcpdump on those shows
up like:

  rule 25/0(match): block out on em1 ...

-cs

On 04/04/2013 19:48, wishmaster wrote:
>
> --- Original message ---
> From: "Carsten Sonne Larsen" <cs@innolan.dk>
> Date: 4 April 2013, 17:49:07
>
>
>> Hello guy,
>>
>> I am using pf to implement a filtering bridge but I'm experiencing some
>> strange behaviour from pf. While using tcpdump I get entries like this:
>>
>> 16:25:45.998253 rule 2..16777216/0(match): block in on rl0:
>> 192.168.0.1.32768 > 239.255.255.250.1900: UDP, length 339
>>
>> I am using the keyword *quick* and would expect a certain rule match
>> instead of rule 2..16777216
>>
> Hi.
>
> What are your sysctls?
>
> Below from my production server with 3 NICs in bridge. I use filtering only on the bridge0 interface.
>
> net.link.bridge.pfil_local_phys: 0
> net.link.bridge.pfil_member: 0
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
>
> and set skip quick on [[members]] in pf.conf.
>
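The pflog lines quoted in this thread are easier to reason about once they are parsed rather than read by eye. The Python script below is an added example, not code from the thread, from FreeBSD's pf or from tcpdump; it is written against the format tcpdump's pflog printer uses (`rule N[.anchor.M]/reason(name): action direction on interface: src > dst: payload`), where the `N.anchor.M` form only appears when the log header carries an anchor sub-rule number. It parses each line into its fields, counts matches per interface and rule, and flags entries that carry a sub-rule number next to an empty anchor name, which is exactly the `rule 2..16777216` shape reported above. The two lines taken from the thread are re-joined onto one line each; the other two sample lines, the interface names `em0`/`em1` and the anchor name `spam` are constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# pflog records as tcpdump prints them:
#   rule N[.anchor.M]/reason(name): action dir on ifname: src > dst: payload
# The first two lines are the ones quoted in the thread; the other two are
# constructed for this example (a pass and a match inside a named anchor)
# so that the parser sees every form of the rule field.
SAMPLE_PFLOG = """\
16:25:45.998253 rule 2..16777216/0(match): block in on rl0: 192.168.0.1.32768 > 239.255.255.250.1900: UDP, length 339
16:25:46.102911 rule 25/0(match): block out on em1: 10.0.0.5.51234 > 10.0.0.1.53: UDP, length 41
16:25:46.230004 rule 7/0(match): pass in on em0: 10.0.0.9.40001 > 10.0.0.5.22: Flags [S], seq 1, win 65535, length 0
16:25:47.000123 rule 3.spam.4/0(match): block in on em0: 198.51.100.7.443 > 10.0.0.5.33000: Flags [R], seq 0, win 0, length 0
"""

PFLOG_RE = re.compile(
    r"^(?P<ts>.*?)\s*rule (?P<rule>\d+)"
    r"(?:\.(?P<anchor>[^.]*)\.(?P<subrule>\d+))?"  # printed only with a sub-rule number
    r"/(?P<reason>\S+?): (?P<action>\S+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+?):\s*(?P<rest>.*)$"
)


def split_hostport(token: str) -> Tuple[str, Optional[int]]:
    """Split tcpdump's 'address.port' endpoint notation into (address, port).

    IPv4 with a port has exactly five dotted fields; IPv6 is recognised by its
    colons, with the port (if any) after the last dot. Anything else, such as
    an ICMP endpoint, is returned unchanged with port None.
    """
    if ":" in token:
        host, sep, port = token.rpartition(".")
        if sep and port.isdigit():
            return host, int(port)
        return token, None
    parts = token.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_pflog_line(line: str) -> Optional[Dict]:
    """Parse one tcpdump pflog line; returns None for lines in another format."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # tcpdump labels UDP/ICMP payloads by protocol name but prints TCP as "Flags [..]".
    proto = "tcp" if rest.startswith("Flags") else rest.split(",")[0].split(" ")[0].lower()
    subrule = m.group("subrule")
    return {
        "ts": m.group("ts"),
        "rule": int(m.group("rule")),
        "anchor": m.group("anchor"),  # None when no sub-rule field was printed
        "subrule": int(subrule) if subrule is not None else None,
        "reason": m.group("reason"),
        "action": m.group("action"),
        "dir": m.group("dir"),
        "ifname": m.group("ifname"),
        "src": split_hostport(m.group("src")),
        "dst": split_hostport(m.group("dst")),
        "proto": proto,
    }


def parse_pflog(text: str) -> List[Dict]:
    """Parse a block of tcpdump output, skipping lines that are not pflog records."""
    return [r for r in (parse_pflog_line(ln) for ln in text.splitlines()) if r]


def find_anchorless_subrules(records: List[Dict]) -> List[Dict]:
    """Entries printed in the 'rule N.anchor.M' form with an empty anchor name.

    A sub-rule number normally means the match came from a rule inside a named
    anchor; a sub-rule number beside an empty name (the thread's
    'rule 2..16777216') is worth flagging instead of being read as a rule id.
    """
    return [r for r in records if r["subrule"] is not None and r["anchor"] == ""]


def summarize(records: List[Dict]) -> Counter:
    """Count matches per (action, direction, interface, rule number)."""
    return Counter((r["action"], r["dir"], r["ifname"], r["rule"]) for r in records)


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for key, n in sorted(summarize(recs).items()):
        print(f"{n:4d}  {key[0]:5s} {key[1]:3s} on {key[2]:5s} rule {key[3]}")
    for r in find_anchorless_subrules(recs):
        print("suspect rule field:", r["ts"], r["rule"], repr(r["anchor"]), r["subrule"], r["ifname"])
```

Feed it real output with `tcpdump -n -e -ttt -i pflog0` (or a saved pcap read back with `-r`) to get per-interface, per-rule counts and a list of entries whose rule field should be checked against `pfctl -vvsr` rather than taken at face value.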