Date: Fri, 05 Apr 2013 15:01:39 +0200
From: Carsten Sonne Larsen <cs@innolan.dk>
To: wishmaster <artemrts@ukr.net>
Cc: freebsd-pf@freebsd.org
Subject: Solved: Filtering bridge with pf.
Message-ID: <515ECB33.7030202@innolan.dk>
In-Reply-To: <515DE6C0.2020701@innolan.dk>
References: <515D8F9D.3080001@innolan.dk> <89362.1365097697.16075958140210511872@ffe10.ukr.net> <515DE6C0.2020701@innolan.dk>
After reading carefully through the man pages of if_bridge, the sysctls are now:

net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_local_phys=1
net.link.bridge.ipfw=0
net.link.bridge.ipfw_arp=0

Statistics with pftop and "pfctl -vs rules" still show an accumulated number of states. Also, tcpdump still shows a rule range instead of a fixed rule number, while pftop shows * in the rule column. Nevertheless, the bridge seems to work as intended.

>
> On 04/04/2013 19:48, wishmaster wrote:
>>
>> What are your sysctls?
>>
>> Below from my production server with 3 NICs in bridge. I use
>> filtering only on the bridge0 interface.
>>
>> net.link.bridge.pfil_local_phys: 0
>> net.link.bridge.pfil_member: 0
>> net.link.bridge.pfil_bridge: 1
>> net.link.bridge.pfil_onlyip: 1
>>
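As an added configuration check that is not part of this thread, the POSIX sh script below compares the `net.link.bridge` pfil sysctls of a host against the set Carsten reports as working, so a drift between the intended and the live bridge filtering policy shows up as a list of mismatches. The function name `check_bridge_pfil` and the two sample generators are assumptions made here; the expected values come from the message above, the sample inputs are constructed from the two sets of values quoted in the thread, and the script assumes the `key: value` output format that `sysctl net.link.bridge` produces on FreeBSD, as seen in wishmaster's quote.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Expected if_bridge pfil settings (the working set from the message above).
EXPECTED="net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_local_phys=1
net.link.bridge.ipfw=0
net.link.bridge.ipfw_arp=0"

# check_bridge_pfil: reads "key: value" (sysctl output) or "key=value" lines
# on stdin, prints one line per key that is missing or differs from EXPECTED,
# and returns 0 only when every expected key matches.
check_bridge_pfil() {
    rc=0
    input=$(sed 's/: /=/')          # normalise "key: value" to "key=value"
    for want in $EXPECTED; do       # default IFS splits EXPECTED on newlines
        key=${want%%=*}
        val=${want#*=}
        got=$(printf '%s\n' "$input" | awk -F= -v k="$key" \
            '$1 == k { print $2; found = 1 } END { if (!found) print "missing" }')
        if [ "$got" != "$val" ]; then
            printf '%s: want %s, got %s\n' "$key" "$val" "$got"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the working values (assumed sysctl output format).
sample_working() {
    printf '%s\n' \
        'net.link.bridge.pfil_onlyip: 1' \
        'net.link.bridge.pfil_member: 1' \
        'net.link.bridge.pfil_bridge: 1' \
        'net.link.bridge.pfil_local_phys: 1' \
        'net.link.bridge.ipfw: 0' \
        'net.link.bridge.ipfw_arp: 0'
}

# Constructed sample: the values wishmaster posted, which filter on bridge0
# only and omit the ipfw keys.
sample_wishmaster() {
    printf '%s\n' \
        'net.link.bridge.pfil_local_phys: 0' \
        'net.link.bridge.pfil_member: 0' \
        'net.link.bridge.pfil_bridge: 1' \
        'net.link.bridge.pfil_onlyip: 1'
}

# Demonstration on the constructed samples; on a real host run:
#   sysctl net.link.bridge | check_bridge_pfil
sample_working | check_bridge_pfil && echo "working set: all keys match"
sample_wishmaster | check_bridge_pfil || echo "wishmaster set: mismatches listed above"
```

The two sample sets differ in `pfil_member` and `pfil_local_phys`, which decide whether pf also sees packets on the member interfaces and on the bridge's own physical addresses; the check reports both keys, plus the two `ipfw` keys that wishmaster's output does not list, so a host configured the second way is flagged against the first policy.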
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?515ECB33.7030202>