From: Carsten Sonne Larsen <cs@innolan.dk>
To: wishmaster
Cc: freebsd-pf@freebsd.org
Date: Fri, 05 Apr 2013 15:01:39 +0200
Subject: Solved: Filtering bridge with pf.
Message-ID: <515ECB33.7030202@innolan.dk>
In-Reply-To: <515DE6C0.2020701@innolan.dk>

After reading carefully through the man pages of if_bridge, the sysctls are now:

net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_local_phys=1
net.link.bridge.ipfw=0
net.link.bridge.ipfw_arp=0

Statistics with pftop and "pfctl -vs rules" still show an accumulated number of states. Also, tcpdump still shows a rule range instead of a fixed rule number, while pftop shows * in the rule column. Nevertheless, the bridge seems to work as intended.
> On 04/04/2013 19:48, wishmaster wrote:
>> What are your sysctls?
>>
>> Below from my production server with 3 NICs in bridge. I use
>> filtering only on the bridge0 interface.
>>
>> net.link.bridge.pfil_local_phys: 0
>> net.link.bridge.pfil_member: 0
>> net.link.bridge.pfil_bridge: 1
>> net.link.bridge.pfil_onlyip: 1
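The two sysctl sets above differ in one practical point: with pfil_member=1 and pfil_bridge=1 a bridged frame is handed to pf on the physical member interface and again on bridge0, while wishmaster's setting hooks pf once, on bridge0 only. The following script is an added example and is not part of the mail thread or of FreeBSD itself: it reads the "name: value" text that `sysctl net.link.bridge` prints, reports where pf will see bridged traffic, and flags the two settings that silently bypass or double pf (no pfil hook at all, and net.link.bridge.ipfw=1, which per if_bridge(4) clears pfil_member and pfil_bridge). The function names and the embedded sample outputs are constructed for the example; the meaning of each sysctl is taken from if_bridge(4). On a real bridge run `sysctl net.link.bridge` and feed its output to the functions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): check the
# net.link.bridge.* sysctls of a pf filtering bridge for the
# configurations that bypass pf or run it twice.

# Print the value of one oid from "name: value" lines held in $1.
# Prints nothing when the oid is absent.
oid_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# Classify where pf is hooked for bridged frames, per if_bridge(4):
#   none          neither hook set: bridged frames never reach pf
#   member        pfil_member only: filtered once, on the physical NIC
#   bridge        pfil_bridge only: filtered once, on bridge0
#   member+bridge both: filtered on the NIC and again on bridge0
#   unknown       one of the oids is missing from the input
pf_hook_points() {
    ph_member=$(oid_value "$1" net.link.bridge.pfil_member)
    ph_bridge=$(oid_value "$1" net.link.bridge.pfil_bridge)
    case "${ph_member:-?}${ph_bridge:-?}" in
        00) echo none ;;
        10) echo member ;;
        01) echo bridge ;;
        11) echo member+bridge ;;
        *)  echo unknown ;;
    esac
}

# Report the hook layout and return 0 only when bridged traffic meets
# pf at exactly one hook point and the ipfw layer-2 hook is off.
check_bridge_pfil() {
    cb_rc=0
    cb_where=$(pf_hook_points "$1")
    cb_ipfw=$(oid_value "$1" net.link.bridge.ipfw)
    cb_onlyip=$(oid_value "$1" net.link.bridge.pfil_onlyip)
    case "$cb_where" in
        none)
            echo "FAIL: pfil_member=0 and pfil_bridge=0; bridged traffic bypasses pf"
            cb_rc=1 ;;
        member)
            echo "ok: filtered once, on the member interfaces" ;;
        bridge)
            echo "ok: filtered once, on the bridge interface" ;;
        member+bridge)
            echo "WARN: filtered twice (member interface, then bridge0); a frame must be passed by the rule set on both passes"
            cb_rc=1 ;;
        *)
            echo "FAIL: pfil_member/pfil_bridge not found in input"
            cb_rc=1 ;;
    esac
    if [ "${cb_ipfw:-0}" = 1 ]; then
        echo "WARN: net.link.bridge.ipfw=1; if_bridge(4) disables pfil_member and pfil_bridge when the ipfw hook is enabled"
        cb_rc=1
    fi
    if [ "${cb_onlyip:-1}" = 0 ]; then
        echo "note: pfil_onlyip=0, non-IP Ethernet frames are bridged without filtering"
    fi
    return $cb_rc
}

# Constructed sample 1: the settings from the post above (both hooks on).
SAMPLE_POST='net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_local_phys: 1
net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0'

# Constructed sample 2: wishmaster's settings (bridge0 hook only).
SAMPLE_BRIDGE_ONLY='net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1
net.link.bridge.ipfw: 0'

# Constructed sample 3: a bridge that never hands frames to pf.
SAMPLE_NONE='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 1
net.link.bridge.ipfw: 0'

for s in "$SAMPLE_POST" "$SAMPLE_BRIDGE_ONLY" "$SAMPLE_NONE"; do
    echo "--- hook points: $(pf_hook_points "$s")"
    check_bridge_pfil "$s" || true
done
```

The script is plain POSIX sh, so it runs on the bridge host as `sysctl net.link.bridge | { out=$(cat); check_bridge_pfil "$out"; }` as well as on a workstation against saved output. It treats the double-hook layout as a warning rather than a hard failure because it does work, as the post says, but a default-deny rule set then has to pass each frame on both the physical interface and bridge0.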