From owner-freebsd-pf@FreeBSD.ORG Thu Sep 16 03:47:00 2004
From: Alan Bryan
To: pf4freebsd@freelists.org, "Max Laier"
Subject: [pf4freebsd] Re: Bridging?
Date: Thu, 16 Sep 2004 03:47:00 -0000
X-Original-Date: Tue, 26 Aug 2003 22:47:46 -0700
Message-Id: <200308262247.46254.alan@precisionautobody.com>
In-Reply-To: <004701c36c53$ed0c0860$01000001@max900>
List-Id: Technical discussion and general questions about packet filter (pf)

Thanks for the quick response! Here's a bit more info:

FreeBSD 5.1 Release. Rebuilt Kernel with:

options BRIDGE
options PFIL_HOOKS
options RANDOM_IP_ID
options INET6

my /etc/sysctl.conf has:

net.link.ether.bridge_cfg=dc0, dc1
net.link.ether.bridge_ipf=1
net.link.ether.bridge=1

No IPs are assigned to either NIC.

My /usr/local/etc/pf.conf:

block log

When I do all of that I get a working bridge but it doesn't block anything except some port 137 broadcast packets (by watching pftcpdump results as recommended). I can still ping through the bridge in both directions and connect via ssh through the bridge. Given the above config, shouldn't everything be blocked? Does anyone see something I've done wrong or omitted?

Thanks,
Alan

On Tuesday 26 August 2003 09:30 pm, Max Laier wrote:
> bridge.c has PFIL_HOOKS implemented. All you should have to do is:
>
> # sysctl net.link.ether.bdg_ipf=1
>
> More documentation can be found in the sources:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net/bridge.c#rev1.48
> Note the part about "This will not work in (...) the bridge.ko module.",
> you need the built-in bridge to make it work.
>
> The best way to test is to load a ruleset only containing:
> block log
> and then
> $ pftcpdump -n -e -ttt -i pflog0
> while generating traffic from both sides. This will give you an idea what
> filter rules you'll need.
>
> ----- Original Message -----
> From: "Alan Bryan"
> To:
> Sent: Wednesday, August 27, 2003 6:03 AM
> Subject: [pf4freebsd] Bridging?
>
> > I can't seem to find any information about pf and bridging on FreeBSD. I've
> > got my bridge set up and working but seem to be unable to get pf to block any
> > traffic through the bridge.
> >
> > Before I waste more time on this, has anyone else successfully used pf on
> > a FreeBSD bridge?
> >
> > Thanks,
> > Alan
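An added checklist script (my own, not from the thread or from FreeBSD) that turns the conditions Max lists into a check over the output of `sysctl net.link.ether` and `kldstat`: bridging on, interfaces configured, the pfil hook sysctl set, and the bridge built into the kernel rather than loaded as bridge.ko. The sysctl names are the ones quoted in the thread, and the sample dumps are constructed.

```sh
#!/bin/sh
# Added checklist (not from the thread or from FreeBSD): evaluate the
# conditions the thread names for pf to see bridged traffic against the
# output of `sysctl net.link.ether` and `kldstat`. The sysctl names are the
# ones quoted in the thread; the dumps at the bottom are constructed.

# Print the value of one sysctl key from a dump in "key: value" (sysctl output)
# or "key=value" (sysctl.conf) form; prints nothing when the key is absent.
sysctl_value() {
    printf '%s\n' "$1" | sed -n "s/^$2[:=] *//p" | head -n 1
}

# Return 0 when every condition is met, 1 otherwise; each unmet condition is
# printed on its own line so the operator knows what to fix.
bridge_pf_check() {
    dump="$1"; klds="$2"; ok=0
    if [ "$(sysctl_value "$dump" net.link.ether.bridge)" != "1" ]; then
        echo "net.link.ether.bridge is not 1: bridging is off"; ok=1
    fi
    if [ -z "$(sysctl_value "$dump" net.link.ether.bridge_cfg)" ]; then
        echo "net.link.ether.bridge_cfg is empty: no interfaces bridged"; ok=1
    fi
    if [ "$(sysctl_value "$dump" net.link.ether.bridge_ipf)" != "1" ]; then
        echo "net.link.ether.bridge_ipf is not 1: pfil hooks skipped, pf never sees bridged packets"; ok=1
    fi
    # The thread quotes bridge.c: the hooks do not work from the bridge.ko module.
    if printf '%s\n' "$klds" | grep -q 'bridge\.ko'; then
        echo "bridge.ko is loaded: pfil hooks need the bridge built into the kernel"; ok=1
    fi
    return $ok
}

# Constructed sample dumps: the first mirrors the sysctl.conf posted above.
GOOD_SYSCTL='net.link.ether.bridge_cfg: dc0, dc1
net.link.ether.bridge_ipf: 1
net.link.ether.bridge: 1'
NOHOOK_SYSCTL='net.link.ether.bridge_cfg: dc0, dc1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge: 1'
BUILTIN_KLDSTAT='Id Refs Address    Size     Name
 1    1 0xc0400000 5a8c4c   kernel'
MODULE_KLDSTAT='Id Refs Address    Size     Name
 1    2 0xc0400000 5a8c4c   kernel
 2    1 0xc1e3a000 4000     bridge.ko'

# Stand-alone run: report on the posted configuration with a built-in bridge.
bridge_pf_check "$GOOD_SYSCTL" "$BUILTIN_KLDSTAT" && echo "all conditions met"
```

On a live box, replace the constructed dumps with `"$(sysctl net.link.ether)"` and `"$(kldstat)"`; a clean result means the remaining work is in the ruleset, not the hook.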