From owner-freebsd-questions@FreeBSD.ORG Wed Nov 25 09:48:50 2009
From: krad
To: Brian McCann
Cc: freebsd-questions
Date: Wed, 25 Nov 2009 09:48:48 +0000
Subject: Re: pf nuttyness
In-Reply-To: <2b5f066d0911241502x2395b7aey328455f67a9b5d6@mail.gmail.com>
List-Id: User questions
2009/11/24 Brian McCann:

> I'm at the end of my rope here with PF. I have a ruleset loaded that
> is long and complicated...but I've shortened it to a "pass all" rule.
> The box has 4 interfaces, one for pfsync, one for me to connect to it,
> and two bridged interfaces. The only traffic on the bridged
> interfaces is STP and IP multicast traffic from my EIGRP routers.
> When I run "pfctl -s rules -v", the EIGRP multicast traffic never hits
> any rules...yet it's allowed.
>
> I'm on FreeBSD 7.1.
>
> Has anyone else come across this before? I'm ready to throw out
> FreeBSD 7.1 and try OpenBSD for pf use...which would be a shame since
> I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
> would just be... weird...
>
> --Brian
>
> --
> _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
> Brian McCann
>
> "I don't have to take this abuse from you -- I've got hundreds of
> people waiting to abuse me."
> -- Bill Murray, "Ghostbusters"
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

pf works at layer 3 (IP); bridging works at layer 2 (Ethernet/datalink), therefore the traffic probably never gets to the upper layer of the IP stack where pf works.

You can do L2 filtering with ipfw if you enable the sysctl variable net.link.bridge.ipfw=1. However, I'm not sure if you can do it with pf on FreeBSD. I had a quick scout through the man pages and can't see anything. However, I'm fairly sure you can do L2 stuff with pf in OpenBSD.

As your traffic is multicast, you could always configure your BSD box as a multicast router rather than bridging the traffic. pf should see the traffic then, as you're working at L3 and above.
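An added illustration, not part of the thread: a POSIX shell snippet that reads the if_bridge(4) sysctl knobs (net.link.bridge.ipfw from the reply above, plus pfil_member and pfil_bridge from if_bridge(4), which the thread does not mention) and reports which filtering paths bridged frames can reach on a FreeBSD bridge. The sample sysctl output is constructed.

```shell
#!/bin/sh
# Constructed sample of `sysctl net.link.bridge` output; the values are made
# up for this example and are not taken from the thread.
SAMPLE_SYSCTL='net.link.bridge.ipfw: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'

# bridge_knob NAME [TEXT]: value of net.link.bridge.NAME parsed from TEXT, or
# from the live `sysctl net.link.bridge` output when TEXT is omitted. Prints
# "missing" if the knob is not present (e.g. if_bridge(4) not loaded).
bridge_knob() {
    _text=${2:-$(sysctl net.link.bridge 2>/dev/null || :)}
    printf '%s\n' "$_text" | awk -v k="net.link.bridge.$1:" '
        $1 == k { print $2; found = 1 }
        END { if (!found) print "missing" }'
}

# bridge_filter_report [TEXT]: one line per filtering path.
# "l2-ipfw" is the net.link.bridge.ipfw knob from the reply (layer-2 ipfw).
# "pfil" is the IP-layer pfil(9) hook that both pf and ipfw attach to;
# if_bridge(4) runs it on the member interfaces (pfil_member=1) and/or on
# the bridge interface itself (pfil_bridge=1). With both at 0, bridged IP
# traffic is forwarded without ever reaching pf or ipfw rules.
bridge_filter_report() {
    ipfw=$(bridge_knob ipfw "$1")
    member=$(bridge_knob pfil_member "$1")
    bridge=$(bridge_knob pfil_bridge "$1")
    case $ipfw in
        1) echo "l2-ipfw: enabled" ;;
        *) echo "l2-ipfw: disabled" ;;
    esac
    if [ "$member" = 1 ] || [ "$bridge" = 1 ]; then
        echo "pfil: enabled (member=$member bridge=$bridge)"
    else
        echo "pfil: disabled (bridged IP traffic bypasses pf/ipfw rules)"
    fi
}

bridge_filter_report "$SAMPLE_SYSCTL"
```

Run it with no argument on the bridge host itself to read the live sysctl values instead of the constructed sample.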