From owner-freebsd-questions@FreeBSD.ORG Wed Nov 25 14:00:58 2009
From: Vincent Hoffman <vince@unsane.co.uk>
To: krad
Cc: Brian McCann, freebsd-questions
Subject: Re: pf nuttyness
Date: Wed, 25 Nov 2009 14:00:55 +0000
Message-ID: <4B0D3897.808@unsane.co.uk>
References: <2b5f066d0911241502x2395b7aey328455f67a9b5d6@mail.gmail.com>
List-Id: User questions <freebsd-questions@freebsd.org>

krad wrote:
> 2009/11/24 Brian McCann
>
>> I'm at the end of my rope here with PF. I have a ruleset loaded that
>> is long and complicated...but I've shortened it to a "pass all" rule.
>> The box has 4 interfaces: one for pfsync, one for me to connect to it,
>> and two bridged interfaces. The only traffic on the bridged
>> interfaces is STP and IP multicast traffic from my EIGRP routers.
>> When I run "pfctl -s rules -v", the EIGRP multicast traffic never hits
>> any rules...yet it's allowed.
>>
>> I'm on FreeBSD 7.1.
>>
>> Has anyone else come across this before? I'm ready to throw out
>> FreeBSD 7.1 and try OpenBSD for pf use...which would be a shame since
>> I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
>> would just be... weird...
>>
>> --Brian

Have you read the if_bridge(4) manpage? I'd recommend starting at the
heading "PACKET FILTERING" and checking you have the correct sysctl
settings. pf certainly can filter bridge interfaces according to the
manpage. That said, I've never tried it.

Vince

>> --
>> _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
>> Brian McCann
>>
>> "I don't have to take this abuse from you -- I've got hundreds of
>> people waiting to abuse me."
>> -- Bill Murray, "Ghostbusters"
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> pf works at layer 3 (IP); bridging works at layer 2 (Ethernet/datalink),
> therefore the traffic probably never gets to the upper layer of the IP stack
> where pf works.
>
> You can do L2 filtering with ipfw if you enable the sysctl variable
> net.link.bridge.ipfw=1. However, I'm not sure if you can do it with pf on
> FreeBSD. I had a quick scout through the man pages and can't see anything.
> However, I'm fairly sure you can do L2 stuff with pf in OpenBSD.
>
> As your traffic is multicast you could always configure your BSD box as a
> multicast router rather than bridging the traffic. pf should see the traffic
> then as you're working at L3 and above.
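The "check your sysctl settings" advice above, as an added sh example that is not part of this thread: it reads `sysctl net.link.bridge` output and reports whether the if_bridge(4) packet-filtering knobs will let pf see bridged traffic at all. The sysctl names (pfil_member, pfil_bridge, pfil_onlyip, ipfw) are taken from if_bridge(4), not from the thread, and the sample output is constructed.

```sh
#!/bin/sh
# Added example: decide from if_bridge(4) sysctls whether pf will ever see
# frames crossing a bridge. Sysctl names are from if_bridge(4); the sample
# below is constructed, not captured from the poster's box.

# Constructed `sysctl net.link.bridge` output for a box where pf hooks run
# on neither the member interfaces nor the bridge interface.
SAMPLE='net.link.bridge.ipfw: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 1'

# bridge_sysctl SYSCTL_TEXT NAME -> prints the value of net.link.bridge.NAME
bridge_sysctl() {
    printf '%s\n' "$1" | awk -v k="net.link.bridge.$2:" '$1 == k { print $2; exit }'
}

# check_bridge_pfil SYSCTL_TEXT
# Prints one finding per line. Returns 0 when bridged IP packets reach pf,
# 1 when they bypass it entirely.
check_bridge_pfil() {
    text="$1"; rc=0
    member=$(bridge_sysctl "$text" pfil_member)
    bridge=$(bridge_sysctl "$text" pfil_bridge)
    onlyip=$(bridge_sysctl "$text" pfil_onlyip)
    ipfw=$(bridge_sysctl "$text" ipfw)
    if [ "$member" != 1 ] && [ "$bridge" != 1 ]; then
        echo "pfil_member=$member pfil_bridge=$bridge: pfil hooks run on neither member nor bridge interface, so bridged IP traffic never hits pf rules"
        rc=1
    fi
    if [ "$ipfw" = 1 ]; then
        echo "ipfw=1: layer-2 filtering is handed to ipfw; if_bridge(4) turns pfil_member/pfil_bridge off when this is set"
    fi
    if [ "$onlyip" = 1 ]; then
        echo "pfil_onlyip=1: only IP frames are filtered; STP and other non-IP frames are bridged unfiltered"
    fi
    return $rc
}

# On a FreeBSD box, run it against live values instead:
#   check_bridge_pfil "$(sysctl net.link.bridge)"
if check_bridge_pfil "$SAMPLE"; then
    echo "pf sees bridged IP traffic; look at the ruleset next"
else
    echo "fix the sysctls above before blaming the ruleset"
fi
```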