Date: Thu, 16 Sep 2004 03:54:03 -0000
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: Bridging
Message-ID: <20031006024636.GC735@kt-is.co.kr>
In-Reply-To: <20031005201002.11d31f6e.temper@probsd.net>
References: <200308262103.12394.alan@precisionautobody.com> <200308262247.46254.alan@precisionautobody.com> <01a901c36cee$09bd6810$01000001@max900> <200308271625.05235.alan@precisionautobody.com> <025801c36cfa$3e756290$01000001@max900> <1062074062.31217.14.camel@quark.avioc.org> <01ad01c370ab$a55b2bc0$01000001@max900> <1062509878.337.18.camel@quark.avioc.org> <009001c3715b$d5840eb0$01000001@max900> <20031005201002.11d31f6e.temper@probsd.net>
On Sun, Oct 05, 2003 at 08:10:02PM -0500, temper wrote:
> So has anyone been testing bridging on 1.64+?
>
> my ip-less bridge would appear at first to work but i'm having
> problems where traffic is passing through even though there is a block rule and nothing is even showing up on any "out" rules on the external interface at all.
>
> I hate posting on mailing lists because there's so much explaining to do and it takes so long to do. I'm usually on #pf on irc.freenode.net seeking
> help on this subject.
>

You have missed one important thing. Both pf and ipf can't see outgoing packets due to limitations of bridge(4) in FreeBSD. To see packets going through both in/out directions, bridge(4) should be heavily modified.

For ipfw(4), this is not important. Since ipfw(4) has no ability to track established states accurately, it is meaningless to see both in/out traffic. The author of ipfw(4) might not want to see unnecessary traffic, as it amplifies the processing burden on the CPU. (IMO)

At present, you may do filtering with the following restrictions on bridge:
1. do filtering for inbound traffic only
2. use state-less rules only

Yes, it has only very limited use. I am trying to modify bridge(4) to overcome this situation. However, bridge(4) is very complex code and it takes time for me to ensure correctness of my code. So I can't simply say the ETA. If I manage to get it working, I'll let you know via this list. Thanks.

> -temper@probsd.net
>

Regards,
Pyun YongHyeon
--
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031006024636.GC735>
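The two restrictions stated in the reply (inbound filtering only, stateless rules only) translate into a pf.conf that looks quite different from a normal router ruleset. The following is an added example written for this archive page; it is not part of the original message and not code from the pf project. The interface names fxp0/fxp1 and the 192.168.1.10 web server address are assumptions. It puts the ineffective forms (an "out" rule, a "keep state" rule) beside the forms that still work under the bridge(4) limitation described above.

```pf
# Added example (not from the original message): pf.conf for an IP-less
# bridge(4) with members fxp0 (outside) and fxp1 (LAN). Interface names
# and the web server address are assumptions.
ext_if = "fxp0"            # bridge member facing the outside
int_if = "fxp1"            # bridge member facing the LAN
web    = "192.168.1.10"    # LAN web server behind the bridge (assumed)

# Default deny. Only "in" rules can ever match here: pf does not see the
# outbound direction on a bridge member, so an "out" rule never fires.
block in all

# Ineffective on this bridge, kept only as the contrast:
#   block out on $ext_if all                      # never evaluated
#   pass in on $ext_if proto tcp to $web port 80 keep state
#                               # depends on pf seeing both directions;
#                               # under restriction 2 stay stateless

# A flow crosses the bridge as two separate "in" events, one per member
# interface, so each permitted flow needs a stateless rule per direction.
# Client -> server, arriving on the outside member:
pass in quick on $ext_if proto tcp from any to $web port 80
# Server -> client, arriving on the LAN member. "flags A/A" (ACK must be
# set) is the stateless stand-in for "established": it admits replies
# but not a fresh SYN originating from the web server.
pass in quick on $int_if proto tcp from $web port 80 to any flags A/A
```

Because every rule is stateless, the "established" check is only the TCP flag test on the reply rule, which is weaker than a real state entry; that is the price of restriction 2, and the reply above is explicit that the resulting setup is of limited use until bridge(4) passes both directions to pf.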
