From owner-freebsd-pf@FreeBSD.ORG Thu Sep 16 03:54:03 2004
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 674) id 0A99D16A4CF; Thu, 16 Sep 2004 03:54:03 +0000 (GMT)
Delivered-To: mlaier@vampire.homelinux.org
Received: (qmail 28200 invoked by uid 1005); 6 Oct 2003 02:49:31 -0000
Delivered-To: max@vampire.homelinux.org
Received: (qmail 28197 invoked from network); 6 Oct 2003 02:49:31 -0000
Received: from moutng.kundenserver.de (212.227.126.187) by p50839970.dip.t-dialin.net with SMTP; 6 Oct 2003 02:49:31 -0000
Received: from [212.227.126.213] (helo=mxng17.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1A6LOe-00022t-00 for max@vampire.homelinux.org; Mon, 06 Oct 2003 04:46:52 +0200
Received: from [206.53.239.180] (helo=turing.freelists.org) by mxng17.kundenserver.de with esmtp (Exim 3.35 #1) id 1A6LOb-0001CV-00 for max@love2party.net; Mon, 06 Oct 2003 04:46:49 +0200
Received: from turing (localhost [127.0.0.1]) ESMTP id 42784390A1D; Sun, 5 Oct 2003 21:41:27 -0500 (EST)
Received: with ECARTIS (v1.0.0; list pf4freebsd); Sun, 05 Oct 2003 21:41:21 -0500 (EST)
X-Original-To: pf4freebsd@freelists.org
Delivered-To: pf4freebsd@freelists.org
Received: from ns.kt-is.co.kr (ns.kt-is.co.kr [211.218.149.125]) ESMTP id CCB72390A0B for ; Sun, 5 Oct 2003 21:41:19 -0500 (EST)
Received: from michelle.kt-is.co.kr (ns2.kt-is.co.kr [220.76.118.193]) (authenticated bits=128) by ns.kt-is.co.kr (8.12.10/8.12.10) with ESMTP id h962kD5G099130 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Mon, 6 Oct 2003 11:46:15 +0900 (KST)
Received: from michelle.kt-is.co.kr (localhost.kt-is.co.kr [127.0.0.1]) by michelle.kt-is.co.kr (8.12.9/8.12.9) with ESMTP id h962kaX0000928 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 6 Oct 2003 11:46:36 +0900 (KST) (envelope-from yongari@kt-is.co.kr)
Received: (from yongari@localhost) by michelle.kt-is.co.kr (8.12.9/8.12.9/Submit) id h962kaLS000927 for pf4freebsd@freelists.org; Mon, 6 Oct 2003 11:46:36 +0900 (KST) (envelope-from yongari@kt-is.co.kr)
From: Pyun YongHyeon
To: pf4freebsd@freelists.org
Message-ID: <20031006024636.GC735@kt-is.co.kr>
References: <200308262103.12394.alan@precisionautobody.com> <200308262247.46254.alan@precisionautobody.com> <01a901c36cee$09bd6810$01000001@max900> <200308271625.05235.alan@precisionautobody.com> <025801c36cfa$3e756290$01000001@max900> <1062074062.31217.14.camel@quark.avioc.org> <01ad01c370ab$a55b2bc0$01000001@max900> <1062509878.337.18.camel@quark.avioc.org> <009001c3715b$d5840eb0$01000001@max900> <20031005201002.11d31f6e.temper@probsd.net>
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20031005201002.11d31f6e.temper@probsd.net>
User-Agent: Mutt/1.4.1i
X-Filter-Version: 1.11a (ns.kt-is.co.kr)
X-archive-position: 188
X-ecartis-version: Ecartis v1.0.0
Sender: pf4freebsd-bounce@freelists.org
Errors-To: pf4freebsd-bounce@freelists.org
X-original-sender: yongari@kt-is.co.kr
Precedence: normal
X-list: pf4freebsd
Content-Transfer-Encoding: quoted-printable
X-UID: 303
X-Length: 5001
X-Mailman-Approved-At: Thu, 16 Sep 2004 03:55:51 +0000
Subject: [pf4freebsd] Re: Bridging
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Reply-To: pf4freebsd@freelists.org
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Date: Thu, 16 Sep 2004 03:54:03 -0000
X-Original-Date: Mon, 6 Oct 2003 11:46:36 +0900
X-List-Received-Date: Thu, 16 Sep 2004 03:54:03 -0000

On Sun, Oct 05, 2003 at 08:10:02PM -0500, temper wrote:
> So has anyone been testing bridging on 1.64+?
>
> my ip-less bridge would appear at first to work but I'm having
> problems where traffic is passing through even though there is a block
> rule and nothing is even showing up on any "out" rules on the external
> interface at all.
>
> I hate posting on mailing lists because there's so much explaining to do
> and it takes so long to do. I'm usually on #pf on irc.freenode.net seeking
> help on this subject.
>

You have missed one important thing. Both pf and ipf can't see outgoing
packets due to limitations of bridge(4) in FreeBSD. To see packets going
through in both in/out directions, bridge(4) should be heavily modified.

For ipfw(4), this is not important. Since ipfw(4) has no ability to track
established states accurately, it is meaningless to see both in/out
traffic. The author of ipfw(4) might not want to see unnecessary traffic,
as it amplifies the processing burden on the CPU. (IMO)

At present, you may do filtering with the following restrictions on bridge.

1. do filtering for inbound traffic only
2. use state-less rules only

Yes, it has very limited use.

I am trying to modify bridge(4) to overcome this situation. However,
bridge(4) is very complex code and it takes time for me to ensure the
correctness of my code. So I can't simply say the ETA. If I manage to
make it work, I'll let you know via this list.

Thanks.

> -temper@probsd.net
>

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon
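What the two restrictions in Pyun's reply (inbound-only, stateless) look like in practice as a pf.conf for an IP-less bridge. This is an added example, not part of the original post or of the pf port; the interface names fxp0/fxp1, the 192.0.2.10 address and the macro names are assumptions, and the syntax follows the pf of that era, where a rule is stateless unless `keep state` is given.

```pf
# Added example (not from the original post): stateless, inbound-only
# filtering on a FreeBSD bridge(4), written to the two restrictions above.
ext_if  = "fxp0"        # bridge member facing the upstream router (assumed)
int_if  = "fxp1"        # bridge member facing the protected segment (assumed)
web_srv = "192.0.2.10"  # constructed address of a host behind the bridge

# "out" rules never match on bridge(4), so every decision is expressed as
# an "in" rule on the member interface that first receives the frame.
block in on $ext_if all
block in on $int_if all

# Client -> server: new connections and their data arrive on ext_if.
pass in on $ext_if inet proto tcp from any to $web_srv port 80

# Server -> client: with no state table, the reply direction has to be
# allowed explicitly, as inbound traffic on the other member interface.
pass in on $int_if inet proto tcp from $web_srv port 80 to any

# ICMP unreachables (path-MTU discovery) follow the same two-rule pattern.
pass in on $ext_if inet proto icmp from any to $web_srv icmp-type unreach
pass in on $int_if inet proto icmp from $web_srv to any icmp-type unreach

# No "keep state" anywhere: the pf discussed here is stateless by default.
# On later pf versions, where state is the default, append "no state" to
# each pass rule to keep the same semantics.
```

Two things to keep in mind with a ruleset like this. First, because nothing is tracked, pf cannot tell a reply from a freshly initiated packet, so the reply-direction rules should be as narrow as the application allows (here: only from the one server, only from port 80). Second, confirm that the rules are actually matching on the member interfaces rather than on bridge0: `pfctl -vsr` shows per-rule packet counters, and a `log` keyword on the block rules with a tcpdump on pflog0 will show which packets the bridge did and did not present to pf.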