From: Josh Kayse
Reply-To: gtg062h@mail.gatech.edu
To: yongari@kt-is.co.kr
Cc: freebsd-pf@freebsd.org
Date: Sun, 5 Dec 2004 19:17:05 -0500
Subject: Re: FreeBSD bridge + filtering, BIG problem
Message-ID: <7c8f27920412051617123672bf@mail.gmail.com>
In-Reply-To: <20041202033920.GC12155@kt-is.co.kr>
References: <20041201045203.262D443D5C@mx1.FreeBSD.org> <20041201110912.GA9840@kt-is.co.kr> <7c8f27920412010523730447de@mail.gmail.com> <20041202033920.GC12155@kt-is.co.kr>
List-Id: Technical discussion and general questions about packet filter (pf)

On Thu, 2 Dec 2004 12:39:20 +0900, Pyun YongHyeon wrote:
> On Wed, Dec 01, 2004 at 08:23:39AM -0500, Josh Kayse wrote:
> > [...]
> >
> > I know it's been touched on in the past, but can you explain why
> > stateful inspection does not work in a bridged mode? And why it only
> > filters for inbound traffic? Does ipfw suffer from the same feature?
> > Thanks.
> >
>
> Both pf/ipf should see inbound/outbound traffic in order to
> create states. But in bridge(4), the pfil(9) hook for outbound packets
> is absent. ipfw can create states without seeing outbound packets.
> Maybe it was the author's intention to reduce overhead by not
> checking packets in both directions.
>
> I guess ipfw can't filter outbound packets in a bridged setup either.
>
> A long time ago, I wrote a patch to add a pfil(9) outbound hook
> in the bridge setup. The patch makes pf's scrub rule work too.
> It wouldn't apply to 5.3R but you can see the point.
>
> http://www.kr.freebsd.org/~yongari/patches/bridge.patch
>
> > -josh
> >
> > --
> > Joshua Kayse
> > Computer Engineering
> > --
>
> Regards,
> Pyun YongHyeon
> http://www.kr.freebsd.org/~yongari | yongari@freebsd.org
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

I managed to get your patch to apply to FreeBSD RELENG_5. I have a
question about the bridge_fragment function though. Would this
prevent packets from Linux NFS clients from working, the fragmented
ones with the DF flag set? Thanks for any information.

I'll post the patch later if anyone wants it. It hasn't been
thoroughly tested but is currently running on a bridge setup in my
test lab with my work machine behind it.

-josh

--
Joshua Kayse
Computer Engineering
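An added illustrative model (not code from this thread or from the bridge patch) of the path the DF question is about: scrub reassembles the fragments, the bridge then has to split the datagram again for the outgoing member, and a reassembled datagram that inherited DF cannot be re-fragmented. The drop policy in refragment is an assumption about that path, the sizes and MTU are constructed, and the no_df switch models pf's scrub "no-df" option, which clears the flag on reassembly and is the usual remedy for NFS fragments that carry DF.

```python
from __future__ import annotations
from dataclasses import dataclass

IPV4_HDR = 20  # header length assumed for every fragment (no IP options)

@dataclass
class Fragment:
    """One IPv4 fragment, reduced to the fields the DF question is about."""
    offset: int   # fragment offset in bytes (multiple of 8)
    length: int   # payload bytes carried by this fragment
    mf: bool      # More Fragments flag
    df: bool      # Don't Fragment flag

def reassemble(frags: list[Fragment]) -> Fragment | None:
    """Model of scrub's fragment reassembly: returns the whole datagram as one
    Fragment (offset 0, mf False), or None while the chain is incomplete.
    DF survives if any fragment carried it, which is what the question is about."""
    chain = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for f in chain:
        if f.offset != expected:
            return None          # gap or overlap: nothing to forward yet
        expected += f.length
    if not chain or chain[-1].mf:
        return None              # last fragment not seen yet
    return Fragment(0, expected, False, any(f.df for f in chain))

def refragment(pkt: Fragment, mtu: int, no_df: bool = False) -> list[int] | None:
    """Model of re-fragmenting a reassembled datagram for an outgoing bridge member.
    Assumed policy (the behaviour the question fears, not the patch's own code):
    an oversized datagram with DF set is dropped (None) unless scrub's no-df
    option cleared the flag first. Returns the per-fragment payload sizes."""
    df = False if no_df else pkt.df
    if pkt.length + IPV4_HDR <= mtu:
        return [pkt.length]      # fits: forward unchanged, DF irrelevant
    if df:
        return None
    step = (mtu - IPV4_HDR) // 8 * 8   # fragment payloads must be 8-byte multiples
    return [min(step, pkt.length - off) for off in range(0, pkt.length, step)]

# Constructed sample: a Linux-NFS-style 4440-byte UDP datagram that arrived as
# three 1480-byte fragments, every one of them carrying DF.
NFS_FRAGS = [Fragment(0, 1480, True, True), Fragment(1480, 1480, True, True),
             Fragment(2960, 1480, False, True)]

def demo(no_df: bool) -> list[int] | None:
    """Reassemble the sample and try to forward it over a 1500-byte-MTU member."""
    whole = reassemble(NFS_FRAGS)
    return None if whole is None else refragment(whole, 1500, no_df=no_df)
```

demo(False) models the failure the question asks about (the reassembled DF datagram is dropped), while demo(True) shows the same datagram leaving again as three fragments once DF is cleared.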