FreeBSD bridge + filtering, BIG problem

Jon Simola jsimola at gmail.com
Wed Dec 1 09:43:23 PST 2004


On Wed, 1 Dec 2004 08:23:39 -0500, Josh Kayse <josh.kayse at gmail.com> wrote:

> I know it's been touched on in the past, but can you explain why
> stateful inspection does not work in a bridged mode?  And why it only
> filters for inbound traffic?  Does ipfw suffer from the same feature?

'man ipfw' and look at the PACKET FLOW section. Bridged packets are
only passed to the firewall at layer2 and only via the bdg_forward
path. There is no path through ip_output or ether_output_frame, so
it's easiest to think of ipfw being unable to check packets only as
they enter and not as they leave.

