[pf4freebsd] Re: Bridging?
Alan Bryan
alan at precisionautobody.com
Wed Sep 15 20:47:25 PDT 2004
On Wednesday 27 August 2003 03:53 pm, Max Laier wrote:
> That's strange. Can you send output of "pfctl -gvvsa" after some traffic.
> Maybe with this ruleset:
>
> block in log
> block out log
> <<<<
Done. See way down below (also attached in case formatting is weird). I sent
traffic in both directions. A port scan in one direction and a machine
browsing the web in the other. About 5 minutes of traffic.
>
> If you have time to test a bit, I'd like to send you some debugging code to
> run, as I don't have a bridge setup at hand for testing.
>
OK - send away. Anything I can do to help. I have tons of time and really
need to get this working ASAP.
Another strange tidbit of info - I needed to get the results of "pfctl -gvvsa"
onto my other machine to type up this email so I enabled the default route
and gave one card an IP in rc.conf and rebooted. When it came back up I
couldn't ssh to the box (as expected) because the block rules were still
there. So pf seems to work once I've bound an IP address to a NIC but
ignores the bridge???
Thanks for the help,
Alan
@0 block drop in log all
  [ Skip steps: i=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 50        Packets: 50        Bytes: 6853        States: 0     ]
@1 block drop out log all
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 50        Packets: 0         Bytes: 0           States: 0     ]
Status: Enabled for 0 days 00:06:53           Debug: None

State Table                          Total             Rate
  current entries                        0
  searches                              50            0.1/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                 50            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
tcp.first                  120s
tcp.opening                 30s
tcp.established          86400s
tcp.closing                900s
tcp.finwait                 45s
tcp.closed                  90s
udp.first                   60s
udp.single                  30s
udp.multiple                60s
icmp.first                  20s
icmp.error                  10s
other.first                 60s
other.single                30s
other.multiple              60s
frag                        30s
interval                    10s
states        hard limit    10000
frags         hard limit     5000
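The counters above carry the whole diagnosis: the inbound catch-all rule counted 50 packets, the outbound catch-all counted none, and the state table was searched 50 times with no inserts. The script below is an added example (not part of the original post or of the freebsd-pf list) that parses this kind of `pfctl -gvvsa` output and reports, per direction, whether pf saw any packets at all. It assumes the counter-line format shown above and that each rule text carries an explicit `in` or `out`; the sample input is the posted output with the timeouts section trimmed.

```python
"""Parse per-rule counters and state-table lines from pfctl -gvvsa output and
report which directions pf actually matched packets on.

Added example, not code from the original mailing-list post. Assumes the
"[ Evaluations: N Packets: N Bytes: N States: N ]" line format shown above."""
import re
import sys

# Constructed sample: the rule and state-table lines from the pfctl output
# posted above (timeouts omitted, since the parser does not use them).
SAMPLE = """\
@0 block drop in log all
  [ Skip steps: i=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 50 Packets: 50 Bytes: 6853 States: 0 ]
@1 block drop out log all
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 50 Packets: 0 Bytes: 0 States: 0 ]
Status: Enabled for 0 days 00:06:53 Debug: None
State Table Total Rate
current entries 0
searches 50 0.1/s
inserts 0 0.0/s
removals 0 0.0/s
Counters
match 50 0.1/s
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.+)$")
COUNTER_RE = re.compile(
    r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")
STATE_RE = re.compile(r"^(current entries|searches|inserts|removals)\s+(\d+)")
DIRECTION_RE = re.compile(r"\b(in|out)\b")


def parse_pfctl(text):
    """Return (rules, state_table) parsed from pfctl -gvvsa style output."""
    rules, state_table, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            d = DIRECTION_RE.search(m.group(2))
            current = {"num": int(m.group(1)), "rule": m.group(2),
                       "direction": d.group(1) if d else "any",
                       "evaluations": 0, "packets": 0, "bytes": 0, "states": 0}
            rules.append(current)
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            current.update(evaluations=int(m.group(1)), packets=int(m.group(2)),
                           bytes=int(m.group(3)), states=int(m.group(4)))
            continue
        m = STATE_RE.match(line)
        if m:
            state_table[m.group(1)] = int(m.group(2))
    return rules, state_table


def summarize(rules, state_table):
    """Aggregate counters per direction and flag what a pf operator looks for:
    a catch-all rule that never matched, and a state table that never filled."""
    packets, evaluations, findings = {}, {}, []
    for r in rules:
        d = r["direction"]
        packets[d] = packets.get(d, 0) + r["packets"]
        evaluations[d] = evaluations.get(d, 0) + r["evaluations"]
        # A catch-all ("... all") rule that is the last match for its direction
        # counts every packet in that direction reaching pf, so zero Packets
        # on it means pf handled no packet in that direction.
        if r["rule"].endswith(" all") and r["evaluations"] and not r["packets"]:
            findings.append("catch-all rule @%d (%s) matched 0 packets after %d "
                            "evaluations: pf is not seeing %sbound traffic"
                            % (r["num"], r["rule"], r["evaluations"], d))
    searches = state_table.get("searches", 0)
    if searches and not state_table.get("inserts", 0):
        findings.append("state table searched %d times with 0 inserts: no rule "
                        "created state (expected for a block-only ruleset)" % searches)
    return {"packets_by_direction": packets,
            "evaluations_by_direction": evaluations,
            "findings": findings}


if __name__ == "__main__":
    # Pipe real output in ("pfctl -gvvsa | python3 pfcheck.py"); run with a
    # terminal on stdin to analyse the embedded sample instead.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    report = summarize(*parse_pfctl(text))
    for d in sorted(report["packets_by_direction"]):
        print("%-4s packets=%d evaluations=%d" % (d, report["packets_by_direction"][d],
                                                 report["evaluations_by_direction"][d]))
    for f in report["findings"]:
        print("-", f)
```

On the posted output this reports `in` with 50 packets and `out` with 0, and flags rule @1 as a catch-all that never matched. Since the web-browsing machine's replies should have produced outbound traffic, that asymmetry, not the absence of states, is the number to chase.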