FreeBSD bridge + filtering, BIG problem
Clément MOULIN
cmoulin at simplerezo.com
Thu Dec 2 14:21:32 PST 2004
Pyun YongHyeon wrote:
>Are you sure you can see *states* with "pfctl -ss"?
>Both pf/ipf can't create states since it couldn't see ANY outbound
>packets in bridge environments. In jail(fw01), you can see states
>since packets go through L3 hook points.
Yes I do (with pf):
$ pfctl -ss
No ALTQ support in kernel
ALTQ related functions disabled
self tcp ...:3556 <- ...:80 CLOSED:SYN_SENT
self tcp ...:3557 <- ...:80 CLOSED:SYN_SENT
self tcp ...:2970 <- ...:80 CLOSED:SYN_SENT
self tcp ...:80 <- ...:3556 ESTABLISHED:ESTABLISHED
self tcp ...:80 <- ...:3557 ESTABLISHED:ESTABLISHED
self tcp ...:80 <- ...:2970 ESTABLISHED:ESTABLISHED
self tcp ...:80 -> ...:3559 ESTABLISHED:FIN_WAIT_2
self tcp ...:80 -> ...:3565 ESTABLISHED:FIN_WAIT_2
self udp ...:64715 -> ...:53 MULTIPLE:SINGLE
self udp ...:53 <- ...:64715 NO_TRAFFIC:SINGLE
(I have removed the IP addresses from the output)
--
Clement Moulin
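As an added illustration (not part of the original message or of pf itself), the following small parser reads `pfctl -ss` output shaped like the listing above and reports TCP states in which one side is still `CLOSED`, i.e. pf has so far seen packets in only one direction of that connection. A few such entries are normal while a handshake is in flight; many that persist are the symptom the thread is discussing, a bridge on which pf only sees one direction of traffic. The sample output and its addresses are constructed placeholders, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output, modelled on the listing in the
# message above. Addresses are documentation-range placeholders, not real ones.
SAMPLE_OUTPUT = """\
No ALTQ support in kernel
ALTQ related functions disabled
self tcp 192.0.2.10:3556 <- 198.51.100.5:80 CLOSED:SYN_SENT
self tcp 192.0.2.10:3557 <- 198.51.100.5:80 CLOSED:SYN_SENT
self tcp 192.0.2.10:80 <- 198.51.100.7:2970 ESTABLISHED:ESTABLISHED
self tcp 192.0.2.10:80 -> 198.51.100.7:3559 ESTABLISHED:FIN_WAIT_2
self udp 192.0.2.10:64715 -> 198.51.100.53:53 MULTIPLE:SINGLE
self udp 192.0.2.10:53 <- 198.51.100.53:64715 NO_TRAFFIC:SINGLE
"""

# One state line: <interface> <proto> <src> <dir> <dst> <src_state>:<dst_state>
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dir>->|<-)\s+(?P<dst>\S+)\s+"
    r"(?P<src_state>[A-Z_0-9]+):(?P<dst_state>[A-Z_0-9]+)\s*$"
)


def parse_states(text):
    """Return a list of dicts, one per state line; other lines (such as the
    ALTQ notices) are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(m.groupdict())
    return states


def half_open_tcp(states):
    """TCP states where one endpoint is still CLOSED: pf has not yet seen any
    packet from that side, so only one direction has been observed."""
    return [
        s for s in states
        if s["proto"] == "tcp" and "CLOSED" in (s["src_state"], s["dst_state"])
    ]


def summarize(states):
    """Count (proto, state pair) combinations for a quick overview."""
    return Counter((s["proto"], f'{s["src_state"]}:{s["dst_state"]}') for s in states)


def one_sided_ratio(states):
    """Fraction of TCP states that are one-sided; a persistently high value on
    a bridge suggests pf is not seeing return traffic."""
    tcp = [s for s in states if s["proto"] == "tcp"]
    return len(half_open_tcp(tcp)) / len(tcp) if tcp else 0.0


if __name__ == "__main__":
    parsed = parse_states(SAMPLE_OUTPUT)
    for proto_state, n in sorted(summarize(parsed).items()):
        print(f"{proto_state[0]:4} {proto_state[1]:24} {n}")
    for s in half_open_tcp(parsed):
        print(f"one-sided: {s['src']} {s['dir']} {s['dst']} "
              f"{s['src_state']}:{s['dst_state']}")
    print(f"one-sided TCP ratio: {one_sided_ratio(parsed):.2f}")
```

Feed it live output with `pfctl -ss | python3 parse_pf_states.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`; the ratio is only meaningful when sampled a few times, since a freshly created state is legitimately one-sided until the SYN/ACK is seen.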