[pf4freebsd] Re: Bridging?
Alan Bryan
alan at precisionautobody.com
Wed Sep 15 20:47:00 PDT 2004
Thanks for the quick response!
Here's a bit more info:
FreeBSD 5.1 Release.
Rebuilt Kernel with:
options BRIDGE
options PFIL_HOOKS
options RANDOM_IP_ID
options INET6
My /etc/sysctl.conf has:
net.link.ether.bridge_cfg=dc0, dc1
net.link.ether.bridge_ipf=1
net.link.ether.bridge=1
No IPs are assigned to either NIC
My /usr/local/etc/pf.conf:
block log
When I do all of that I get a working bridge but it doesn't block anything
except some port 137 broadcast packets (by watching pftcpdump results as
recommended). I can still ping through the bridge both directions and
connect via ssh through the bridge.
Given the above config shouldn't everything be blocked? Does anyone see
something I've done wrong or omitted?
Thanks,
Alan
On Tuesday 26 August 2003 09:30 pm, Max Laier wrote:
> bridge.c has PFIL_HOOKS implemented. All you should have to do is:
>
> # sysctl net.link.ether.bdg_ipf=1
>
> More documentation can be found in the sources:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net/bridge.c#rev1.48
> Note the part about "This will not work in (...) the bridge.ko module.",
> you need built in bridge to make it work.
>
> Best way to test, is to load a ruleset only containing:
> block log
> and then
> $ pftcpdump -n -e -ttt -i pflog0
> while generating traffic from both sides. This will give you an idea what
> filter rules you'll need.
>
> ----- Original Message -----
> From: "Alan Bryan" <alan at precisionautobody.com>
> To: <pf4freebsd at freelists.org>
> Sent: Wednesday, August 27, 2003 6:03 AM
> Subject: [pf4freebsd] Bridging?
>
> > I can't seem to find any information about pf and bridging on FreeBSD. I've
> > got my bridge set up and working but seem to be unable to get pf to block any
> > traffic through the bridge.
> >
> > Before I waste more time on this has anyone else successfully used pf on
> > a FreeBSD bridge?
> >
> > Thanks,
> > Alan
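The test Max describes (a ruleset of just "block log", then watching pflog0) produces one pflog line per blocked packet; the following is an added helper, not part of this thread, that summarises such output by rule, action, direction and interface so the blocked traffic can be turned into a ruleset. The sample lines are constructed to look like pflog output from tcpdump -n -e -ttt -i pflog0 and are not from the list.

```shell
#!/bin/sh
# Summarise pflog output by rule number, action, direction and interface.
# Added example; the lines in SAMPLE_PFLOG are constructed, not captured.
SAMPLE_PFLOG='000000 rule 0/0(match): block in on dc0: 192.0.2.10.1034 > 192.0.2.1.22: S 1:1(0) win 65535
000120 rule 0/0(match): block out on dc1: 192.0.2.10.1034 > 192.0.2.1.22: S 1:1(0) win 65535
000300 rule 0/0(match): block in on dc1: 192.0.2.1 > 192.0.2.10: icmp: echo request
000010 rule 0/0(match): block in on dc0: 192.0.2.10.137 > 192.0.2.255.137: udp 50'

# Reads pflog tcpdump lines on stdin and prints one line per
# (rule, action, direction, interface) combination, most frequent first:
#   <count> rule=<n> <action> <in|out> on <iface>
pflog_summary() {
    # Keep only the pflog header fields; drop lines without a "rule" header.
    sed -n 's/.*rule \([0-9]*\)\/[0-9]*(match): \([a-z]*\) \([a-z]*\) on \([a-z0-9]*\):.*/\1 \2 \3 \4/p' |
        sort | uniq -c | sort -rn |
        awk '{ printf "%d rule=%s %s %s on %s\n", $1, $2, $3, $4, $5 }'
}

# Stand-alone run over the constructed sample; pipe real output instead:
#   tcpdump -n -e -ttt -i pflog0 | pflog_summary
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
```

On a bridge with no addresses on either NIC, every forwarded packet shows up twice (in on one interface, out on the other), so the per-interface and per-direction split is what tells you which side's rules are missing.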