FBSD6 if_bridge
David Pierron
david at wombatsweb.com
Tue Dec 6 20:11:48 GMT 2005
David Pierron on 12/06/2005 12:54 PM wrote:
> Couple questions re: if_bridge ...
>
> Regardless of the order:
>
> block out log on $ext_if all
> block in log on $ext_if all
>
> I see blocks only coming "in" ...
>
> 042341 rule 4/0(match): block in on fxp0: xxx.xxx.xxx.xxx.32912 >
> my.c.class.xxx.53: 59540 A? www.foo.org. (37)
>
> It seems to me that the only direction available on the interfaces of
> the bridge is "in" ... Is this true?
>
> If this is the case, does this mean that ALTQ is unavailable using
> if_bridge since I've read that ALTQ can only be used on the "out" of
> an interface?

I answered my own question with a test as suggested by someone on IRC ...

I allowed all incoming traffic "in" on $ext_if and blocked all "out"
traffic on $int_if ...

This showed the "out" rule applied from the $int_if, so this answers my
question, it does work as expected ...

It seems now that if I add a "pass in" rule for $ext_if that I will also
need a "pass out" rule for $int_if ...

I can't decide if this is a good or bad thing ...
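
The rule pairing described in the message above, written out as a pf.conf fragment. This is an added example, not the poster's ruleset: the second member interface name (fxp1), the choice of DNS as the permitted service, and the assumption that filtering on bridge member interfaces is enabled (net.link.bridge.pfil_member=1) are all assumptions.

```conf
# Constructed example for a two-port if_bridge filtering bridge.
# Only fxp0 appears in the post; fxp1 is an assumed second member.
ext_if = "fxp0"
int_if = "fxp1"

# Default deny with logging on both members. Omitting the direction
# covers both "in" and "out" on each interface.
block log on $ext_if all
block log on $int_if all

# A packet crossing the bridge from outside to inside is evaluated twice:
#   1. "in"  on the member it arrives on  ($ext_if)
#   2. "out" on the member it leaves from ($int_if)
# so a permitted flow needs a rule for each evaluation.
pass in  on $ext_if inet proto udp from any to any port 53 keep state
pass out on $int_if inet proto udp from any to any port 53 keep state

# Replies travel the other way ("in" on $int_if, "out" on $ext_if) and are
# matched by the state entries the two rules above create, so no separate
# reply rules are listed here.
```

If only one of the two pass rules is present, the packet is dropped by the block rule on the other member, and the `log` keyword shows on which interface and in which direction that happened.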