PF with if_bridge

Andrew Thompson thompsa at freebsd.org
Sat Sep 10 06:59:05 PDT 2005


On Sat, Sep 10, 2005 at 06:27:12AM -0400, Sean Dean wrote:
> Hello,
> 
> Since I moved over from a OpenBSD bridge to a FreeBSD-6 one with the new 
> bridge code I have been having some problems getting my pf.conf to fully 
> work. I have tried all the combinations I could think of, but just can't get 
> it right. When I first switched over, I used the exact copy of the pf.conf 
> from the OpenBSD machine, just substituting the new device names. This 
> didn't work at all, and I have made changes to it, possibly inserting an 
> error on my part.
> 
> # Turning on scrub in this config stops the bridge from working, this was
> # not the case in OpenBSD. So we comment it out.
> #scrub in on bridge0 all no-df

Using 'no-df' causes tcp connections to fail for me too, scrubbing
without that option is fine.

> pass in on bridge0 proto tcp from any to 216.58.xxx.xxx port { 22, 25 } flags S/SA keep state

Using keep state or directional rules on a bridge interface is generally
a bad idea. The bridge has no notion of direction so a packet coming
from either side will always appear to pf as incoming on the bridge, so
reply packets on stateful connections may not be matched properly. I
don't know if OpenBSD treats this as a special case.

In most cases you should be packet filtering on the member interfaces,
especially where direction and flow is important. Try changing the above
rule to 'pass in on $ext_if ...' instead.

Filtering on the bridge is good where you want to block certain traffic
in any direction, such as all http.
 block in on bridge0 proto tcp from any to any port www



Andrew

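As an added example that is not part of this thread: the layout suggested in the reply above, written out as a complete pf.conf for a FreeBSD 6 if_bridge with two members. Stateful, directional rules sit on the members, the direction-agnostic http block sits on bridge0, and scrub is used without 'no-df'. The interface names em0/em1, the server address 192.0.2.10 (TEST-NET, standing in for the elided 216.58.xxx.xxx), the bridge name and the choice of 'set state-policy if-bound' are assumptions for illustration, not something the reply prescribes.

```pf
# Added example, not from the original thread. Assumed topology:
#   upstream router -- em0 [bridge0] em1 -- protected hosts
# Both of these if_bridge sysctls must be 1 for pf to see the packet on the
# member AND on bridge0:
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=1

ext_if = "em0"          # member facing the upstream router (assumed)
int_if = "em1"          # member facing the protected hosts (assumed)
server = "192.0.2.10"   # bridged host offering ssh and smtp (assumed)

# pf consults the state table before the rules on every pfil hook. With the
# default floating states, a state created by 'keep state' on a member would
# also match the same packet when it is inspected again on bridge0, and the
# bridge-level block below would never be evaluated for that connection.
# if-bound states match only on the interface that created them, so bridge0
# stays a purely stateless checkpoint and each member keeps its own state.
set state-policy if-bound

# Scrub on entry at the members; 'no-df' is left out because, as noted in
# the reply, it broke TCP through the bridge.
scrub in on $ext_if all
scrub in on $int_if all

# Direction-agnostic policy on the bridge interface: a frame from either
# side is inspected here, so one stateless rule covers both directions.
block in on bridge0 proto tcp from any to any port www

# External member: default deny inbound, admit only ssh/smtp to the server,
# and let internally originated traffic out with state so replies return.
block in on $ext_if all
pass in on $ext_if proto tcp from any to $server port { 22, 25 } flags S/SA keep state
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

# Internal member: the protected side may originate anything (state is
# created on entry, so replies coming back out through em1 match it);
# nothing leaves toward the protected side unless a state on em1 or the
# explicit server rule allows it.
block out on $int_if all
pass in on $int_if proto tcp all flags S/SA keep state
pass in on $int_if proto { udp, icmp } all keep state
pass out on $int_if proto tcp from any to $server port { 22, 25 } flags S/SA keep state
```

Check the ruleset with 'pfctl -nf /etc/pf.conf' before loading it with 'pfctl -f /etc/pf.conf'. The trade-off of if-bound is that every member needs its own 'keep state' rule for each direction it forwards (hence the 'pass out' rules on both em0 and em1); the benefit is that the bridge0 rules are evaluated for every packet rather than being short-circuited by a state created one hook earlier on the member.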

More information about the freebsd-pf mailing list