Filtering on a sensor dedicated interface

Daniel Hartmeier daniel at benzedrine.cx
Tue May 10 17:38:53 UTC 2011


On Tue, May 10, 2011 at 06:45:08PM +0200, Nicolas GRENECHE wrote:

> Regarding tcpdump, packets seem to go through the interface. Why
> doesn't pf see them?

The destination MAC addresses of the ethernet frames do not match the
firewall's.

By putting the interfaces into promiscuous mode, the frames are copied
to BPF readers (like tcpdump), but the host then ignores the frame.
Since the host is neither the recipient nor bridging, there is no reason
for pf to filter the packet, as the frame will be dropped anyway.

I guess you could add the interfaces to bridges or some such construct,
to get pf filtering involved. It depends on WHY you want pf to filter
something you don't want to forward, i.e. what would be the purpose of
the packet showing up on pflog.

Daniel
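The ingress decision Daniel describes, as an added illustration that is not part of the thread and not FreeBSD kernel code: a simplified model of a NIC's hardware filter, the BPF tap, and the point at which a frame either enters the IP stack (where pf runs) or is dropped. MAC addresses, the `Interface` class and the function names are constructed for the example. On a real FreeBSD host, whether pf sees traffic on bridge members is additionally governed by the if_bridge(4) sysctls `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge`; the model assumes member filtering is enabled.

```python
"""Model of Ethernet ingress on a sensor (tap/SPAN) interface.

A promiscuous interface hands every frame to BPF readers such as tcpdump,
but the host only passes a frame up to the IP stack, and therefore to pf,
when it is the recipient (its own MAC, broadcast or multicast) or when the
interface is a bridge member. Hypothetical simplification, not kernel code.
"""
from dataclasses import dataclass, field

BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Interface:
    mac: bytes                      # constructed station address
    promisc: bool = False           # what tcpdump -i <if> turns on
    bridge_member: bool = False     # ifconfig bridge0 addm <if>
    bpf_seen: list = field(default_factory=list)   # frames tcpdump would show
    pf_seen: list = field(default_factory=list)    # frames pf would evaluate


def build_frame(dst: bytes, src: bytes, ethertype: int = ETHERTYPE_IPV4,
                payload: bytes = b"\x45\x00") -> bytes:
    """Assemble a minimal Ethernet II frame from constructed fields."""
    return dst + src + ethertype.to_bytes(2, "big") + payload


def parse_ethernet(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return (frame[0:6], frame[6:12],
            int.from_bytes(frame[12:14], "big"), frame[14:])


def addressed_to_host(dst: bytes, ifp: Interface) -> bool:
    """Unicast to our MAC, broadcast, or multicast (I/G bit set)."""
    return dst == ifp.mac or dst == BROADCAST or bool(dst[0] & 0x01)


def ether_input(ifp: Interface, frame: bytes) -> str:
    """Return which consumers the frame reaches on this interface."""
    dst, _src, _ethertype, _payload = parse_ethernet(frame)
    # A non-promiscuous NIC never delivers foreign unicast to the driver.
    if not ifp.promisc and not addressed_to_host(dst, ifp):
        return "dropped-by-nic"
    # BPF taps every frame the driver receives: this is what tcpdump shows.
    ifp.bpf_seen.append(frame)
    if ifp.bridge_member:
        # Bridge input path forwards the frame and runs pfil hooks (pf).
        ifp.pf_seen.append(frame)
        return "bridged+pf"
    if addressed_to_host(dst, ifp):
        # Host is the recipient: frame enters the IP stack, pf evaluates it.
        ifp.pf_seen.append(frame)
        return "ip-stack+pf"
    # Promiscuous copy only: the host discards the frame, pf never runs,
    # so nothing ever shows up on pflog for it.
    return "bpf-only"


def demo() -> dict:
    """Run the four cases from the thread and report what each path sees."""
    host = bytes.fromhex("001122334455")    # constructed sensor MAC
    other = bytes.fromhex("00aabbccddee")   # constructed foreign unicast MAC
    sensor = Interface(mac=host, promisc=True)
    results = {
        "foreign-unicast": ether_input(sensor, build_frame(other, other)),
        "to-host": ether_input(sensor, build_frame(host, other)),
        "broadcast": ether_input(sensor, build_frame(BROADCAST, other)),
        "bpf-count": len(sensor.bpf_seen),
        "pf-count": len(sensor.pf_seen),
    }
    bridged = Interface(mac=host, promisc=True, bridge_member=True)
    results["foreign-unicast-bridged"] = ether_input(
        bridged, build_frame(other, other))
    quiet = Interface(mac=host)  # promiscuous mode off
    results["foreign-unicast-no-promisc"] = ether_input(
        quiet, build_frame(other, other))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} {outcome}")
```

The `bpf-count`/`pf-count` pair is the point of the thread in numbers: tcpdump on the promiscuous sensor interface sees all three frames, pf sees only the two the host is actually a recipient of, and only making the interface a bridge member changes that for the foreign unicast frame.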


More information about the freebsd-pf mailing list