Filtering bridge with pf.

Carsten Sonne Larsen cs at innolan.dk
Thu Apr 4 20:47:00 UTC 2013


Thanks for the replies.

I also run a 3 NIC setup. I do the filtering on interfaces to control
directions, e.g. what goes in and what goes out.

The sysctls are:
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=1

I'm not sure why I didn't add the two other lines. I think I followed chapter 38 of the FreeBSD Handbook. I did omit ALTQ_NOPCC while compiling the kernel though.

Rules are maybe not so well formed. Examples are:
...
block log on $ext_if all
block log on $int_if all
block log on $mgt_if all
pass in quick on $int_if inet proto tcp from $ext_ip2 to any keep state
pass out quick on $ext_if inet proto tcp from $ext_ip2 to any keep state
pass in quick on $int_if inet proto udp from $ext_ip2 to any keep state
pass out quick on $ext_if inet proto udp from $ext_ip2 to any keep state
...

antispoof is only specified for the management interface.

I run some other instances of pf, but not in bridge mode. All are deployed with 8.3 and they work perfectly fine. tcpdump on those shows up like:
rule 25/0(match): block out on em1 ...

-cs

On 04/04/2013 19:48, wishmaster wrote:
>
>   --- Original message ---
> From: "Carsten Sonne Larsen" <cs at innolan.dk>
> Date: 4 April 2013, 17:49:07
>
>   
>> Hello guy,
>>
>> I am using pf to implement a filtering bridge but I'm experiencing some
>> strange behaviour from pf. While using tcpdump I get entries like this:
>>
>> 16:25:45.998253 rule 2..16777216/0(match): block in on rl0:
>> 192.168.0.1.32768 > 239.255.255.250.1900: UDP, length 339
>>
>> I am using the keyword *quick* and would expect a certain rule match
>> instead of rule 2..16777216
>>
>     Hi.
>
>   What are your sysctls?
>
>   Below from my production server with 3 NICs in bridge. I use filtering only on the bridge0 interface.
>
> net.link.bridge.pfil_local_phys: 0
> net.link.bridge.pfil_member: 0
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
>
>   and set skip quick on [[members]] in pf.conf.
>
>    
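The bridge layout wishmaster describes (filter once on bridge0 and skip the members) and the tcpdump line Carsten asks about, written out as an added example; this is not code from either poster or from the FreeBSD Handbook. Interface names em0/em1/em2, the bridge name bridge0 and the 10.0.0.0/24 LAN are assumptions for illustration. The parser follows the field layout tcpdump uses when printing pflog records, `rule RULENR[.RULESET.SUBRULENR]/REASONNR(REASON): ACTION DIR on IF:`. The first number is the rule's position in the main ruleset, the same index `pfctl -vvsr` prints as `@N`, so it is what to look up to find the rule that matched; the dotted middle part is only printed when a sub-rule number other than -1 is present. The thread does not settle why such a number shows up in Carsten's line, so the helper only exposes it.

```shell
#!/bin/sh
# Added example (not from the thread): a filtering bridge that filters once,
# on bridge0, plus a helper that splits a tcpdump pflog line into fields.
# em0/em1/em2, bridge0 and 10.0.0.0/24 are assumed names for illustration.

# 1. Kernel knobs for "filter on bridge0 only" (the layout in the quoted reply).
#    pfil_bridge=1 runs frames through pf on bridge0; pfil_member=0 stops pf
#    from seeing the same frame again on em0/em1/em2; pfil_onlyip=1 lets
#    non-IP frames (ARP etc.) bypass pf; pfil_local_phys=0 means locally
#    destined packets are not filtered a second time on the physical member.
#    Put these lines in /etc/sysctl.conf (or feed them to sysctl(8)).
bridge_sysctls() {
    cat <<'EOF'
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0
net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_local_phys=0
EOF
}

# 2. pf.conf for that layout: members are skipped, every rule names bridge0,
#    and the default-deny rule logs so pflog0 shows what was dropped.
bridge_pf_conf() {
    cat <<'EOF'
bridge_if = "bridge0"
members   = "{ em0 em1 em2 }"
lan       = "10.0.0.0/24"    # assumed LAN behind the bridge

set skip on $members         # only bridge0 is filtered, so no double pass

block log on $bridge_if all
pass quick on $bridge_if inet proto { tcp udp } from $lan to any keep state
pass quick on $bridge_if inet proto icmp from $lan to any keep state
EOF
}

# 3. Split one line of "tcpdump -n -e -ttt -i pflog0" output into fields.
#    Layout: rule RULENR[.RULESET.SUBRULENR]/REASONNR(REASON): ACTION DIR on IF:
#    RULENR is the main-ruleset index that "pfctl -vvsr" prints as @N.
#    ruleset/subrulenr come out empty when tcpdump printed no dotted part.
pflog_fields() {
    printf '%s\n' "$1" | sed -n -E \
      's/^.*rule ([0-9]+)(\.([^.]*)\.([0-9]+))?\/([0-9]+)\(([^)]*)\): ([a-z]+) (in|out) on ([^:]+):.*$/rulenr=\1 ruleset=\3 subrulenr=\4 reason=\6 action=\7 dir=\8 if=\9/p'
}
```

To map a logged line back to its rule, run `pfctl -vvsr` and look for the `@N` that equals the `rulenr` field; with `set skip on` the members, every `@N` refers to a bridge0 rule, which is what makes the single-pass layout easy to audit.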


