Re: The best of both worlds “using mac filtering in pf”

Ultima ultima1252 at
Fri Jul 10 20:30:46 UTC 2020

Please go in detail about this issue on why you would need to filter layer

I see very little benefit to having the ability to filter on layer 2 except
in some very special cases and IPv6 isn't one of them that I'm aware of.

Best regards,
Richard Gallamore

On Fri, Jul 10, 2020 at 10:57 AM <l.m.v.breda at> wrote:

> Hello,
> I am using pfSense, build on top of pf. And of course pfSense/pf is a
> terrific firewall, however the world is changing in the direction of IPV6
> and that leads to new issues and related new requirements.
> One of the major issues is that IPV6 does not provide a stable source
> address you can use to filter in your firewall.
> Many firewalls “out there” are *using the level-2 mac as a way around this
> issue*. � However ….. pfSense cannot provide that functionality, since it
> is built on top of …… pf.
> Tja, and then there is a “striking” issue ….. suppose that pfSense would
> have been built on top of OpenBSD, still using pf ………. That had been
> possible …….
> So as user I would be very pleased if there could be a joined “pf-release”
> having *best of both worlds* !!!!
> Assume we were running OpenBSD …… things like � �
> step-1: ifconfig bridge0 rule pass in on fxp0 src <mac-address> tag
> <sometag>
> step-2: And then in pf.conf: pass in on fxp0 tagged <sometag> (policy
> based rule)
> would have been an option, …. not saying it is the best option …..
> �better option would be if pf could set the tag itself
> Whatever please consider adding this functionality to pf preferable on
> short term, since IPV6 is fast becoming very important!
> Sincerely,
> Louis
> PS … should I raise an feature request for this?
> _______________________________________________
> freebsd-pf at mailing list
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at"

More information about the freebsd-pf mailing list