pf nuttyness

krad kraduk at googlemail.com
Wed Nov 25 09:48:50 UTC 2009


2009/11/24 Brian McCann <bjmccann at gmail.com>

> I'm at the end of my rope here with PF.  I have a ruleset loaded, that
> is long and complicated...but I've shortened it to a "pass all" rule.
> The box has 4 interfaces, one for pfsync, one for me to connect to it,
> and two bridged interfaces.  The only traffic on the bridged
> interfaces is STP and IP multicast traffic from my EIGRP routers.
> When I run "pfctl -s rules -v", the EIGRP multicast traffic never hits
> any rules...yet it's allowed.
>
> I'm on FreeBSD 7.1.
>
> Has anyone else come across this before?  I'm ready to throw out
> FreeBSD 7.1 and try OpenBSD for pf use...which would be a shame since
> I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
> would just be... weird...
>
> --Brian
>
> --
> _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
> Brian McCann
>
> "I don't have to take this abuse from you -- I've got hundreds of
> people waiting to abuse me."
>                -- Bill Murray, "Ghostbusters"

pf works at layer 3 (IP); bridging works at layer 2 (Ethernet/datalink),
therefore the traffic probably never gets to the upper layer of the IP stack
where pf works.

You can do l2 filtering with ipfw if you enable the sysctl variable
net.link.bridge.ipfw=1. However I'm not sure if you can do it with pf on
FreeBSD. I had a quick scout through the man pages and can't see anything.
However I'm fairly sure you can do l2 stuff with pf in OpenBSD.

As your traffic is multicast you could always configure your BSD box as a
multicast router rather than bridging the traffic. pf should see the traffic
then as you're working at l3 and above.
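As an added example (not from either poster), the script below reads `sysctl net.link.bridge` output and reports which filter hooks a frame crossing an if_bridge(4) will pass through, using the knob semantics documented in if_bridge(4): pfil_member and pfil_bridge control whether pf/ipfw run on the member and bridge interfaces, pfil_onlyip lets non-IP frames such as STP bypass pfil, and ipfw enables the ipfw layer-2 path mentioned above. The two sysctl dumps are constructed samples; on a live box, feed it `"$(sysctl net.link.bridge)"` instead.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `sysctl net.link.bridge`
# output, one "name: value" per line, and reports which filter hooks a
# frame crossing an if_bridge(4) will pass through, per if_bridge(4):
#   pfil_member=1 -> pf/ipfw run on the member interfaces
#   pfil_bridge=1 -> pf/ipfw run on the bridge interface itself
#   pfil_onlyip=1 -> non-IP frames (STP, ARP) bypass pfil entirely
#   ipfw=1        -> ipfw layer-2 hooks; setting it clears pfil_member/pfil_bridge

sysctl_value() {
    # $1: sysctl dump, $2: variable name; prints the value or "?" if absent
    printf '%s\n' "$1" |
        awk -F': ' -v k="$2" '$1 == k { print $2; f = 1 } END { if (!f) print "?" }'
}

bridge_filter_status() {
    # $1: text of `sysctl net.link.bridge`; prints one verdict line
    m=$(sysctl_value "$1" net.link.bridge.pfil_member)
    b=$(sysctl_value "$1" net.link.bridge.pfil_bridge)
    o=$(sysctl_value "$1" net.link.bridge.pfil_onlyip)
    i=$(sysctl_value "$1" net.link.bridge.ipfw)
    hooks=""
    [ "$m" = 1 ] && hooks="member"
    [ "$b" = 1 ] && hooks="${hooks:+$hooks,}bridge"
    nonip="bypass"
    [ "$o" = 0 ] && nonip="filtered"
    printf 'pfil=%s ipfw_l2=%s nonip=%s\n' "${hooks:-none}" "$i" "$nonip"
}

# Constructed dumps: a default FreeBSD bridge, and one with ipfw L2 enabled
SAMPLE_DEFAULT='net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1'
SAMPLE_IPFW='net.link.bridge.ipfw: 1
net.link.bridge.ipfw_arp: 1
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 1'

bridge_filter_status "$SAMPLE_DEFAULT"   # pfil=member,bridge ipfw_l2=0 nonip=bypass
bridge_filter_status "$SAMPLE_IPFW"      # pfil=none ipfw_l2=1 nonip=bypass
```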

