pf nuttyness

Vincent Hoffman vince at unsane.co.uk
Wed Nov 25 14:00:58 UTC 2009


krad wrote:
> 2009/11/24 Brian McCann <bjmccann at gmail.com>
>
>> I'm at the end of my rope here with PF.  I have a ruleset loaded, that
>> is long and complicated...but I've shortened it to a "pass all" rule.
>> The box has 4 interfaces, one for pfsync, one for me to connect to it,
>> and two bridged interfaces.  The only traffic on the bridged
>> interfaces is STP and IP multicast traffic from my EIGRP routers.
>> When I run "pfctl -s rules -v", the EIGRP multicast traffic never hits
>> any rules...yet it's allowed.
>>
>> I'm on FreeBSD 7.1.
>>
>> Has anyone else come across this before?  I'm ready to throw out
>> FreeBSD 7.1 and try OpenBSD for pf use...which would be a shame since
>> I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
>> would just be... weird...
>>
>> --Brian

Have you read the if_bridge(4) manpage? I'd recommend starting at the
heading "PACKET FILTERING" and checking you have the correct sysctl
settings.
pf certainly can filter bridge interfaces according to the manpage. That
said I've never tried it.


Vince
>> --
>> _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
>> Brian McCann
>>
>> "I don't have to take this abuse from you -- I've got hundreds of
>> people waiting to abuse me."
>>                -- Bill Murray, "Ghostbusters"
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "
>> freebsd-questions-unsubscribe at freebsd.org"
>>
>
> pf works at layer 3 (ip), bridging works at layer 2 (ethernet/datalink),
> therefore the traffic probably never gets to the upper layer of the ip stack
> where pf works.
>
> You can do l2 filtering with ipfw if you enable the sysctl variable
> net.link.bridge.ipfw=1. However I'm not sure if you can do it with pf on
> freebsd. I had a quick scout through the man pages and can't see anything.
> However I'm fairly sure you can do l2 stuff with pf in openbsd.
>
> As your traffic is multicast you could always configure your bsd box as a
> multicast router rather than bridging the traffic. pf should see the traffic
> then as you're working at l3 and above



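A defender-side check for the if_bridge(4) sysctls Vince points at, added here as an example and not part of the thread: it reads `sysctl net.link.bridge` output and reports whether pf is hooked into bridged traffic at all. The sysctl names are the real ones from the manpage; the sample output and the `bridge_pf_check` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read `sysctl net.link.bridge` output
# and decide whether pf(4) is hooked into if_bridge(4) traffic at all, per
# the PACKET FILTERING section of if_bridge(4). The sysctl names are real;
# the sample values are constructed to mimic a box whose bridged traffic
# never matches a pf rule (pfil_member and pfil_bridge normally default to 1).
SAMPLE_SYSCTL='net.link.bridge.ipfw: 0
net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw_arp: 0'

# bridge_sysctl NAME: print the value of net.link.bridge.NAME from the sysctl
# output on stdin, or nothing if the key is absent.
bridge_sysctl() {
    awk -v key="net.link.bridge.$1:" '$1 == key { print $2; exit }'
}

# bridge_pf_check: read sysctl output on stdin, print one finding per line,
# return 0 if pf will see bridged packets and 1 if it will not.
bridge_pf_check() {
    input=$(cat)
    ipfw=$(printf '%s\n' "$input" | bridge_sysctl ipfw)
    onlyip=$(printf '%s\n' "$input" | bridge_sysctl pfil_onlyip)
    member=$(printf '%s\n' "$input" | bridge_sysctl pfil_member)
    bridge=$(printf '%s\n' "$input" | bridge_sysctl pfil_bridge)
    status=0
    if [ "$member" != "1" ] && [ "$bridge" != "1" ]; then
        # Neither hook is on: frames are bridged without entering pfil(9) at all.
        echo "FAIL: pfil_member=${member:-?} pfil_bridge=${bridge:-?}: pf never sees bridged packets"
        status=1
    fi
    if [ "$ipfw" = "1" ]; then
        # Layer-2 ipfw hook; enabling it disables pfil_member and pfil_bridge.
        echo "WARN: ipfw=1: layer-2 filtering is handed to ipfw, not pf"
    fi
    if [ "$onlyip" = "1" ]; then
        # Non-IP frames (STP, for example) are passed without being filtered.
        echo "INFO: pfil_onlyip=1: non-IP frames such as STP bypass the filter"
    fi
    return "$status"
}

# Check the constructed sample; on the firewall itself run:
#   sysctl net.link.bridge | bridge_pf_check
if printf '%s\n' "$SAMPLE_SYSCTL" | bridge_pf_check; then
    echo "OK: pf hooks are active on the bridge"
fi
```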