pf nuttyness

krad kraduk at googlemail.com
Thu Nov 26 08:54:34 UTC 2009


2009/11/25 Vincent Hoffman <vince at unsane.co.uk>

> krad wrote:
> > 2009/11/24 Brian McCann <bjmccann at gmail.com>
> >
> >
> >> I'm at the end of my rope here with PF.  I have a ruleset loaded, that
> >> is long and complicated...but I've shortened it to a "pass all" rule.
> >> The box has 4 interfaces, one for pfsync, one for me to connect to it,
> >> and two bridged interfaces.  The only traffic on the bridged
> >> interfaces is STP and IP multicast traffic from my EIGRP routers.
> >> When I run "pfctl -s rules -v", the EIGRP multicast traffic never hits
> >> any rules...yet it's allowed.
> >>
> >> I'm on FreeBSD 7.1.
> >>
> >> Has anyone else come across this before?  I'm ready to throw out
> >> FreeBSD 7.1 and try OpenBSD for pf use...which would be a shame since
> >> I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
> >> would just be... weird...
> >>
> >> --Brian
> >>
>
> Have you read the if_bridge(4) manpage? I'd recommend starting at the
> heading "PACKET FILTERING" and checking you have the correct sysctl
> settings.
> pf certainly can filter bridge interfaces according to the manpage. That
> said I've never tried it.
>
>
> Vince
> >> --
> >> _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
> >> Brian McCann
> >>
> >> "I don't have to take this abuse from you -- I've got hundreds of
> >> people waiting to abuse me."
> >>                -- Bill Murray, "Ghostbusters"
> >> _______________________________________________
> >> freebsd-questions at freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >> To unsubscribe, send any mail to "
> >> freebsd-questions-unsubscribe at freebsd.org"
> >>
> >>
> >
> > pf works at layer 3 (IP); bridging works at layer 2 (ethernet/datalink),
> > therefore the traffic probably never gets to the upper layer of the IP
> > stack where pf works.
> >
> > You can do l2 filtering with ipfw if you enable the sysctl variable
> > net.link.bridge.ipfw=1. However I'm not sure if you can do it with pf on
> > FreeBSD. I had a quick scout through the man pages and can't see anything.
> > However I'm fairly sure you can do l2 stuff with pf in OpenBSD.
> >
> > As your traffic is multicast you could always configure your BSD box as a
> > multicast router rather than bridging the traffic. pf should see the
> > traffic then as you're working at l3 and above.
> >
>
>
I think this is the one you want:

echo net.link.bridge.pfil_bridge=1 >> /etc/sysctl.conf
/etc/rc.d/sysctl restart

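As an added example (not code from the thread, nor from FreeBSD), here is a small sh script that reads the if_bridge(4) knobs the replies above point at and says whether pf will actually see frames crossing the bridge, and on which interface. It assumes the "key: value" line format printed by `sysctl net.link.bridge` and the semantics documented in if_bridge(4) for net.link.bridge.pfil_bridge, pfil_member, pfil_onlyip and ipfw; the two sample outputs at the bottom are constructed, not captured from Brian's box.

```shell
#!/bin/sh
# Added example: decide from the if_bridge(4) sysctls whether pf sees bridged
# traffic. On a real FreeBSD host:  sysctl net.link.bridge | bridge_filter_verdict

# Parse "net.link.bridge.<knob>: <value>" lines on stdin, print a two-line verdict:
# one for IP traffic (what pf can filter) and one for non-IP frames such as STP,
# which pf never sees and which pfil_onlyip decides on instead.
bridge_filter_verdict() {
    pfil_bridge=0 pfil_member=0 pfil_onlyip=0 ipfw=0
    while IFS= read -r line; do
        key=${line%%:*}                # e.g. net.link.bridge.pfil_bridge
        val=${line#*:}; val=${val# }   # drop the ": " separator
        case "$key" in
            net.link.bridge.pfil_bridge) pfil_bridge=$val ;;
            net.link.bridge.pfil_member) pfil_member=$val ;;
            net.link.bridge.pfil_onlyip) pfil_onlyip=$val ;;
            net.link.bridge.ipfw)        ipfw=$val ;;
        esac
    done

    # if_bridge(4): setting ipfw=1 clears pfil_bridge/pfil_member (they can be
    # re-enabled), so report it but still evaluate the pfil knobs as they are.
    if [ "$ipfw" = 1 ]; then
        echo "note: net.link.bridge.ipfw=1, ipfw layer2 filtering is on"
    fi

    if [ "$pfil_bridge" = 0 ] && [ "$pfil_member" = 0 ]; then
        echo "IP: BYPASS, pfil_bridge=0 and pfil_member=0, bridged traffic never reaches pf"
        echo "non-IP: forwarded, bridge filtering is off"
        return 0
    fi

    if [ "$pfil_bridge" = 1 ] && [ "$pfil_member" = 1 ]; then
        echo "IP: FILTERED twice, on the member interfaces and again on the bridge interface"
    elif [ "$pfil_member" = 1 ]; then
        echo "IP: FILTERED once, on the member interfaces (write pf rules on the member NICs)"
    else
        echo "IP: FILTERED once, on the bridge interface (write pf rules on bridgeN)"
    fi

    # Non-IP ethertypes are never handed to pfil(9); with filtering on,
    # pfil_onlyip=1 drops them at the bridge and pfil_onlyip=0 passes them.
    if [ "$pfil_onlyip" = 1 ]; then
        echo "non-IP (e.g. STP): DROPPED by the bridge itself, pf never sees it"
    else
        echo "non-IP (e.g. STP): forwarded unfiltered, pf never sees it"
    fi
}

# Constructed sample: bridge filtering switched off entirely.
sample_filtering_off() {
    printf '%s\n' \
        'net.link.bridge.pfil_bridge: 0' \
        'net.link.bridge.pfil_member: 0' \
        'net.link.bridge.pfil_onlyip: 1' \
        'net.link.bridge.ipfw: 0'
}

# Constructed sample: after applying the pfil_bridge=1 setting from the thread.
sample_after_fix() {
    printf '%s\n' \
        'net.link.bridge.pfil_bridge: 1' \
        'net.link.bridge.pfil_member: 0' \
        'net.link.bridge.pfil_onlyip: 1' \
        'net.link.bridge.ipfw: 0'
}

sample_filtering_off | bridge_filter_verdict
echo "---"
sample_after_fix | bridge_filter_verdict
```

Two practical points follow from the output. EIGRP is IP (protocol 88 to 224.0.0.10), so once either pfil knob is on it goes through pf and the rule counters from `pfctl -s rules -v` will start moving; the rules must then name the interface on which the hook fires (bridge0 for pfil_bridge, the member NICs for pfil_member). The STP frames are not IP, so no pf rule will ever match them; whether they survive the bridge is decided by pfil_onlyip alone.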
