[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pf and statesfull filtering on a bridge

To: tech@openbsd.org
Subject: pf and statesfull filtering on a bridge
From: "Albert Rybalkin" <albertr@forbes.net>
Date: Wed, 03 Oct 2001 19:25:25 GMT
Cc: albertr@forbes.net

Hi! 

Can somebody involved with pf project shed some light
on filtering on an ethernet bridge?

I have a simple bridge between two interfaces - qe0 (external)
and qe1 (internal). My pf.conf looks pretty much like a
sample from pf.conf(8):

...
# from inside
pass in on qe1 proto udp from any to any  keep state
pass in on qe1 proto tcp from any to any flags S/SA keep state

# from outside
pass in on qe0 proto tcp from any to any port = 25 flags S/SA keep state
pass in on qe0 proto tcp from any to any port = 80 flags S/SA keep state
...

`pfctl -s all` shows that states get established, but no
packets are passed based on current states. It seems like
pf doesn't assume that qe0 and qe1 are parts of the same
bridge and treats them as separate interfaces? Is it the case
or am I missing something? What could be the *proper* way
to use statesfull filtering with pf on a bridge?

TIA,
-albertr

Follow-Ups:
- Re: pf and statesfull filtering on a bridge
  - From: "Brian Hunt" <bhunt@visionmd.com>
- Re: pf and statesfull filtering on a bridge
  - From: Daniel Hartmeier <daniel@benzedrine.cx>

Prev by Date: Re: isakmpd+IPv6
Next by Date: microtime latency
Prev by thread: Re: How current is my source tree?
Next by thread: Re: pf and statesfull filtering on a bridge
Index(es):
- Date
- Thread