Re: pf and stateful filtering on a bridge
Just a heads up:
'keep state' will overrule 'flags S/SA'; you don't need/want both. Just use
'keep state'
i.e. (and replace 'from any to any' with 'all')
pass in on qe1 proto tcp from any to any flags S/SA keep state
becomes
pass in on qe1 proto tcp all keep state
(when specifying ports you have to use 'from any to any port=x' or 'from any
port=x to any' or what have you)
Brian
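The quoted ruleset rewritten in the form Brian describes, as an added illustration and not part of the original thread; qe0/qe1 are the interface names from Albert's message, and the last comment keeps one rule in the original 'flags S/SA' form for comparison.

```pf
# Added example: Albert's bridge rules in the form Brian suggests.
# qe0 is the external and qe1 the internal member of the bridge (names
# from the original post); each member interface still gets its own rules.

# from inside: 'from any to any' collapses to 'all'
pass in on qe1 proto udp all keep state
pass in on qe1 proto tcp all keep state

# from outside: a port restriction still needs the long form,
# 'from any to any port = x', as Brian notes
pass in on qe0 proto tcp from any to any port = 25 keep state
pass in on qe0 proto tcp from any to any port = 80 keep state

# For comparison, the original form. 'flags S/SA' only matches packets
# with SYN set and ACK clear, so state is created from the initial SYN
# only; plain 'keep state' also creates state from mid-connection packets.
# pass in on qe0 proto tcp from any to any port = 80 flags S/SA keep state
```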
----- Original Message -----
From: "Albert Rybalkin" <albertr@forbes.net>
To: <tech@openbsd.org>
Cc: <albertr@forbes.net>
Sent: Wednesday, October 03, 2001 4:25 PM
Subject: pf and stateful filtering on a bridge
> Hi!
>
> Can somebody involved with pf project shed some light
> on filtering on an ethernet bridge?
>
> I have a simple bridge between two interfaces - qe0 (external)
> and qe1 (internal). My pf.conf looks pretty much like a
> sample from pf.conf(8):
>
> ...
> # from inside
> pass in on qe1 proto udp from any to any keep state
> pass in on qe1 proto tcp from any to any flags S/SA keep state
>
> # from outside
> pass in on qe0 proto tcp from any to any port = 25 flags S/SA keep state
> pass in on qe0 proto tcp from any to any port = 80 flags S/SA keep state
> ...
>
> `pfctl -s all` shows that states get established, but no
> packets are passed based on current states. It seems like
> pf doesn't assume that qe0 and qe1 are parts of the same
> bridge and treats them as separate interfaces? Is it the case
> or am I missing something? What could be the *proper* way
> to use stateful filtering with pf on a bridge?
>
> TIA,
> -albertr