Re: pf / bridge question

[Philipp Buehler <OpenBSD_(_at_)_fips_(_dot_)_de>]

On 07/07/2002, Christoph Schneeberger <cschnee_(_at_)_box_(_dot_)_telemedia_(_dot_)_ch> wrote To misc_(_at_)_openbsd_(_dot_)_org:
> I have a 4-legged firewall on OpenBSD 3.1, the two interfaces of the
> DMZ/SSN (xl1 & wi0) are bridged and have both ips on the same subnet
> (10.1.10.1 & 10.1.10.2). tl0 is the external interface and xl0 the
> internal. Like:

> I have a host (10.1.10.3) connected to the tl0 interface (SSN wired
> above). If I try to connect to it, i.e. by ssh, the packet reaches this

This is an inconsistent description, you said that tl0 is external
and xl1 is SSN wired. !?

> -Why does the firewall resp. pf send out the packets on wi0 even it
> knows that the machine is on xl1 ?

It's not pf, it's the bridge. Reread bridge(4) (NOTES).

> -How can I avoid it, I would like to have different policies for the
> both SSN/DMZ interfaces xl1 and wi0 ?

You have to keep in mind what bridge(4) is telling you. Yes, it's
somewhat mindboggling. Stick to one bridge interface IF possible,
if not take care about in/out and ip address turnaround.

> Configuration below.
> Sorry if this covered elsewhere, I probably search with the wrong
> keywords on the archives.

Maybe just reading the given documentation first?

ciao
-- 
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p> 

#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?