Re: pf / bridge question
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: pf / bridge question
- From: Philipp Buehler <OpenBSD_(_at_)_fips_(_dot_)_de>
- Date: Sun, 7 Jul 2002 17:58:52 +0200
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
- Reply-to: Philipp Buehler <OpenBSD_(_at_)_fips_(_dot_)_de>
On 07/07/2002, Christoph Schneeberger <cschnee_(_at_)_box_(_dot_)_telemedia_(_dot_)_ch> wrote to misc_(_at_)_openbsd_(_dot_)_org:
> I have a 4-legged firewall on OpenBSD 3.1, the two interfaces of the
> DMZ/SSN (xl1 & wi0) are bridged and have both ips on the same subnet
> (10.1.10.1 & 10.1.10.2). tl0 is the external interface and xl0 the
> internal. Like:
> I have a host (10.1.10.3) connected to the tl0 interface (SSN wired
> above). If I try to connect to it, i.e. by ssh, the packet reaches this
This is an inconsistent description: you said that tl0 is external
and xl1 is SSN wired. !?
> - Why does the firewall resp. pf send out the packets on wi0 even though it
> knows that the machine is on xl1?
It's not pf, it's the bridge. Reread bridge(4) (NOTES).
> - How can I avoid it? I would like to have different policies for both
> SSN/DMZ interfaces xl1 and wi0.
You have to keep in mind what bridge(4) is telling you. Yes, it's
somewhat mind-boggling. Stick to one bridge interface IF possible;
if not, take care about in/out and IP address turnaround.
> Configuration below.
> Sorry if this is covered elsewhere; I probably searched with the wrong
> keywords in the archives.
Maybe just reading the given documentation first?
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p>
#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?
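Added example (not part of the thread, and not Christoph's posted configuration or anything Philipp supplied): one way to give the two bridged SSN members different pf policies, written in OpenBSD 3.1 pf.conf syntax, where the last matching rule wins unless a rule says quick. It uses the interface names and addresses from the question (tl0 external, xl0 internal, xl1 and wi0 bridged, 10.1.10.3 the host on the wired leg); the internal network 192.168.1.0/24 is a placeholder. It assumes the bridge has been set up so that IP traffic crossing it is handed to pf on the member interfaces, inbound on the member a packet arrives on and outbound on the member it leaves on, which is the in/out point the reply refers to; check the bridge(4) page of the release you run for how to enable that, and keep the IP-address advice above in mind, since the example does not address which member carries the firewall's own address.

```conf
# /etc/pf.conf (constructed example, OpenBSD 3.1 syntax: last match wins
# unless "quick"). Interface names and 10.1.10.3 are from the question;
# 192.168.1.0/24 is a placeholder for the internal network.
ext_if    = "tl0"            # external
int_if    = "xl0"            # internal
ssn_wired = "xl1"            # bridged SSN member, wired
ssn_wifi  = "wi0"            # bridged SSN member, wireless
ssn_host  = "10.1.10.3"      # host sitting on the wired SSN segment
ssn_net   = "10.1.10.0/24"   # the SSN/DMZ subnet both members share
int_net   = "192.168.1.0/24" # placeholder internal network

# Default deny on both bridged members, in both directions. A packet that
# crosses the bridge is assumed to be filtered twice: "in" on the member it
# enters and "out" on the member it leaves, so each member needs both halves.
block in  on $ssn_wired all
block out on $ssn_wired all
block in  on $ssn_wifi  all
block out on $ssn_wifi  all

# Wired leg only: ssh from the internal network, routed by the firewall,
# may leave towards the host here. Replies come back in on xl1 and are
# matched by the state entry, so no separate "pass in" is needed for them.
pass out quick on $ssn_wired proto tcp from $int_net to $ssn_host port 22 \
    flags S/SA keep state

# Wireless leg gets a different policy: wireless clients may reach only the
# host's web port. The same connection is seen "in" on wi0 and "out" on xl1
# as it crosses the bridge, so both members need a matching pass rule;
# nothing at all is passed out on wi0, which is what keeps ssh off the air.
pass in  quick on $ssn_wifi  proto tcp from $ssn_net to $ssn_host port 80 \
    flags S/SA keep state
pass out quick on $ssn_wired proto tcp from $ssn_net to $ssn_host port 80 \
    flags S/SA keep state
```

Load it with pfctl -R /etc/pf.conf on 3.1 and inspect with pfctl -s rules; if a connection is unexpectedly dropped, look at which member the second pass of filtering sees it on, since that is the interface whose "out" rules apply.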