Questions on bridge and pf
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Questions on bridge and pf
- From: Heinrich Rebehn <rebehn_(_at_)_ant_(_dot_)_uni-bremen_(_dot_)_de>
- Date: Wed, 30 Jun 2004 15:39:36 +0200
I am running a router/firewall based on OpenBSD and pf(4) for some years
now and it works great - never had any problems.
I want to add MAC filtering now on one interface and I have learned so
far that I have to tag packets based on MAC address using bridge(4), as
pf does not support MAC filtering directly.
I have done some experiments with bridge tagging some packets and pf
filtering on the tags - seems to work.
However, I do not quite understand how and in which order packets are
handled. Obviously a packet enters the system through a bridge interface
and is then passed on to pf - otherwise tagging would not work. But how
does the packet leave the system? Is it passed back to the bridge, or
does it leave pf directly?
Or, to put it this way: Would
Bridge: pass in on xl0; pass out on xl1
pf: pass in on xl0; pass out on xl1
be necessary, or would:
Bridge: pass in on xl0
pf: pass out on xl1
be enough to let a packet traverse from xl0 to xl1?
I hope you understand my question. I just want to know how bridge and pf
are connected together: is bridge bracketed by pf or the other way round?
FAQ, HowTos, and googling did not help me so far; is there some in-depth
documentation available? I simply want to understand what's happening.
Thank you very much for any help,
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax : -3341
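As an added illustration of the arrangement the poster describes (a bridge(4) rule tagging frames by source MAC, and pf matching on that tag), the following is a minimal configuration fragment. It is not the poster's own configuration: the interface names xl0 and xl1 are taken from the question, the MAC address, the tag name TRUSTED and the brconfig/pf.conf lines are constructed for this example, and the rule syntax follows brconfig(8) and pf.conf(5) of the OpenBSD 3.5 era.

```conf
# /etc/bridgename.bridge0  (constructed example; syntax per brconfig(8))
# Put both interfaces in the bridge and tag frames from one known
# station on xl0 so that pf can recognise them.
add xl0
add xl1
# 00:11:22:33:44:55 is a placeholder MAC, not a real host.
rule pass in on xl0 src 00:11:22:33:44:55 tag TRUSTED
# Frames that carry no tag still reach pf; the pf rules below decide.
up

# /etc/pf.conf  (constructed example; syntax per pf.conf(5))
# Default deny on the filtered interface, then admit only frames that
# bridge(4) tagged as coming from the known MAC. "tagged" matches the
# tag set by the bridge rule above; "quick" stops rule evaluation there.
block in on xl0
pass in quick on xl0 tagged TRUSTED
pass out on xl1
```

After loading with `pfctl -f /etc/pf.conf` (and bringing the bridge up with `sh /etc/netstart bridge0`), `pfctl -vsr` shows the per-rule counters, which is the easiest way to confirm that frames from the listed MAC are hitting the `tagged TRUSTED` rule and that untagged frames fall into the block rule.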