Re: pf for netgraph jails?

Reply: Palle Girgensohn : "Re: pf for netgraph jails?"
In reply to: Palle Girgensohn : "pf for netgraph jails?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Patrick M. Hausen <hausen_at_punkt.de>
Date: Wed, 16 Oct 2024 16:17:22 UTC

Hi!

> Am 16.10.2024 um 16:19 schrieb Palle Girgensohn <girgen@FreeBSD.org>:
> [...]
> but nothing happens, everything is passed directly into the jail:
> 
> nc -l 4444   (inside the jail)
> 
> and I can just telnet 1.2.3.4 4444

Try:

sysctl net.link.bridge.pfil_member=0
sysctl net.link.bridge.pfil_bridge=1

Although I do not know if this ablies to netgraph or to if_bridge(4) only.

But obviously your rules are not applied to the bridge interface. The default
of the tunables above is the other way round - don't filter on bridge interfaces.

HTH,
Patrick
-- 
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Sophienstr. 187
76185 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
info@punkt.de

AG Mannheim 108285
Geschäftsführer: Daniel Lienert, Fabian Stein