Re: pf for netgraph jails?

<div>+ kp@</div><div> </div><div><div>A very interesting question.</div><div> </div><div>I think that's because, ng_ether(4) intercepts L2 traffic before it hits the firewall.</div><div> </div><div>pf(4) can intercept L2 traffic, but I'm not sure that it can then filter it by L3/L4.<br /><br />https://reviews.freebsd.org/D31737</div><div> </div><div>Maybe kp@ will clarify this issue?</div></div><div> </div><div>31.10.2024, 18:32, "Palle Girgensohn" &lt;girgen@freebsd.org&gt;:</div><div> <div> <div><br /> 16 okt. 2024 kl. 18:17 skrev Patrick M. Hausen &lt;hausen@punkt.de&gt;:<br /> <br /> Hi!<br /> <br /> Am 16.10.2024 um 16:19 schrieb Palle Girgensohn &lt;girgen@FreeBSD.org&gt;:<br /> [...]<br /> but nothing happens, everything is passed directly into the jail:<br /> <br /> nc -l 4444 (inside the jail)<br /> <br /> and I can just telnet 1.2.3.4 4444 <br /> Try:<br /> <br /> sysctl net.link.bridge.pfil_member=0<br /> sysctl net.link.bridge.pfil_bridge=1<br /> <br /> Although I do not know if this ablies to netgraph or to if_bridge(4) only.<br /> <br /> But obviously your rules are not applied to the bridge interface. The default<br /> of the tunables above is the other way round - don't filter on bridge interfaces.<br /> <br /> HTH,<br /> Patrick<br /><br />Hallo Patrick,<br /><br />Thanks for the reply. It seems that these MIBs are related to if_bridge, not ng_bridge? I didn't have them at first, men after kldload if_bridge they appeared. They make no difference, though, so perhaps they do not relate to netgraph bridges?<br /><br />Any idea what tuneables would do the job?<br /><br />Thanks,<br /><br />Palle</div></div></div>