Protecting bridge interface via external interface and IPFW
Korodev
korodev at gmail.com
Tue Nov 8 16:24:40 UTC 2011
I'm currently running a typical bridge setup on 8.2 with if_bridge and
ipfw (tunings below) and I've set up a libpcap tool to monitor packets
traversing bridge interface. I've got some traffic that I don't want
the tool to see, so I've firewalled it off using ipfw. However, it
appears that no matter how I tune my sysctl knobs, the bridge
interface will always see the packet, regardless of whether it's blocked
by ipfw at the external physical interface. I have played with
pfil_member, and seen no changes in this activity.
Are there any modifications, whether it be patches, sysctl tunings, or
virtual interface trickery to allow IPFW to act as a "shield" to my
libpcap program?
Here are my sysctl tunings:
net.link.bridge.ipfw: 1
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
Edit: It looks like I have the exact same question as this individual,
whose question was never answered on the forums:
http://forums.freebsd.org/showthread.php?t=24372
\\korodev