ipfw and bridging [was: pf and bridging]
Ian Smith
smithi at nimnet.asn.au
Fri Dec 3 23:43:29 PST 2004
On Fri, 3 Dec 2004, Max Laier wrote:
> On Thursday 02 December 2004 19:45, Petr Holub wrote:
> > Hi all,
> >
> > I wonder if it is possible to use the new pf firewall together with
> > bridging as it is possible to use it with ipf and ipfw.
>
> Unfortunately the PFIL_HOOKS in bridge.c don't work too well for pf (or ipf
> for the same reason) thus you cannot use stateful filtering. There is an
> ongoing discussion on freebsd-pf@ that talks about the details:
> http://lists.freebsd.org/pipermail/freebsd-pf/2004-December/000621.html
> http://lists.freebsd.org/pipermail/freebsd-pf/2004-December/000625.html
> http://lists.freebsd.org/pipermail/freebsd-pf/2004-December/000631.html

Read those ones for interest, but it leaves me wondering: can you use
stateful filtering in ipfw, then? (here ipfw1 on a 4.8-RELEASE box with
BRIDGE in kernel so far, but I imagine this would apply also to ipfw2?)

I'm aware that one can only filter incoming packets, so I've always
wondered whether stateful rules made any sense in a bridge context?
(showing off my complete ignorance of the ipfw stateful code)

Cheers, Ian