pf + bridge
Philippe PEGON
Philippe.Pegon at crc.u-strasbg.fr
Thu Apr 21 15:04:10 PDT 2005
Ryan Stark wrote:
> On Tue, 19 Apr 2005 00:02:37 +0200
> Guy Brand <gb at isis.u-strasbg.fr> wrote:
>
>
>>On 11 April at 13:20, Sergey Lyubka wrote:
>>
>>
>>>I am trying to build a transparent filtering box.
>>>Box is running freebsd 5.4, pf and bridge, this is
>>>the setup:
>>
>> FreeBSD has no support for pf in its bridge code. Neither has it
>> IPv6 support.
>>
>
> I have been using FreeBSD & pf as a transparent bridge since 5.2.
> (Before that, I was using OpenBSD & pf)
>
> Mine looks something like this:
>
> in
> |
> | fxp0, 0.0.0.0
> -----
> | |
> | |--- fxp1, (internal admin interface)
> | |
> -----
> |
> | fxp1, 0.0.0.0
>
> cat /etc/sysctl.conf
>
> #bridging enable for fxp0,fxp1
> net.link.ether.bridge.config=fxp0:0,fxp1:0
> net.link.ether.bridge.enable=1
>
> cat rc.conf
>
> pflog_enable="YES"
> # Set to YES to enable packet filter logging
>
> pf_rules="/etc/host.pf.conf"
> # rules definition file for pf. different than default. mergemaster
> # likes to clobber default
>
> pflog_enable="YES"
> # Set to YES to enable packet filter logging
>
>
>
> ifconfig
>
> fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 options=48<VLAN_MTU,POLLING>
> ether 00:90:27:59:03:71
> media: Ethernet autoselect (10baseT/UTP)
> status: active
> fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 options=48<VLAN_MTU,POLLING>
> ether 00:a0:c9:d8:8f:b1
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
>
> A slightly dated, but fully functional <scrubbed> ruleset can be found
> here:
>
> http://www.io.com/sirius/pf.conf-3.3.example
>
> Hope that might clear up any confusion.
It seems, according to an old thread (see below), that the pfil hook for outbound packets is absent.
Are you sure that your "pass out" rules are evaluated? Under these conditions, pf can't run
correctly in bridge mode.
http://lists.freebsd.org/pipermail/freebsd-pf/2004-December/thread.html#621
>
> With regards to Sergey's original question; I have not
> played with the web proxy on the bridge, however I have used the
> ftp proxy module on my NAT- gateway machine with no problems. Maybe
> using there would work better?
--
Philippe PEGON
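As an added illustration (not part of either poster's configuration), here is how a transparent-bridge ruleset can be written so that it does not depend on the outbound pfil hook that Philippe says is missing: every decision is taken on the "in" side of whichever bridge member the frame arrives on, and "keep state" (floating by default in this pf generation) lets the reply, which arrives inbound on the other member, match the existing state. The sysctl lines are the ones from Ryan's post; the interface roles, the protected host address 192.0.2.10 and the admin network 192.0.2.0/24 are constructed values for the example, and no "pass out" rule is relied on for enforcement.

```conf
# --- /etc/sysctl.conf (bridge knobs as posted by Ryan) ---
net.link.ether.bridge.config=fxp0:0,fxp1:0
net.link.ether.bridge.enable=1

# --- /etc/host.pf.conf (example ruleset; addresses are constructed) ---
# Bridge members: fxp0 faces the outside, fxp1 faces the protected host.
ext_if = "fxp0"
int_if = "fxp1"
# Assumed example addresses; replace with the real protected host / admin net.
web_srv = "192.0.2.10"
admin_net = "192.0.2.0/24"

# Default deny, logged to pflog0 so pfil-hook problems show up as drops
# in tcpdump -n -e -ttt -i pflog0 rather than as silent pass-through.
block log all

# Loopback is never bridged; allow it explicitly instead of relying on "out".
pass in quick on lo0 all

# Traffic entering from the outside, headed for the protected host.
# Only the SYN of a new TCP connection creates state; replies coming back
# in on $int_if match this state and need no "pass out" rule.
pass in quick on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state
pass in quick on $ext_if proto icmp from any to $web_srv \
    icmp-type echoreq keep state

# Traffic entering from the protected side: allow the host to originate
# DNS and HTTP, again stateful and evaluated inbound on $int_if.
pass in quick on $int_if proto udp from $web_srv to any port 53 keep state
pass in quick on $int_if proto tcp from $web_srv to any port 80 \
    flags S/SA keep state

# Administration of the bridge host itself is only accepted from the
# admin network and is logged; everything else already hit "block log all".
pass in log quick on $int_if proto tcp from $admin_net to ($int_if) port 22 \
    flags S/SA keep state
```

With this layout, if "out" rules are indeed never evaluated, nothing is lost: a packet that leaves the box was already inspected when it entered on the other member. A quick way to confirm the hook situation on a given kernel is to watch pflog0 and `pfctl -vsr` counters while generating a single test connection; if only the "in" rules accumulate hits, writing the policy inbound-only, as above, is the safe choice.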