Possible bug in PF with if_bridge

Hideki Yamamoto yamamoto436 at oki.com
Sat Dec 17 07:20:22 PST 2005


Hi, 

I am also struggling with pf with if_bridge for RTP on IPv6.
I have found a pointer to pf+bridge by searching Google.  That is
http://lists.freebsd.org/pipermail/freebsd-pf/2005-January/000762.html.
I have not tried it yet.  I hope you will respond with your result to share
the experience.

Best regards,

Hideki Yamamoto

From: Andrew Thompson <thompsa at freebsd.org>
Subject: Re: Possible bug in PF with if_bridge
Date: Wed, 14 Dec 2005 08:56:24 +1300
Message-ID: <20051213195624.GA5248 at heff.fud.org.nz>

> On Tue, Dec 13, 2005 at 06:07:46PM +0100, Michiel Kranenburg wrote:
> > Hello all,
> > 
> > 
> > I may have found a bug in PF (in combination with if_bridge) for
> > FreeBSD 6.0-RELEASE.
> > 
> > 
> > The weird thing occurs when using PF to filter the bridge.
> > Let me post my pf.conf first: (I did not post the declaration of variables
> > on top of the conf) 
> > 
> > ---------------------------------------------
> > scrub in all
> > 
> > block in log on bridge0 from any to $mynet
> > block return-rst in log on bridge0 proto tcp from any to $mynet
> > 
> > pass in on bridge0 proto {tcp,udp,icmp} from $mynet to $mynet keep state
> > pass out on bridge0 proto {tcp,udp} from $mynet to any keep state
> > 
> > pass on lo0 all
> [...]
> > 
> > Now comes the strange part:
> > 
> > Behind $web and $mail are running SSH-servers. As defined by the rules, I
> > don't want to allow any connection from the outside to the SSH-servers.
> > BUT, some hosts/ip-addresses can _still_ connect to the SSH-servers(!), and
> > some _don't_ (as it is supposed to be).
> 
> You should probably be filtering on the member interfaces rather than
> bridge0 if you are doing keep-state.
> 
> bridge0 has no direction so packets travelling in one direction look the
> same as the reverse path, this may be tripping up stateful rules.
> 
> Can you try changing your pf rules to filter on xl1 and xl2 and see if
> you get the same behaviour.
> 
> 
> P.S. 6.0-RELEASE has a mbuf leak with if_bridge(4)+pfil(9), you may want
> to go to RELENG_6
> 
> 
> cheers,
> Andrew
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
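
Andrew's suggestion, written out as a complete ruleset (this is an added example, not a configuration from anyone in the thread): filter on the bridge member interfaces instead of bridge0, and tell if_bridge(4) to hand packets to pfil(9) only on the members. The interface roles (xl1 facing the outside, xl2 facing $mynet), the $mynet prefix and the host addresses are assumptions; the original post did not include its variable declarations.

```pf
# /etc/sysctl.conf -- if_bridge(4) knobs (assumed: xl1 and xl2 are the bridge0 members)
# net.link.bridge.pfil_member=1     # run pf on the member interfaces
# net.link.bridge.pfil_bridge=0     # do not run pf on bridge0 itself

# /etc/pf.conf
ext_if = "xl1"              # assumed: member connected to the outside
int_if = "xl2"              # assumed: member connected to $mynet
mynet  = "192.0.2.0/24"     # constructed example prefix, not the poster's
web    = "192.0.2.10"       # constructed
mail   = "192.0.2.25"       # constructed

scrub in all

# Default deny for traffic entering from the outside member. Because the rule
# is bound to $ext_if, "in" now has a real meaning: a packet from the outside
# to $mynet is only ever seen "in" on xl1, never "in" on xl2.
block in log on $ext_if from any to $mynet
block return-rst in log on $ext_if proto tcp from any to $mynet

# Traffic originating inside enters on $int_if. The state created here is
# floating (the pf default), so the same connection is matched when it leaves
# on $ext_if and when the reply comes back in on $ext_if.
pass in on $int_if proto { tcp, udp, icmp } from $mynet to $mynet keep state
pass in on $int_if proto { tcp, udp } from $mynet to any keep state
pass out on $ext_if proto { tcp, udp } from $mynet to any keep state

# Only the services you mean to expose get an explicit inbound pass; SSH to
# $web and $mail is deliberately absent, so it stays blocked from outside.
pass in on $ext_if proto tcp from any to $web port 80 keep state
pass in on $ext_if proto tcp from any to $mail port 25 keep state

pass on lo0 all
```

Load the sysctls with `sysctl net.link.bridge.pfil_member=1 net.link.bridge.pfil_bridge=0` (and confirm with `sysctl net.link.bridge`), syntax-check the ruleset with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`, then watch `pfctl -ss` while an outside host tries SSH to $web: with member-interface filtering there should be no state for port 22, and `tcpdump -n -e -ttt -i pflog0` should show the block on xl1. If a state for port 22 still appears, the packet reached pf by a path other than xl1, which is exactly the directionless-bridge0 symptom Andrew describes.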

