Solved: Filtering bridge with pf.
Carsten Sonne Larsen
cs at innolan.dk
Fri Apr 5 13:01:44 UTC 2013
After reading carefully through the if_bridge man pages, the sysctls are
now:
net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_local_phys=1
net.link.bridge.ipfw=0
net.link.bridge.ipfw_arp=0
Statistics from pftop and "pfctl -vs rules" still show an accumulated
number of states. Also, tcpdump still shows a rule range instead of a
fixed rule number, while pftop shows * in the rule column. Nevertheless,
the bridge seems to work as intended.
>
> On 04/04/2013 19:48, wishmaster wrote:
>>
>> What are your sysctls?
>>
>> Below is from my production server with 3 NICs in a bridge. I use
>> filtering only on the bridge0 interface.
>>
>> net.link.bridge.pfil_local_phys: 0
>> net.link.bridge.pfil_member: 0
>> net.link.bridge.pfil_bridge: 1
>> net.link.bridge.pfil_onlyip: 1
>>
More information about the freebsd-pf mailing list
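The two sysctl sets in this thread differ in where pf gets to see a bridged frame. Per if_bridge(4), net.link.bridge.pfil_member=1 runs the packet filter on the member interfaces and net.link.bridge.pfil_bridge=1 runs it on the bridge interface itself; with both set, a frame forwarded across the bridge passes through pf at both points. The following shell snippet is an added example, not code from either poster: it parses `sysctl net.link.bridge` style output (the two constructed samples mirror the values quoted above) and reports which of the four filtering arrangements is in effect. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread). Classify how pf is hooked
# into if_bridge from the net.link.bridge.pfil_* sysctls.
#
# Per if_bridge(4):
#   pfil_member=1  -> filter on the incoming/outgoing member interfaces
#   pfil_bridge=1  -> filter on the bridge interface (bridge0)
# Both set means a forwarded frame crosses pf twice.

# Constructed sample: the original poster's values (both hooks on).
SAMPLE_BOTH='net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_local_phys: 1
net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0'

# Constructed sample: wishmaster's values (bridge0 only).
SAMPLE_BRIDGE_ONLY='net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1'

# bridge_sysctl_value <oid> <text>
# Print the numeric value of one OID from sysctl output. Accepts both the
# "oid: value" form printed by sysctl(8) and the "oid=value" form used in
# /etc/sysctl.conf. Prints nothing if the OID is absent.
bridge_sysctl_value() {
    printf '%s\n' "$2" \
        | sed -n "s/^$1[:=][[:space:]]*\([0-9]*\).*/\1/p" \
        | head -n 1
}

# bridge_pfil_mode <text>
# Print one of: none, member, bridge, both. A missing OID counts as 0.
bridge_pfil_mode() {
    m=$(bridge_sysctl_value net.link.bridge.pfil_member "$1")
    b=$(bridge_sysctl_value net.link.bridge.pfil_bridge "$1")
    case "${m:-0}${b:-0}" in
        00) echo none ;;
        10) echo member ;;
        01) echo bridge ;;
        11) echo both ;;
    esac
}

# bridge_pfil_report <text>
# Human-readable summary of where pf sees bridged frames.
bridge_pfil_report() {
    onlyip=$(bridge_sysctl_value net.link.bridge.pfil_onlyip "$1")
    case "$(bridge_pfil_mode "$1")" in
        none)   echo "pf does not see bridged frames (pfil_member=0, pfil_bridge=0)" ;;
        member) echo "pf filters once, on each member interface" ;;
        bridge) echo "pf filters once, on the bridge interface" ;;
        both)   echo "pf filters twice: on the member interface and again on the bridge interface" ;;
    esac
    [ "${onlyip:-0}" = 1 ] && echo "pfil_onlyip=1: only IP traffic is passed to pf"
    return 0
}

# Run on the constructed samples. On a FreeBSD box, feed live values with:
#   bridge_pfil_report "$(sysctl net.link.bridge)"
echo "original poster:"; bridge_pfil_report "$SAMPLE_BOTH"
echo "wishmaster:";      bridge_pfil_report "$SAMPLE_BRIDGE_ONLY"
```

The classification is deliberately independent of rule counters or pftop output; it only tells you how many times a forwarded frame can hit your rule set, which is what decides whether rules written for "the bridge" also need to account for being matched on em0/em1 style member interfaces.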