This is a discussion on Re: ipfilter won't filter bridged traffic on freebsd within the IPFilter forums, part of the System Security and Security Related category.
Hello Koen,
On 09.02.2008, at 21:27, Koen Martens wrote:

> http://coombs.anu.edu.au/~avalon/ipfilfaq.html#freebsd1 suggests it is possible to use ipfilter to filter bridged traffic.
>
> However, this does not seem to be the case (unless 'recent' means more recent than 6.2-RELEASE-p10).

It sounds like you're using the old-style "BRIDGE" and not if_bridge... If that's indeed the case, the reason why your bridged traffic isn't passed through ipfilter is that ipfw is also loaded (sounds dumb I know, but that's the way it's coded ;). Have a look at /sys/net/bridge.c and search for "XXX: Prevent ipfw from being run twice", and you'll know why this happens.

You can find a fix in the m0n0wall repository: http://svn.m0n0.ch/wall/branches/fre...kernel-6.patch (only the sys/net/bridge.c patch needs to be applied)

Or you could switch to if_bridge, which seems to be preferred now... but according to its manpage, it has the same issue of running ipfw twice (once directly, and once via pfil).

HTH,
Manuel