Re: ipfilter won't filter bridged traffic on freebsd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Manuel,

On Sat, Feb 09, 2008 at 10:02:23PM +0100, Manuel Kasper wrote:
> On 09.02.2008, at 21:27, Koen Martens wrote:
>> http://coombs.anu.edu.au/~avalon/ipfilfaq.html#freebsd1 suggests it is
>> possible to use ipfilter to filter bridged traffic.
>>
>> However, this does not seem to be the case (unless 'recent' means more
>> recent than 6.2-RELEASE-p10.
>
> It sounds like you're using the old-style "BRIDGE" and not if_bridge... If
> that's indeed the case, the reason why your bridged traffic isn't passed
> through ipfilter is that ipfw is also loaded (sounds dumb I know, but
> that's the way it's coded ;). Have a look at /sys/net/bridge.c and search
> for "XXX: Prevent ipfw from being run twice", and you'll know why this
> happens.

Thanks, i'll be sure to check that out.

> You can find a fix in the m0n0wall repository:
>
> http://svn.m0n0.ch/wall/branches/fre...kernel-6.patch
> (only the sys/net/bridge.c patch needs to be applied)
>
> Or you could switch to if_bridge, which seems to be preferred now... but
> according to its manpage, it has the same issue of running ipfw twice (once
> directly, and once via pfil).

Yes, i think we should switch to if_bridge sooner or later. This is a system (or rather, systems) i've recently acquired to maintain, so i will have to move slowly here.

Thanks again!

I still do think the FAQ needs updating though, if necessary i'd be happy to write the updated text.

Gr,

Koen

- --
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, hosting, embedded systems, unix, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHsJQQktDgRrkFPpYRAmNaAKCEdc9GIcdrtRc0bIaKuX o2aSCmJwCgocWx
WKD+bfJ2o2Fi5Tr2Qofqx+w=
=9nRa
-----END PGP SIGNATURE-----