On Tue, May 10, 2011 at 06:45:08PM +0200, Nicolas GRENECHE wrote:

> Regarding tcpdump, packets seem to go through the interface. Why doesn't
> pf see them?

The destination MAC addresses of the ethernet frames do not match the firewall's. By putting the interfaces into promiscuous mode, the frames are copied to BPF readers (like tcpdump), but the host then ignores the frame. Since the host is neither the recipient nor bridging, there is no reason to pf filter the packet, as the frame will be dropped anyway.

I guess you could add the interfaces to bridges or some such construct, to get pf filtering involved. It depends on WHY you want pf to filter something you don't want to forward, i.e. what would be the purpose of the packet showing up on pflog.

Daniel
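
A simplified model of the destination-MAC check described in the reply above, as an added example that is not part of the original message and is not FreeBSD code. The MAC addresses and frames are constructed sample values, and the function names are hypothetical; multicast is reported separately because the reply does not cover it.

```python
import struct

BROADCAST = b"\xff" * 6

def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes(int(part, 16) for part in text.split(":"))
    if len(raw) != 6:
        raise ValueError("MAC address must have 6 octets: %r" % text)
    return raw

def build_frame(dst, src, ethertype=0x0800, payload=b""):
    """Build a constructed Ethernet II frame for the demonstration."""
    return struct.pack("!6s6sH", parse_mac(dst), parse_mac(src), ethertype) + payload

def classify_frame(frame, if_mac):
    """Say what a non-bridging host does with a frame seen in promiscuous mode.

    'local'     unicast to this interface or broadcast: passed up the stack,
                so the packet filter gets to evaluate it.
    'bpf-only'  unicast to another station: BPF readers such as tcpdump get
                a copy, then the host drops it before any filtering.
    'multicast' group address: outside the case discussed in the reply.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, _src, _ethertype = struct.unpack("!6s6sH", frame[:14])
    if dst == parse_mac(if_mac) or dst == BROADCAST:
        return "local"
    if dst[0] & 0x01:  # I/G bit set means a group (multicast) address
        return "multicast"
    return "bpf-only"

# Constructed sample values (locally administered MAC addresses).
FIREWALL_MAC = "02:00:00:00:00:01"
OTHER_HOST = "02:00:00:00:00:02"
SENDER = "02:00:00:00:00:03"

def demo():
    """Classify three constructed frames as seen on the firewall's interface."""
    frames = {
        "to firewall": build_frame(FIREWALL_MAC, SENDER),
        "to other host": build_frame(OTHER_HOST, SENDER),
        "broadcast": build_frame("ff:ff:ff:ff:ff:ff", SENDER, ethertype=0x0806),
    }
    return {name: classify_frame(f, FIREWALL_MAC) for name, f in frames.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-14s %s" % (name, verdict))
```

Running `tcpdump -e` on the interface prints the link-level header, which lets you compare each frame's destination MAC against the interface's own address in the same way.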
