>generally with a filtering bridge, you would want to pass all traffic
>on one of the interfaces ('set skip on XX' or a 'pass on XX' rule), and
>just make rules apply to the other interface. Whether or not this is
>what you're doing, isn't clear from your message.
>
Thanks. Determinable from this data? It seems like "set skip"
should be like "quick", that filtering applies only to vge0.
---------------------------------------------------------
# brconfig -a
bridge0: flags=41<UP,RUNNING>
        Configuration:
                priority 32768 hellotime 2 fwddelay 15 maxage 20
        Interfaces:
                vge0 flags=3<LEARNING,DISCOVER>
                        port 1 ifpriority 128 ifcost 55
                dc0 flags=3<LEARNING,DISCOVER>
                        port 2 ifpriority 128 ifcost 55
        Addresses (max cache: 100, timeout: 240)
----------------------------------------------------------
# netstat -rn -finet
Routing tables

Internet:
Destination        Gateway            Flags   Refs    Use    Mtu  Interface
default            70.84.X.1          UGS        0      5      -  dc0
127/8              127.0.0.1          UGRS       0      0  33224  lo0
127.0.0.1          127.0.0.1          UH         1      0  33224  lo0
70.84.X.0/25       link#2             UC         3      0      -  dc0
70.84.x.1          0:17:61:31:2b:a0   UHLc       1      0      -  dc0
70.84.X.15         0:c0:a5:43:c:c5    UHLc       1     46      -  dc0
224/4              127.0.0.1          URS        0      0  33224  lo0
-------------------------------------------------------------
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1348
enc0: flags=0<> mtu 1536
vge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
dc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 70.84.x.16 netmask 0xffffff80 broadcast 70.84.x.127
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge
---------------------------------------------------------------
pf.conf
ext_if = "vge0"
int_if = "dc0"
icmp_types = "echoreq"
table <ntp> { 152.2.21.1 128.2.136.71 }
table <dns> { 192.107.x.34 192.107.x.21 }
table <this> { 70.84.x.15 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set skip on { lo $int_if }
scrub in
block in on $ext_if
block out on $ext_if
antispoof quick for { lo $int_if }
pass in quick on $ext_if inet proto { udp tcp } \
from <dns> to <this> keep state
pass in quick on $ext_if inet proto udp \
from <ntp> to <this> port { 123 } keep state
pass in on $ext_if inet proto icmp all \
icmp-type $icmp_types keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
--------------------------------------------
Darrel
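To answer "which bridge member does pf actually filter?" from exactly this kind of data, here is an added example (my own, not part of Darrel's post or of OpenBSD): it expands pf.conf macros, reads the `set skip on` list, pulls the member interfaces out of `brconfig -a` output, and reports each member as skipped or filtered. It assumes the simple `name = "value"` macro form and the `set skip on` syntax shown in the post; the inputs are constructed copies of the post's configuration.

```python
import re

# Constructed sample inputs, in the shape of the post above (addresses omitted,
# they play no part in the skip/filter decision).
PF_CONF = """\
ext_if = "vge0"
int_if = "dc0"
set skip on { lo $int_if }
block in on $ext_if
block out on $ext_if
"""

BRCONFIG = """\
bridge0: flags=41<UP,RUNNING>
Configuration:
priority 32768 hellotime 2 fwddelay 15 maxage 20
Interfaces:
vge0 flags=3<LEARNING,DISCOVER>
port 1 ifpriority 128 ifcost 55
dc0 flags=3<LEARNING,DISCOVER>
port 2 ifpriority 128 ifcost 55
Addresses (max cache: 100, timeout: 240)
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')
SKIP_RE = re.compile(r'^\s*set\s+skip\s+on\s+(?:\{([^}]*)\}|(\S+))')
# Member lines read "vge0 flags=..."; the bridge itself reads "bridge0: flags=..."
MEMBER_RE = re.compile(r'^\s*([a-z]+\d+)\s+flags=')

def parse_skip(pfconf):
    """Interfaces named by 'set skip on', with $macros expanded."""
    macros, skipped = {}, set()
    for line in pfconf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = SKIP_RE.match(line)
        if m:
            for name in (m.group(1) or m.group(2)).split():
                skipped.add(macros.get(name[1:], name) if name.startswith('$') else name)
    return skipped

def bridge_members(brconfig):
    """Member interfaces listed in brconfig -a output, in port order."""
    return [m.group(1) for m in map(MEMBER_RE.match, brconfig.splitlines()) if m]

def bridge_filter_status(pfconf, brconfig):
    """Each bridge member -> 'skipped' (no pf filtering or state at all) or 'filtered'."""
    skipped = parse_skip(pfconf)
    return {ifn: ('skipped' if ifn in skipped else 'filtered') for ifn in bridge_members(brconfig)}

if __name__ == '__main__':
    for ifn, status in bridge_filter_status(PF_CONF, BRCONFIG).items():
        print(f'{ifn}: {status}')
```

Run against the post's data it reports vge0 as filtered and dc0 as skipped, which is the split the quoted reply describes for a filtering bridge.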