2008/5/23 Almir Karic <[EMAIL PROTECTED]>:
> On Fri, May 23, 2008 at 1:37 PM, Stephan Andreas <[EMAIL PROTECTED]> wrote:
>> Default is block in and out on $ext_if.
>> Is it a problem with the bridge?
>
> yes, bridges tend to do funny things. in any case add 'log' to your
> default block rule and check ''tcpdump -n -e -ttt -i pflog0'' (i read
> it in the official docs BTW) and it should tell you on which interface
> and which way (in or out) the packet was blocked.
>
> i have my external interface and the DMZ interface in the bridge, i'm
> passing all traffic on dmz interface and do filtering only on external
> interface.
>
>
> HTH
Indeed.
Bridged packets are evaluated *twice* against pf.conf. From man bridge(4):
NOTES
Bridged packets pass through pf(4) filters once as input on the receiving
interface and once as output on all interfaces on which they are forwarded.
In order to pass through the bridge packets must pass any in rules on the
input and any out rules on the output interface. Packets may be blocked
either entering or leaving the bridge.
> --
> For far too long, power has been concentrated in the hands of "root"
> and his "wheel" oligarchy. We have instituted a dictatorship of the
> users. All system administration functions will be handled by the
> People's Committee for Democratically Organizing the System (PC-DOS).
Heh. :D :)
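A pf.conf fragment for the setup Almir describes (logged default block, pass everything on the DMZ side of the bridge, filter only on the external interface), added here as an illustration and not taken from the thread; the interface names fxp0 and fxp1 and the web-server example service are assumptions:

```conf
# Constructed example: both interfaces are members of the same bridge(4).
ext_if = "fxp0"
dmz_if = "fxp1"

# Default deny in both directions on every interface. 'log' makes each
# blocked packet visible on pflog0, so a bridged packet dropped on its
# second pass through pf can be attributed to the right interface/direction.
block log all

# Let every bridged packet through on the DMZ side, in and out, so that each
# packet is filtered exactly once: on $ext_if. 'quick' stops rule evaluation.
pass quick on $dmz_if all

# Filtering happens only here. A bridged packet arriving from the outside is
# checked by the 'in' rules on $ext_if; replies leaving the bridge are checked
# by the 'out' rules on $ext_if. Stateful rules let the reply traffic back.
pass in  on $ext_if proto tcp from any to any port 80 keep state
pass in  on $ext_if proto icmp all
pass out on $ext_if all keep state
```

Load it with `pfctl -f /etc/pf.conf`, then `tcpdump -n -e -ttt -i pflog0` shows, for each blocked packet, the interface and direction (in/out) of the pass that dropped it.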