Hi Daniel, list,
I don't want to sound stupid here, but I have a problem with a
bridge and -current. I realize -current is for testing, but I wanted to help
test the QoS that is in pf now, at work, to help contribute what I can (we are
an ISP).
OpenBSD 3.2-current (GENERIC) #20: Sun Dec 1 22:46:07 MST 2002
I have 3 interfaces, one xl0 and 2 rl (rl0 and rl1). I have configured rl0
and rl1 in a bridge:
coldiso@venom:[~] 12:03:25 -> cat /etc/testbridge.bridge0
add rl0
add rl1
up
and traffic is crossing the bridge, as I can see from the tcpdump output.
bridge0: flags=41<UP,RUNNING> mtu 1500
venom# tcpdump -netttvvi rl1
tcpdump: WARNING: rl1: no IPv4 address assigned
tcpdump: listening on rl1
Dec 02 12:07:44.025608 0:10:4b:30:36:36 0:50:bf:39:3d:d6 0800 114: 192.168.1.192.17896
> 192.168.1.191.22: P 2599562820:2599562868(48) ack 3674499332 win 17376
<nop,nop,timestamp 401233087 157964272> (DF) [tos 0x10] (ttl 64, id 63415)
Dec 02 12:07:44.025699 0:10:4b:30:36:36 0:50:bf:39:3d:d6 0800 114: 192.168.1.192.17896
> 192.168.1.191.22: P 48:96(48) ack 1 win 17376 <nop,nop,timestamp 401233087
157964272> (DF) [tos 0x10] (ttl 64, id 54563)
Dec 02 12:07:44.025773 0:10:4b:30:36:36 0:50:bf:39:3d:d6 0800 114: 192.168.1.192.17896
> 192.168.1.191.22: P 96:144(48) ack 1 win 17376 <nop,nop,timestamp 401233087
157964272> (DF) [tos 0x10] (ttl 64, id 38259)
venom# tcpdump -netttvvi rl0
tcpdump: WARNING: rl0: no IPv4 address assigned
tcpdump: listening on rl0
Dec 02 12:08:17.104741 0:c0:f0:4c:6a:3e 0:10:4b:30:36:36 0806 60: arp reply
192.168.1.1 is-at 0:c0:f0:4c:6a:3e
Dec 02 12:08:17.104852 0:10:4b:30:36:36 0:c0:f0:4c:6a:3e 0800 98: 192.168.1.192 >
209.143.0.10: icmp: echo request (id:31825 seq:0) (ttl 255, id 38307)
Dec 02 12:08:17.230751 0:c0:f0:4c:6a:3e 0:10:4b:30:36:36 0800 98: 209.143.0.10 >
192.168.1.192: icmp: echo reply (id:31825 seq:0) (ttl 235, id 35793)
What I can't get to work is pf on the bridge interfaces:
venom# pfctl -vsr
@0 pass in log-all on rl0 all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0
]
@1 pass out log-all on rl0 all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0
]
@2 pass in log-all on rl1 all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0
]
@3 pass out log-all on rl1 all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0
]
I have a really simple rule set, just to log packets that cross it, for now:
venom# pfctl -s rules
@0 pass in log-all on rl0 all
@1 pass out log-all on rl0 all
@2 pass in log-all on rl1 all
@3 pass out log-all on rl1 all
but as you can see from the pfctl -vsr output, nothing is being evaluated.
I have enabled this:
pf=YES # Packet filter / NAT
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
I did this:
venom# pfctl -e
pf enabled
altq enabled
and then I started to gather information from the log to /var/log/pflog.
My question is: did I miss something to turn this on so that the system
would enable pf by default? I thought that was the point of pf=YES #
Packet filter / NAT in rc.conf.
Please correct me where I am wrong in my configuration.
Thanks
Jason Houx.
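As an added example, not part of Jason's post: a small POSIX shell/awk check that reads pfctl -vsr output in the format quoted above together with a hostname.bridge0-style file (the "add rl0 / add rl1 / up" format shown), and lists every rule whose Evaluations counter is still zero along with whether its interface is actually a bridge member. The pfctl and bridge inputs are constructed samples, not captures from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the original post). Reads "pfctl -vsr" output and a
# hostname.bridge0-style file in the formats quoted above, lists every rule pf
# has never evaluated, and marks whether its interface is a bridge member.
# Both inputs below are constructed samples, not captures from the poster's box.

SAMPLE_PFCTL_VSR='@0 pass in log-all on rl0 all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0
]
@1 pass out log-all on rl0 all
[ Evaluations: 12 Packets: 12 Bytes: 1368 States: 0
]
@2 pass in log-all on xl0 all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0
]'

SAMPLE_BRIDGE_CONF='add rl0
add rl1
up'

# Usage: unevaluated_rules "<pfctl -vsr text>" "<bridge config text>"
# Prints "<rule#> <iface> member|not-member" for each rule with zero evaluations.
unevaluated_rules() {
    members=$(printf '%s\n' "$2" | awk '$1 == "add" { printf "%s ", $2 }')
    printf '%s\n' "$1" | awk -v members="$members" '
        BEGIN { n = split(members, m, " "); for (i = 1; i <= n; i++) is_member[m[i]] = 1 }
        /^@[0-9]+ / { rule = $0; next }          # remember the rule line
        /^\[ Evaluations: / {                    # counter line that follows it
            if ($3 + 0 == 0 && rule != "") {
                iface = "-"
                nf = split(rule, f, " ")
                for (i = 1; i < nf; i++) if (f[i] == "on") iface = f[i + 1]
                status = (iface in is_member) ? "member" : "not-member"
                printf "%s %s %s\n", substr(f[1], 2), iface, status
            }
            rule = ""
        }'
}

unevaluated_rules "$SAMPLE_PFCTL_VSR" "$SAMPLE_BRIDGE_CONF"
```

To run it against a live box, pass `"$(pfctl -vsr)"` and `"$(cat /etc/hostname.bridge0)"` instead of the two samples.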