--- Trevor Talbot <[EMAIL PROTECTED]> wrote:

> On Thursday, Sep 11, 2003, at 16:40 US/Pacific, Torsten wrote:
>
> > I have problems with pf on an OpenBSD 3.3-stable ethernet bridge.
> > My setup:
> >
> > (lan_A)-----( if_A: noIP )-|bridge|-( if_B: ip_B )----(lan_B)
> >
> > IP datagram from (lan_A) to ip_B
> > First appearance of the IP datagram within pf is: IN if_B (!)
> >
> > IP comes in an ethernet frame with dst MAC for if_A and can only arrive
> > on if_A due to cabling.
>
> Why would the destination MAC be for if_A? Normal ARP should respond
> with if_B's MAC over the bridge.

Sorry, I made a typo there. The dst MAC is the MAC of if_B.

> > Inside pf I can't decide if the IP datagram has arrived on if_A or if_B.
> > It would be great if I can write pf rules depending on the interface
> > the IP datagrams arrive on, as MAC and IP addresses are spoofable ;)
>
> The bridge causes an internal transit to the interface matching the
> destination MAC address prior to filtering and upper-layer processing.
> I don't know of a way around this.

Exactly that is what freaks me out a little bit.

Following is tcpdump for bridge0, pflog0 (pass log-all quick inet proto icmp all) and interface FXP1 when doing a PING from 192.168.0.100 to 192.168.0.11.

[192.168.0.100]--(lan_A)---([FXP1:no_IP]--bridge--[FXP0:192.168.0.11])----(lan_B)

FXP0: address: 00:90:27:12:bb:11
FXP1: address: 00:90:27:1c:8b:a2

[fxp1]    15:09:18.854984 0:10:dc:f:ae:ea ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.0.11 tell 192.168.0.100
[fxp1]    15:09:18.855117 0:90:27:12:bb:11 0:10:dc:f:ae:ea 0806 60: arp reply 192.168.0.11 is-at 0:90:27:12:bb:11
[bridge0] 15:09:18.855133 0:10:dc:f:ae:ea ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.0.11 tell 192.168.0.100
[fxp1]    15:09:18.855222 0:10:dc:f:ae:ea 0:90:27:12:bb:11 0800 74: 192.168.0.100 > 192.168.0.11: icmp: echo request (id:2 seq:2) (ttl 128, id 5)
[pflog0]  15:09:18.855301 rule 0/0(match): pass in on fxp0: 192.168.0.100 > 192.168.0.11: icmp: echo request (id:2 seq:2) (ttl 128, id 30640, bad cksum b8fc!)
[pflog0]  15:09:18.855371 rule 0/0(match): pass out on fxp0: 192.168.0.11 > 192.168.0.100: icmp: echo reply (id:2 seq:2) (ttl 255, id 55848)
[fxp1]    15:09:18.855407 0:90:27:12:bb:11 0:10:dc:f:ae:ea 0800 74: 192.168.0.11 > 192.168.0.100: icmp: echo reply (id:2 seq:2) (ttl 255, id 55848)

Why is there no way of getting the physical interface the packet comes in on? This is the *only* thing that ain't spoofable...
I would love to filter that in pf :)

Thank you for the reply.

erpel23
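As an added illustration (not code from the thread), the following Python script parses the tcpdump and pflog lines quoted above and flags every echo packet for which pf's "in on" interface differs from the wire interface that actually captured it; on this bridge that surfaces the internal transit from fxp1 to fxp0 that the reply describes.

```python
import re
# Capture lines taken from the message above (tcpdump on fxp1 plus pflog0).
SAMPLE_LINES = """\
[fxp1] 15:09:18.854984 0:10:dc:f:ae:ea ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.0.11 tell 192.168.0.100
[fxp1] 15:09:18.855222 0:10:dc:f:ae:ea 0:90:27:12:bb:11 0800 74: 192.168.0.100 > 192.168.0.11: icmp: echo request (id:2 seq:2) (ttl 128, id 5)
[pflog0] 15:09:18.855301 rule 0/0(match): pass in on fxp0: 192.168.0.100 > 192.168.0.11: icmp: echo request (id:2 seq:2) (ttl 128, id 30640, bad cksum b8fc!)
[pflog0] 15:09:18.855371 rule 0/0(match): pass out on fxp0: 192.168.0.11 > 192.168.0.100: icmp: echo reply (id:2 seq:2) (ttl 255, id 55848)
[fxp1] 15:09:18.855407 0:90:27:12:bb:11 0:10:dc:f:ae:ea 0800 74: 192.168.0.11 > 192.168.0.100: icmp: echo reply (id:2 seq:2) (ttl 255, id 55848)
""".splitlines()

# One regex for both tcpdump and pflog lines: capture interface, then the ICMP echo tuple.
FLOW_RE = re.compile(
    r"^\[(?P<cap>\w+)\]\s*(?P<ts>\d+:\d+:\d+\.\d+) (?P<rest>.*?)"
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): icmp: echo "
    r"(?P<kind>request|reply) \(id:(?P<id>\d+) seq:(?P<seq>\d+)\)"
)
# pflog-only prefix: the direction and interface pf believes the packet used.
PFLOG_RE = re.compile(r"pass (?P<dir>in|out) on (?P<ifn>\w+):")

def parse_line(line):  # ICMP echo line -> dict; anything else (ARP, noise) -> None
    m = FLOW_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    pf = PFLOG_RE.search(rec["rest"])
    rec["pf_dir"] = pf.group("dir") if pf else None
    rec["pf_if"] = pf.group("ifn") if pf else None
    return rec

def ingress_mismatches(lines):
    """Pair each pflog 'pass in on X' with the wire interface that captured the same
    echo packet; return (flow, wire_if, pf_if) for every flow where the two disagree."""
    wire = {}   # flow key -> physical interface that captured it first
    pf_in = {}  # flow key -> interface pf reports as ingress
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["kind"], rec["id"], rec["seq"])
        if rec["cap"] == "pflog0":
            if rec["pf_dir"] == "in":
                pf_in[key] = rec["pf_if"]
        elif rec["cap"] != "bridge0":  # bridge0 is the logical device, not a wire
            wire.setdefault(key, rec["cap"])
    return [(key, wire[key], pf_in[key])
            for key in pf_in if key in wire and wire[key] != pf_in[key]]

if __name__ == "__main__":
    print(ingress_mismatches(SAMPLE_LINES))
```

Run against the quoted capture it reports the echo request as captured on fxp1 while pf logged it "in on fxp0"; the reply never appears in the result because pf only saw it outbound.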
