Re: pf nuttyness

2009-11-26 Thread krad
2009/11/25 Vincent Hoffman vi...@unsane.co.uk

 krad wrote:
  2009/11/24 Brian McCann bjmcc...@gmail.com
 
 
  I'm at the end of my rope here with PF.  I have a ruleset loaded that
  is long and complicated...but I've shortened it to a pass-all rule.
  The box has 4 interfaces, one for pfsync, one for me to connect to it,
  and two bridged interfaces.  The only traffic on the bridged
  interfaces is STP and IP multicast traffic from my EIGRP routers.
  When I run pfctl -s rules -v, the EIGRP multicast traffic never hits
  any rules...yet it's allowed.
 
  I'm on FreeBSD 7.1.
 
  Has anyone else come across this before?  I'm ready to throw out
  FreeBSD 7.1 and try OpenBSD for pf use...which would be a shame since
  I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
  would just be... weird...
 
  --Brian
 

 Have you read the if_bridge(4) manpage? I'd recommend starting at the
 heading PACKET FILTERING and checking you have the correct sysctl
 settings.
 pf certainly can filter bridge interfaces according to the manpage. That
 said I've never tried it.


 Vince
  --
  _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
  Brian McCann
 
  I don't have to take this abuse from you -- I've got hundreds of
  people waiting to abuse me.
 -- Bill Murray, Ghostbusters
  ___
  freebsd-questions@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-questions
  To unsubscribe, send any mail to 
  freebsd-questions-unsubscr...@freebsd.org
 
 
 
  pf works at layer 3 (IP); bridging works at layer 2 (Ethernet/datalink),
  therefore the traffic probably never gets to the upper layer of the IP
  stack where pf works.
 
  You can do L2 filtering with ipfw if you enable the sysctl variable
  net.link.bridge.ipfw=1. However, I'm not sure if you can do it with pf on
  FreeBSD. I had a quick scout through the man pages and can't see anything.
  However, I'm fairly sure you can do L2 stuff with pf in OpenBSD.
 
  As your traffic is multicast you could always configure your BSD box as a
  multicast router rather than bridging the traffic. pf should see the
  traffic then as you're working at L3 and above.
 


I think this is the one you want:

echo net.link.bridge.pfil_bridge=1 >> /etc/sysctl.conf
/etc/rc.d/sysctl restart


Re: pf nuttyness

2009-11-25 Thread krad
2009/11/24 Brian McCann bjmcc...@gmail.com

 I'm at the end of my rope here with PF.  I have a ruleset loaded that
 is long and complicated...but I've shortened it to a pass-all rule.
 The box has 4 interfaces, one for pfsync, one for me to connect to it,
 and two bridged interfaces.  The only traffic on the bridged
 interfaces is STP and IP multicast traffic from my EIGRP routers.
 When I run pfctl -s rules -v, the EIGRP multicast traffic never hits
 any rules...yet it's allowed.

 I'm on FreeBSD 7.1.

 Has anyone else come across this before?  I'm ready to throw out
 FreeBSD 7.1 and try OpenBSD for pf use...which would be a shame since
 I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
 would just be... weird...

 --Brian

 --
 _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
 Brian McCann

 I don't have to take this abuse from you -- I've got hundreds of
 people waiting to abuse me.
-- Bill Murray, Ghostbusters


pf works at layer 3 (IP); bridging works at layer 2 (Ethernet/datalink),
therefore the traffic probably never gets to the upper layer of the IP stack
where pf works.

You can do L2 filtering with ipfw if you enable the sysctl variable
net.link.bridge.ipfw=1. However, I'm not sure if you can do it with pf on
FreeBSD. I had a quick scout through the man pages and can't see anything.
However, I'm fairly sure you can do L2 stuff with pf in OpenBSD.

As your traffic is multicast you could always configure your BSD box as a
multicast router rather than bridging the traffic. pf should see the traffic
then as you're working at L3 and above.


Re: pf nuttyness

2009-11-25 Thread Vincent Hoffman
krad wrote:
 2009/11/24 Brian McCann bjmcc...@gmail.com

   
 I'm at the end of my rope here with PF.  I have a ruleset loaded that
 is long and complicated...but I've shortened it to a pass-all rule.
 The box has 4 interfaces, one for pfsync, one for me to connect to it,
 and two bridged interfaces.  The only traffic on the bridged
 interfaces is STP and IP multicast traffic from my EIGRP routers.
 When I run pfctl -s rules -v, the EIGRP multicast traffic never hits
 any rules...yet it's allowed.

 I'm on FreeBSD 7.1.

 Has anyone else come across this before?  I'm ready to throw out
 FreeBSD 7.1 and try OpenBSD for pf use...which would be a shame since
 I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
 would just be... weird...

 --Brian
 

Have you read the if_bridge(4) manpage? I'd recommend starting at the
heading PACKET FILTERING and checking you have the correct sysctl
settings.
pf certainly can filter bridge interfaces according to the manpage. That
said I've never tried it.


Vince
 --
 _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
 Brian McCann

 I don't have to take this abuse from you -- I've got hundreds of
 people waiting to abuse me.
-- Bill Murray, Ghostbusters

 

 pf works at layer 3 (IP); bridging works at layer 2 (Ethernet/datalink),
 therefore the traffic probably never gets to the upper layer of the IP stack
 where pf works.

 You can do L2 filtering with ipfw if you enable the sysctl variable
 net.link.bridge.ipfw=1. However, I'm not sure if you can do it with pf on
 FreeBSD. I had a quick scout through the man pages and can't see anything.
 However, I'm fairly sure you can do L2 stuff with pf in OpenBSD.

 As your traffic is multicast you could always configure your BSD box as a
 multicast router rather than bridging the traffic. pf should see the traffic
 then as you're working at L3 and above.
   



RE: pf nuttyness

2009-11-25 Thread Michael K. Smith - Adhost
 -Original Message-
 From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
 questi...@freebsd.org] On Behalf Of Brian McCann
 Sent: Tuesday, November 24, 2009 3:03 PM
 To: freebsd-questions
 Subject: pf nuttyness
 
 I'm at the end of my rope here with PF.  I have a ruleset loaded that
 is long and complicated...but I've shortened it to a pass-all rule.
 The box has 4 interfaces, one for pfsync, one for me to connect to it,
 and two bridged interfaces.  The only traffic on the bridged
 interfaces is STP and IP multicast traffic from my EIGRP routers.
 When I run pfctl -s rules -v, the EIGRP multicast traffic never hits
 any rules...yet it's allowed.
 
 I'm on FreeBSD 7.1.
 
 Has anyone else come across this before?  I'm ready to throw out
 FreeBSD 7.1 and try OpenBSD for pf use...which would be a shame since
 I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
 would just be... weird...
 
 --Brian
 
For troubleshooting, try this:

block in log all
(remove all other log statements)
tcpdump -n -e -ttt -i pflog0

That's provided you set up a pflog0 interface.  If not, add this to
rc.conf:
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

and 'ifconfig pflog0 up'

Mike
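The two pieces of advice in this thread (krad's net.link.bridge.pfil_bridge sysctl and Mike's block-and-log plus tcpdump on pflog0) fit together into one FreeBSD helper script. What follows is an added example written for this page, not code posted by anyone in the thread. The knobs it checks are the ones documented under PACKET FILTERING in if_bridge(4): net.link.bridge.pfil_member (filter on the member interfaces, default 1), net.link.bridge.pfil_bridge (filter on the bridge interface, default 1) and net.link.bridge.ipfw (layer-2 ipfw filtering, default 0). One caveat worth knowing before taking krad's first suggestion: turning net.link.bridge.ipfw on makes the kernel clear pfil_member and pfil_bridge so that ipfw is not run twice, which also leaves pf with nothing to see until one of them is switched back on. The script assumes bridge members em0/em1, a management interface em2, /etc/sysctl.conf as the persistence file, and that pflog0 is already up as Mike describes; the EIGRP rule relies on EIGRP being IP protocol 88 sent to 224.0.0.10.

```shell
#!/bin/sh
# Added example, not code from the thread. FreeBSD helper for the problem
# above: make sure if_bridge(4) hands bridged IP packets to pfil(9) (and so
# to pf), persist the knobs, and verify with pfctl/tcpdump as Mike suggests.
# Assumptions: bridge members em0/em1, management interface em2 and
# /etc/sysctl.conf as the persistence file; adjust to your box.

# Read `sysctl net.link.bridge` output ("name: value" lines) from stdin and
# print a verdict. Per if_bridge(4): pfil_member=1 filters on the member
# interfaces, pfil_bridge=1 on the bridge interface; setting ipfw=1 turns
# both off so ipfw is not run twice, which also leaves pf blind.
bridge_pfil_verdict() {
    member=1 bridge=1 ipfw=0            # if_bridge(4) defaults
    while IFS= read -r line; do
        key=${line%%:*}
        val=${line#*:}
        val=${val# }
        case $key in
            net.link.bridge.pfil_member) member=$val ;;
            net.link.bridge.pfil_bridge) bridge=$val ;;
            net.link.bridge.ipfw)        ipfw=$val ;;
        esac
    done
    if [ "$member" = 0 ] && [ "$bridge" = 0 ]; then
        if [ "$ipfw" = 1 ]; then
            echo "pf-blind: ipfw=1 disabled pfil_member and pfil_bridge"
        else
            echo "pf-blind: pfil_member=0 and pfil_bridge=0"
        fi
        return 1
    fi
    echo "ok: pfil_member=$member pfil_bridge=$bridge"
}

# Set key=value in a sysctl.conf-style file, replacing an existing line for
# the key rather than appending a duplicate (the echo >> one-liner does not).
sysctl_conf_set() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    {
        if [ -f "$file" ]; then awk -F= -v k="$key" '$1 != k' "$file"; fi
        echo "$key=$value"
    } > "$tmp" && mv "$tmp" "$file"
}

# Apply the knobs live and persist them across reboots.
bridge_pfil_apply() {
    conf=${1:-/etc/sysctl.conf}
    for kv in net.link.bridge.ipfw=0 \
              net.link.bridge.pfil_member=1 \
              net.link.bridge.pfil_bridge=1; do
        sysctl "$kv"
        sysctl_conf_set "$conf" "${kv%%=*}" "${kv#*=}"
    done
}

# Load a minimal logging ruleset and watch pflog0. EIGRP is IP protocol 88
# sent to 224.0.0.10, so its hellos get their own logged, stateless pass
# rule (every packet logged, not just the first); the management interface
# is passed quick first so the block rule cannot lock you out.
bridge_pf_verify() {
    mgmt=${1:-em2}
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<EOF
set skip on lo0
pass quick on $mgmt
pass in log proto 88 to 224.0.0.10 no state
block in log all
pass out all
EOF
    pfctl -f "$tmp" && rm -f "$tmp"
    pfctl -s rules -v            # counters on the EIGRP rule should now move
    tcpdump -n -e -ttt -i pflog0 # -e shows the rule number and interface hit
}

case ${1:-} in
    check)  sysctl net.link.bridge | bridge_pfil_verdict ;;
    apply)  bridge_pfil_apply "${2:-}" ;;
    verify) bridge_pf_verify "${2:-}" ;;
esac
```

Run `sh bridge-pf.sh check` first: a "pf-blind" verdict explains why `pfctl -s rules -v` counters never move, `apply` fixes and persists the knobs, and `verify` loads the logging ruleset and tails pflog0. With `-e`, tcpdump prints the interface each logged packet was matched on, so you can tell whether pf saw the hello on the member interface (pfil_member) or on the bridge itself (pfil_bridge).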


pf nuttyness

2009-11-24 Thread Brian McCann
I'm at the end of my rope here with PF.  I have a ruleset loaded that
is long and complicated...but I've shortened it to a pass-all rule.
The box has 4 interfaces, one for pfsync, one for me to connect to it,
and two bridged interfaces.  The only traffic on the bridged
interfaces is STP and IP multicast traffic from my EIGRP routers.
When I run pfctl -s rules -v, the EIGRP multicast traffic never hits
any rules...yet it's allowed.

I'm on FreeBSD 7.1.

Has anyone else come across this before?  I'm ready to throw out
FreeBSD 7.1 and try OpenBSD for pf use...which would be a shame since
I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
would just be... weird...

--Brian

-- 
_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
Brian McCann

I don't have to take this abuse from you -- I've got hundreds of
people waiting to abuse me.
-- Bill Murray, Ghostbusters