packet filter problem on transparent firewall using bridge and pf
I have some trouble with pf on a FreeBSD bridge.

Network topology:

    ( untrust ) -- { em0 , bridge0 , em1 } -- ( trust )

Bridge network: 10.1.1.0/24
bridge0 IP: 10.1.1.1 (FreeBSD's IP)
default gw: 10.1.1.254 (in untrust area)
servers: 10.1.1.101 ~ 200 (in trust area)

pf.conf on FreeBSD:

    serv1=10.1.1.101
    client1=10.1.6.73

    block in all
    block out all

    pass in quick on lo0 all
    pass out quick on lo0 all

    pass in quick on bridge0 from 10.1.1.0/24 to any
    pass out quick on bridge0 from 10.1.1.0/24 to any

    pass in quick on bridge0 from $client1 to 10.1.1.1
    pass in quick on bridge0 from $client1 to $serv1

When I turn on pf, I test some connection states:

1. client1 cannot connect to serv1.
2. gw cannot connect to serv1.
3. client1 connects to FreeBSD (10.1.1.1) successfully.
4. gw connects to FreeBSD (10.1.1.1) successfully.

If I turn off pf, all connection tests succeed. What's wrong with the pf rules?

The following is some description of the bridge topology. FreeBSD and the servers are VMware guests on VMware ESXi. The ESXi host has two virtual switches:

    vSw1: connects to untrust
    vSw2: interconnects FreeBSD and the servers

FreeBSD has two vNICs:

    em0: connects to vSw1
    em1: connects to vSw2

The servers have only one vNIC:

    em0: connects to vSw2

FreeBSD's rc.conf:

    cloned_interfaces="bridge0"
    ifconfig_bridge0="inet 10.1.1.1 netmask 255.255.255.0 addm em0 addm em1 up"
    ifconfig_em0="up"
    ifconfig_em1="up"
    pf_enable="YES"
    pf_rules="/etc/pf.conf"

FreeBSD's sysctl:

    net.link.bridge.ipfw: 0
    net.link.bridge.inherit_mac: 0
    net.link.bridge.log_stp: 0
    net.link.bridge.pfil_local_phys: 0
    net.link.bridge.pfil_member: 1
    net.link.bridge.pfil_bridge: 1
    net.link.bridge.ipfw_arp: 0
    net.link.bridge.pfil_onlyip: 1

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
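A ruleset that filters the bridged traffic on the member interfaces, added here as an example; it is not the poster's configuration and nobody on the thread posted it. With net.link.bridge.pfil_member=1, if_bridge(4) runs pf on the member interface a forwarded frame arrives on and on the member it leaves by, so a "block in all / block out all" ruleset that only has "pass" rules on bridge0 drops every forwarded packet at em0 or em1, while packets addressed to the host's own 10.1.1.1 are not seen on the members (pfil_local_phys=0) and therefore still get through on bridge0. The example assumes the roles from the post (em0 towards the untrust side, em1 towards the trust side), the addresses the post lists, explicit "keep state" so it does not depend on the pf version's default, and that net.link.bridge.pfil_bridge is set to 0 in /etc/sysctl.conf so each forwarded packet is filtered once per member rather than a second time on bridge0:

```pf
# Added example, not the original poster's ruleset.  Assumes:
#   em0 = untrust side, em1 = trust side, bridge0 carries 10.1.1.1 (this host)
#   /etc/sysctl.conf: net.link.bridge.pfil_member=1
#                     net.link.bridge.pfil_bridge=0
#                     net.link.bridge.pfil_local_phys=0
ext_if  = "em0"
int_if  = "em1"
lan     = "10.1.1.0/24"
me      = "10.1.1.1"
serv1   = "10.1.1.101"
client1 = "10.1.6.73"

set skip on lo0

# Default deny, logged to pflog0 so a blocked packet shows which
# interface (em0, em1 or bridge0) it was dropped on.
block log all

# Forwarded traffic is filtered on the member it enters (pfil_member=1).
# Admit it there and create state; the reply direction and the outbound
# pass on the other member are matched by that state (states are not
# bound to an interface unless "if-bound" is set).
pass in quick on $ext_if from $client1 to $serv1 keep state
pass in quick on $ext_if from $lan     to any    keep state
pass in quick on $int_if from $lan     to any    keep state

# Outbound on either member: anything that was admitted inbound on the
# other member already has state; this only covers the state creation
# for traffic originating from this host and sent via a member.
pass out quick on { $ext_if, $int_if } keep state

# Packets delivered to the host itself are filtered on bridge0 in the
# normal IP input path, not on the member (pfil_local_phys=0).
pass in  quick on bridge0 from { $lan, $client1 } to $me keep state
pass out quick on bridge0 from $me to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`; confirm the sysctls with `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge net.link.bridge.pfil_local_phys`. If a connection still fails, `tcpdump -n -e -ttt -i pflog0` shows the interface and rule number of each logged block, which is the quickest way to tell a member-interface drop from a bridge0 drop. Note that with net.link.bridge.pfil_onlyip=1 ARP is never passed to pf, so ARP resolution across the bridge keeps working even under "block all".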
Bridge with PF
Hello,

After doing kldload -v bridge, I can see that I have it:

    kldstat
    Id Refs Address    Size   Name
     1    6 0xc040     2cf3dc kernel
     2   14 0xc06d     54974  acpi.ko
     3    1 0xc125b000 3000   daemon_saver.ko
     4    1 0xc152a000 7000   bridge.ko

Then if I do:

    sysctl -a | grep net.link.ether.bridge

I get:

    net.link.ether.bridge.version: 031224
    net.link.ether.bridge.debug: 0
    net.link.ether.bridge.ipf: 0
    net.link.ether.bridge.ipfw: 0
    net.link.ether.bridge.copy: 0
    net.link.ether.bridge.ipfw_drop: 0
    net.link.ether.bridge.ipfw_collisions: 0
    net.link.ether.bridge.packets: 0
    net.link.ether.bridge.dropped: 0
    net.link.ether.bridge.predict: 0
    net.link.ether.bridge.enable: 0
    net.link.ether.bridge.config:
    net.link.ether.bridge_ipf: 0
    net.link.ether.bridge_ipfw: 0
    net.link.ether.bridge_cfg:

Where is the mention of bridge with pf? Or am I misunderstanding how bridge is supposed to work with pf? I do have PF compiled into the kernel; it currently is doing NAT with packet filtering.

Running 5.3.

Thanks
Re: Bridge with PF
It was said:

> Hello, after doing kldload -v bridge, I can see that I have it:
> [snip]
> Where is the mention of bridge with pf? Or am I misunderstanding how bridge is supposed to work with pf? I do have PF compiled into the kernel; it currently is doing NAT with packet filtering.
> Running 5.3.

Hello,

Bridge(4) doesn't work very well with pf. Check the pf list archives for the exact details. You may want to explain what you're trying to accomplish on that list, as sometimes a work-around is possible.

Regards,
stheg