I have a similar setup and I add each of the interfaces to a bridge group in their hostname.if(5) files then I do my filtering on that group in pf.conf.
-Nick

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Christiano F. Haesbaert
Sent: Thursday, March 03, 2011 7:48 AM
To: OpenBSD Questions
Subject: Clarifications on bridge and pf

Hi there,

Yesterday I tossed my switch in the bin and got a sun quad fast ethernet to do its job. What I have is a bridged setup with an ip in hme1...

I have now something like this:

ext_if = hme0
bridge0 = { hme1, hme2, hme3, hme4 }
hme1 has ip 192.168.8.1

My concern is, how is pf semantics regarding traffic on the bridge? Should I match packets on bridge0 or on all of the hme?

I've noticed the following, with rules like this:

block
pass on hme1
pass on bridge0

I could not get traffic from hosts in hme2 to hme3 for example. Although the 'pass on bridge0' allowed multicast to travel through bridge.

Eventually I did something like "pass on { hme1 hme2 hme3 hme4 }"

So it seems multicast matches bridge0, while normal unicast traffic does not. I'm new to pf, read the manual but that didn't become clear to me. What am I missing?
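The approach from the reply at the top of this thread, as an added sketch that is not from either poster: each bridge member joins an interface group in its hostname.if(5) file, and pf.conf filters on the group name instead of listing every port. The group name `lanports` and the exact rule set are assumptions for illustration; the bridge0 configuration itself is left unchanged.

```conf
# --- /etc/hostname.hme1 ---
# (the existing address line for 192.168.8.1 stays as it is)
group lanports            # hypothetical group name; must not end in a digit

# --- /etc/hostname.hme2, /etc/hostname.hme3, /etc/hostname.hme4 (one file each) ---
up
group lanports

# --- /etc/pf.conf ---
ext_if = "hme0"

# Default deny, as in the original rule set.
block

# Bridged frames are filtered on the member interfaces: inbound on the
# port they arrive on and outbound on the port they leave by. Both
# ports are in the group, so one rule covers hme2 -> hme3 and every
# other member pair, replacing "pass on { hme1 hme2 hme3 hme4 }".
pass on lanports

# Rules for $ext_if are written separately and are not shown here.
```

After the interfaces are reconfigured, `ifconfig lanports` lists the members of the group and `pfctl -sr` shows the loaded rule referring to the group name, so a port added to the bridge later only needs the `group` line in its hostname.if file.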