Re: How pf chooses nics on bridges?
* Listas IT listas...@dna.uba.ar [2015-04-28 21:20]:
> > > Why is it that blocked packets appear sometimes on fxp0 and sometimes on vether0?
> > it's simply the interface the packet came in on.
> Thank you. I get that. The question is why it sometimes logs fxp0 and sometimes
> vether0, as both are the same physical NIC?

it logs whatever the receiving interface is, as set by the lower layers of the
stack. why that is sometimes vether and sometimes the underlying if I can't
tell w/o code digging.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: How pf chooses nics on bridges?
* Listas IT listas...@dna.uba.ar [2015-04-28 11:25]:
> We have a 5.6-stable box doing transparent filtering with pf. block log all
> is the default on the ruleset. The bridge is composed of fxp0 and vether0 on
> the internal net 192.168.192/23 and xl0 (internet).
>
> While doing normal work pflog0 shows this:
>
> 06:19:08.497855 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)
> 06:19:08.546275 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)
> 06:19:08.582708 rule 17/(match) block in on fxp0: 192.168.192.146.61276 > 23.202.94.13.80: tcp 0 (DF)
> 06:19:08.869587 rule 17/(match) block in on vether0: 192.168.193.12.2103 > 77.234.44.77.443: tcp 0 (DF)
> 06:19:08.872942 rule 17/(match) block in on vether0: 192.168.193.12.2104 > 77.234.42.76.443: tcp 0 (DF)
> 06:19:09.000769 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)
> 06:19:09.046083 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)
>
> vether0 is 192.168.192.119, i.e. in the same net as fxp0, and the default gw
> for the net. There are no static rules for any of those destination sites.
>
> Why is it that blocked packets appear sometimes on fxp0 and sometimes on vether0?

it's simply the interface the packet came in on.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
How pf chooses nics on bridges?
Hello

We have a 5.6-stable box doing transparent filtering with pf. block log all
is the default on the ruleset. The bridge is composed of fxp0 and vether0 on
the internal net 192.168.192/23 and xl0 (internet).

While doing normal work pflog0 shows this:

06:19:08.497855 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)
06:19:08.546275 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)
06:19:08.582708 rule 17/(match) block in on fxp0: 192.168.192.146.61276 > 23.202.94.13.80: tcp 0 (DF)
06:19:08.869587 rule 17/(match) block in on vether0: 192.168.193.12.2103 > 77.234.44.77.443: tcp 0 (DF)
06:19:08.872942 rule 17/(match) block in on vether0: 192.168.193.12.2104 > 77.234.42.76.443: tcp 0 (DF)
06:19:09.000769 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)
06:19:09.046083 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)

vether0 is 192.168.192.119, i.e. in the same net as fxp0, and the default gw
for the net. There are no static rules for any of those destination sites.

Why is it that blocked packets appear sometimes on fxp0 and sometimes on vether0?

Thanks
Re: How pf chooses nics on bridges?
> > 06:19:08.497855 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)
> > 06:19:08.546275 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)
> > 06:19:08.582708 rule 17/(match) block in on fxp0: 192.168.192.146.61276 > 23.202.94.13.80: tcp 0 (DF)
> > 06:19:08.869587 rule 17/(match) block in on vether0: 192.168.193.12.2103 > 77.234.44.77.443: tcp 0 (DF)
> > 06:19:08.872942 rule 17/(match) block in on vether0: 192.168.193.12.2104 > 77.234.42.76.443: tcp 0 (DF)
> > 06:19:09.000769 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)
> > 06:19:09.046083 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)
> >
> > Why is it that blocked packets appear sometimes on fxp0 and sometimes on vether0?
>
> it's simply the interface the packet came in on.

Thank you. I get that. The question is why it sometimes logs fxp0 and sometimes
vether0, as both are the same physical NIC?
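An added example, not code from the thread or from OpenBSD: a small Python parser for the pflog records tcpdump prints on pflog0, which splits each line into timestamp, rule number, action, direction, receiving interface, source and destination endpoints, and then groups the records by interface. On a bridge this is the quickest way to check the two things the thread is circling: whether any internal host is logged on more than one member interface, and whether the same 5-tuple is logged repeatedly (the pairs about 0.5 s apart in the posted log look like retransmitted SYNs of a blocked attempt). The sample lines are the seven records from the thread with the "src > dst" separator tcpdump prints restored; the regular expression, the function names and the output format are assumptions of this example, not anything pf or tcpdump define.

```python
"""Summarise OpenBSD pflog records per bridge member interface.

Added example, not code from the thread or from OpenBSD.  The sample lines
are the seven records posted in the thread (with tcpdump's "src > dst"
separator restored); the regex and helper names are this example's own.
"""
import re
from collections import Counter, defaultdict

# One pflog record as tcpdump(8) prints it on pflog0:
#   <time> rule <n>/(<reason>) <action> <dir> on <if>: <src> > <dst>: <proto> ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

# Constructed sample input: the records from the thread, one per line.
SAMPLE_PFLOG = """\
06:19:08.497855 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)
06:19:08.546275 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)
06:19:08.582708 rule 17/(match) block in on fxp0: 192.168.192.146.61276 > 23.202.94.13.80: tcp 0 (DF)
06:19:08.869587 rule 17/(match) block in on vether0: 192.168.193.12.2103 > 77.234.44.77.443: tcp 0 (DF)
06:19:08.872942 rule 17/(match) block in on vether0: 192.168.193.12.2104 > 77.234.42.76.443: tcp 0 (DF)
06:19:09.000769 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)
06:19:09.046083 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)
""".splitlines()


def split_endpoint(endpoint):
    """'192.168.193.41.3138' -> ('192.168.193.41', 3138).

    With -n, tcpdump appends the port as a final dotted component for both
    IPv4 and IPv6 addresses, so splitting on the last '.' works for either."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_pflog_line(line):
    """Return a dict for one pflog record, or None if the line is not one."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src_host"], rec["src_port"] = split_endpoint(rec.pop("src"))
    rec["dst_host"], rec["dst_port"] = split_endpoint(rec.pop("dst"))
    return rec


def summarize(lines):
    """Group records by receiving interface and flag hosts that appear on
    more than one member interface, plus 5-tuples logged more than once."""
    records, unparsed = [], 0
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            unparsed += 1          # not a pflog record; counted, not dropped silently
        else:
            records.append(rec)

    per_if = Counter(r["ifname"] for r in records)
    hosts_by_if = defaultdict(set)
    flow_hits = Counter()
    for r in records:
        hosts_by_if[r["ifname"]].add(r["src_host"])
        flow_hits[(r["ifname"], r["src_host"], r["src_port"],
                   r["dst_host"], r["dst_port"], r["action"], r["dir"])] += 1

    ifs_by_host = defaultdict(set)
    for ifname, hosts in hosts_by_if.items():
        for h in hosts:
            ifs_by_host[h].add(ifname)

    return {
        "per_if": dict(per_if),
        "hosts_by_if": {k: set(v) for k, v in hosts_by_if.items()},
        "straddling_hosts": {h for h, ifs in ifs_by_host.items() if len(ifs) > 1},
        "repeated_flows": {f for f, n in flow_hits.items() if n > 1},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_PFLOG)
    for ifname, n in sorted(s["per_if"].items()):
        print(f"{ifname}: {n} blocked, hosts {sorted(s['hosts_by_if'][ifname])}")
    print("hosts seen on more than one member interface:",
          sorted(s["straddling_hosts"]) or "none")
    print("flows logged more than once:", len(s["repeated_flows"]))
```

Feed it real data with `tcpdump -n -e -ttt -i pflog0` piped into `summarize(sys.stdin)`; the `-e` flag is what makes tcpdump print the rule, action and interface fields the regex relies on. In the posted sample each host is only ever seen on one of the two member interfaces, which is consistent with Henning's answer that the interface in the log is simply the one the kernel handed the packet to pf on.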