2011/5/10 Daniel Hartmeier <[email protected]>:
> On Tue, May 10, 2011 at 06:45:08PM +0200, Nicolas GRENECHE wrote:
>
>> Regarding tcpdump, packets seem to go through the interface. Why
>> doesn't pf see them?
>
> The destination MAC addresses of the ethernet frames do not match the
> firewall's.
>
> By putting the interfaces into promiscuous mode, the frames are copied
> to BPF readers (like tcpdump), but the host then ignores the frame.
> Since the host is neither the recipient nor bridging, there is no reason
> to pf filter the packet, as the frame will be dropped anyway.
>
> I guess you could add the interfaces to bridges or some such construct,
> to get pf filtering involved. It depends on WHY you want pf to filter
> something you don't want to forward, i.e. what would be the purpose of
> the packet showing up on pflog.
>
> Daniel
>
Thanks a lot Daniel, you put me on the right way!

The reason was that I set up the bridge with the "monitoring" option, which only lets bpf readers acquire network and drop packet.

Now it works perfectly.

Regards,
