Hello Koen,

On 09.02.2008, at 21:27, Koen Martens wrote:

> http://coombs.anu.edu.au/~avalon/ipfilfaq.html#freebsd1 suggests it is possible to use ipfilter to filter bridged traffic.
>
> However, this does not seem to be the case (unless 'recent' means more recent than 6.2-RELEASE-p10).

It sounds like you're using the old-style "BRIDGE" and not if_bridge... If that's indeed the case, the reason why your bridged traffic isn't passed through ipfilter is that ipfw is also loaded (sounds dumb I know, but that's the way it's coded ;). Have a look at /sys/net/bridge.c and search for "XXX: Prevent ipfw from being run twice", and you'll know why this happens.

You can find a fix in the m0n0wall repository:

http://svn.m0n0.ch/wall/branches/freebsd6/build/patches/kernel/kernel-6.patch
(only the sys/net/bridge.c patch needs to be applied)

Or you could switch to if_bridge, which seems to be preferred now... but according to its manpage, it has the same issue of running ipfw twice (once directly, and once via pfil).

HTH,

Manuel

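As an added illustration, not part of Manuel's reply nor of the m0n0wall patch: the if_bridge alternative he mentions, set up so that bridged IP packets reach ipfilter through the pfil hooks rather than through ipfw's layer-2 hook. The sysctl names are the ones documented in if_bridge(4) on FreeBSD 6.x; the member interface names em0/em1 and the rules file path are assumptions. Whether this avoids the double run Manuel describes is not something the thread settles; after a reboot, `sysctl net.link.bridge` confirms the values took effect.

```conf
# /etc/rc.conf -- if_bridge instead of the old BRIDGE kernel option
# (em0/em1 are assumed member interfaces)
cloned_interfaces="bridge0"
ifconfig_em0="up"
ifconfig_em1="up"
ifconfig_bridge0="addm em0 addm em1 up"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"      # assumed path

# /etc/sysctl.conf -- if_bridge filtering knobs
# Do not pass bridged frames through ipfw's layer-2 hook; if ipfw is
# loaded it then only sees packets once, via pfil, like ipfilter does.
net.link.bridge.ipfw=0
# Run the pfil hooks (ipfilter/ipfw/pf) on the member interfaces
# and on bridge0 itself.
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
# Only IP traffic goes through pfil; ARP and other non-IP frames
# are bridged unfiltered.
net.link.bridge.pfil_onlyip=1
```

With pfil_member=1 and pfil_bridge=1 a packet can hit the ipfilter rules twice as well (once on the member interface, once on bridge0), so write the rules with explicit `on em0` / `on bridge0` clauses or set only one of the two to 1, depending on which interface names the rules refer to.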