-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Manuel,

On Sat, Feb 09, 2008 at 10:02:23PM +0100, Manuel Kasper wrote:
> On 09.02.2008, at 21:27, Koen Martens wrote:
>> http://coombs.anu.edu.au/~avalon/ipfilfaq.html#freebsd1 suggests it is
>> possible to use ipfilter to filter bridged traffic.
>>
>> However, this does not seem to be the case (unless 'recent' means more
>> recent than 6.2-RELEASE-p10).
>
> It sounds like you're using the old-style "BRIDGE" and not if_bridge... If
> that's indeed the case, the reason why your bridged traffic isn't passed
> through ipfilter is that ipfw is also loaded (sounds dumb I know, but
> that's the way it's coded ;). Have a look at /sys/net/bridge.c and search
> for "XXX: Prevent ipfw from being run twice", and you'll know why this
> happens.

Thanks, I'll be sure to check that out.

> You can find a fix in the m0n0wall repository:
>
> http://svn.m0n0.ch/wall/branches/freebsd6/build/patches/kernel/kernel-6.patch
> (only the sys/net/bridge.c patch needs to be applied)
>
> Or you could switch to if_bridge, which seems to be preferred now... but
> according to its manpage, it has the same issue of running ipfw twice (once
> directly, and once via pfil).

Yes, I think we should switch to if_bridge sooner or later. This is a system
(or rather, systems) I've recently acquired to maintain, so I will have to
move slowly here.

Thanks again! I still do think the FAQ needs updating though; if necessary
I'd be happy to write the updated text.

Gr,

Koen

- --
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, hosting, embedded systems, unix, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHsJQQktDgRrkFPpYRAmNaAKCEdc9GIcdrtRc0bIaKuXo2aSCmJwCgocWx
WKD+bfJ2o2Fi5Tr2Qofqx+w=
=9nRa
-----END PGP SIGNATURE-----
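Before patching bridge.c or migrating to if_bridge, it helps to know which of the two situations Manuel describes actually applies to a given box: old-style BRIDGE with ipfw present (bridged frames never reach ipfilter) or if_bridge with both its direct ipfw hook and the pfil knobs enabled (ipfw consulted twice). The script below is an added example, mine rather than code from this thread or from FreeBSD; it classifies the text of `sysctl -a` on a 6.x host. The sysctl names are the ones the old BRIDGE code (net.link.ether.bridge.*), if_bridge(4) (net.link.bridge.*), ipfw (net.inet.ip.fw.*) and ipfilter (net.inet.ipf.*) export; the classification labels and the sample sysctl output are this script's own construction, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: classify how bridged
# frames reach the packet filters on a FreeBSD 6.x host, from `sysctl -a` text.
# Labels printed by classify_bridge_filtering are this script's own invention.

# has_sysctl TEXT NAME_PREFIX  -> success if some line starts with NAME_PREFIX
has_sysctl() {
    printf '%s\n' "$1" | grep -q "^$2"
}

# sysctl_value TEXT NAME -> prints the value following "NAME: " (empty if absent)
sysctl_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p"
}

# classify_bridge_filtering TEXT -> prints exactly one of:
#   none                     no bridge code present
#   old-BRIDGE               options BRIDGE / bridge.ko, no ipfw
#   old-BRIDGE+ipfw          old BRIDGE and ipfw, but no ipfilter to bypass
#   old-BRIDGE+ipfw-bypass   old BRIDGE, ipfw and ipfilter: the case in the thread,
#                            ipfilter never sees bridged frames
#   if_bridge                if_bridge(4), no ipfw
#   if_bridge+ipfw           if_bridge and ipfw, direct hook and pfil not both on
#   if_bridge+ipfw-twice     net.link.bridge.ipfw=1 together with pfil_member or
#                            pfil_bridge =1, so ipfw runs directly and again via pfil
classify_bridge_filtering() {
    s=$1
    if has_sysctl "$s" 'net.link.ether.bridge.enable'; then
        if has_sysctl "$s" 'net.inet.ip.fw.enable'; then
            if has_sysctl "$s" 'net.inet.ipf.'; then
                echo old-BRIDGE+ipfw-bypass
            else
                echo old-BRIDGE+ipfw
            fi
        else
            echo old-BRIDGE
        fi
    elif has_sysctl "$s" 'net.link.bridge.pfil_bridge'; then
        if has_sysctl "$s" 'net.inet.ip.fw.enable'; then
            l2=$(sysctl_value "$s" 'net.link.bridge.ipfw')
            pm=$(sysctl_value "$s" 'net.link.bridge.pfil_member')
            pb=$(sysctl_value "$s" 'net.link.bridge.pfil_bridge')
            if [ "$l2" = 1 ] && { [ "$pm" = 1 ] || [ "$pb" = 1 ]; }; then
                echo if_bridge+ipfw-twice
            else
                echo if_bridge+ipfw
            fi
        else
            echo if_bridge
        fi
    else
        echo none
    fi
}

# Constructed sample sysctl output (not captured from a real host).
SAMPLE_OLD_BRIDGE_IPFW='net.link.ether.bridge.enable: 1
net.link.ether.bridge.ipfw: 0
net.inet.ip.fw.enable: 1
net.inet.ipf.fr_pass: 0'

SAMPLE_IF_BRIDGE_TWICE='net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw: 1
net.inet.ip.fw.enable: 1'

SAMPLE_IF_BRIDGE='net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw: 0
net.inet.ipf.fr_pass: 0'

printf 'sample old BRIDGE + ipfw + ipf : %s\n' "$(classify_bridge_filtering "$SAMPLE_OLD_BRIDGE_IPFW")"
printf 'sample if_bridge, ipfw twice   : %s\n' "$(classify_bridge_filtering "$SAMPLE_IF_BRIDGE_TWICE")"
printf 'sample if_bridge, ipfilter only: %s\n' "$(classify_bridge_filtering "$SAMPLE_IF_BRIDGE")"

# On a real FreeBSD host, classify the live sysctl tree as well.
if [ "$(uname -s)" = FreeBSD ]; then
    printf 'this host                      : %s\n' "$(classify_bridge_filtering "$(sysctl -a 2>/dev/null)")"
fi
```

Run it as `sh check_bridge.sh` on the box in question; anything other than `old-BRIDGE+ipfw-bypass` means the bridge.c patch from the m0n0wall tree is not what is stopping ipfilter from seeing the traffic, and `if_bridge+ipfw-twice` is the condition to watch for after a migration to if_bridge.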
