On Thu, 2005-04-07 at 12:58 +1200, Russell Fulton wrote:
> I am seeing packets being dropped by pf that should not traverse the
> bridge at all (i.e. packets between hosts that are on the same side of
> the bridge). After a little thought I came to the conclusion that this
> is quite plausible since the filtering is taking place on the interface
> closest to the affected hosts and the packets are hitting pf before they
> get to the bridging logic.
Thanks to those who clarified the way bridge and pf interact and to Camiel Dobbelaar who suggested some useful diagnostics in private email. I now know what is going on.

A while ago we were having some issues with our two pf/bridges interacting with our Cisco switches; the network folk got these partly resolved by turning learning off on the bridges, so now they are simply flooding everything back and forth -- which is exactly what I had observed. Sigh...

Thanks again and apologies for bothering the list with something that should have been sorted out locally. Yet another illustration of the rule that one should post config files when asking questions. If I had done that I would have noticed that learning had been turned off and solved the problem then and there.

Russell
-- 
Russell Fulton, Information Security Officer, The University of Auckland New Zealand
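The diagnosis above (learning disabled, so the bridge floods every frame out the far port and pf on that interface sees traffic that never needed to cross) can be illustrated with a toy model of a two-port transparent bridge. This is an added example, not code from the original message or from OpenBSD; the interface names fxp0/fxp1 and the MAC addresses are constructed for the demonstration.

```python
"""Toy two-port transparent bridge: shows how disabling MAC learning turns
every same-side frame into a flood across the bridge (and therefore into
a frame that pf on the far member interface gets to filter)."""

from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str  # source MAC
    dst: str  # destination MAC


@dataclass
class Bridge:
    learning: bool = True
    ports: tuple = ("fxp0", "fxp1")  # hypothetical member interface names
    table: dict = field(default_factory=dict)  # learned MAC -> port

    def receive(self, in_port: str, frame: Frame) -> list:
        """Return the list of ports the frame is forwarded out of."""
        if self.learning:
            # a learning bridge remembers which port each source lives behind
            self.table[frame.src] = in_port
        out_port = self.table.get(frame.dst)
        if out_port is None:
            # unknown destination (always the case with learning off): flood
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # destination is on the same side as the sender: nothing to bridge
            return []
        return [out_port]


def frames_crossing(learning: bool) -> int:
    """Count how many frames exchanged between two hosts that both sit on
    fxp0 are pushed out fxp1, i.e. reach the pf filter on the far side."""
    br = Bridge(learning=learning)
    host_a = "00:00:00:00:00:0a"  # constructed MAC, on the fxp0 side
    host_b = "00:00:00:00:00:0b"  # constructed MAC, also on the fxp0 side
    conversation = [
        Frame(host_a, host_b),
        Frame(host_b, host_a),
        Frame(host_a, host_b),
        Frame(host_b, host_a),
    ]
    crossings = 0
    for frame in conversation:
        if "fxp1" in br.receive("fxp0", frame):
            crossings += 1
    return crossings


if __name__ == "__main__":
    print("learning on :", frames_crossing(True), "frame(s) crossed the bridge")
    print("learning off:", frames_crossing(False), "frame(s) crossed the bridge")
```

With learning on, only the very first frame (unknown destination) is flooded; once both MACs are learned on fxp0 the bridge drops same-side traffic on the floor and pf on fxp1 never sees it. With learning off, every frame of the conversation is flooded out fxp1, which is exactly the "dropped by pf but should never have crossed" symptom reported in the quoted message. Checking `brconfig`/`ifconfig` output for the bridge's learning flags before posting would have shown the difference.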