This came through to me from the list with “no content”, so I’m trying again.
——
My box has three interfaces, dc0 to manage, em0 and em1 for bridging external
LAN to internal LAN.
hostname.em0: up
hostname.em1: up
hostname.bridge0: add em0 add em1 up
Bridge works,
On Sat, Feb 20, 2021 at 04:17:11PM -0600, Eric Zylstra wrote:
> -But-
> make one simple change to filter on the bridge0 interface—
>
> pf.conf:
> filtered = "{ bridge0 }"
> not_filtered = "{ lo, dc0, em0, em1 }"
> block log on $filtered
> set skip on $not_filtered
>
> `doas
) doesn't work like that on OpenBSD. You need to filter the member
ports instead.
On the whole bridge and PF interactions are a bit complicated. Keep an eye
out for veb(4) (https://marc.info/?l=openbsd-tech&m=161335364329307&w=2)
which may be coming to a tree near you soon which will simplify things a lot.
On Wed, Mar 24, 2010 at 09:08:48PM -0400, Geoff wrote:
I'm trying to set up spamd on my firewall system.
The configuration is tricky because my upstream provider
(Verizon) only gives me 5 IPs, all on the same subnet.
The firewall system is acting as a bridge and as a router.
SNEEP
I think
Date: Thu, 25 Mar 2010 13:36:53 -0400
To: Geoff g...@oat.com
Cc: misc@openbsd.org
Subject: Re: pf vs. bridge vs. spamd
On Wed, Mar 24, 2010 at 09:08:48PM -0400, Geoff wrote:
I'm trying to set up spamd on my firewall system.
The configuration is tricky because my upstream provider
(Verizon) only gives me 5 IPs, all on the same subnet.
The firewall system is acting as a bridge and as a router.
I've been
tried to assign the routable address of the firewall machine
to an interface on the bridge and the pf rules became
a nightmare of complexity and never worked right.
There is no way I can get an additional IP from the provider
to talk to the upstream link (without paying many $$$).
The system
Hi!
Wouldn't it be better to not use the bridge and use (multicast-)routing
and pf to solve your problem?
Multicast routing with dvrmpd is tested with pf, does not work. The
same thing happens, if streamX is allowed to pass out on vlanX and
streamY is allowed to pass out on vlanY, result is
it be better to not use the bridge and use (multicast-)routing
and pf to solve your problem?
As I said, I have no experience with multicast traffic, but that is how
I would start digging.
guido
I have a problem with pf+bridge+vlan (multicast traffic) and I googled
a lot, read the manuals and so
, PF is able to control
multicast traffic in either direction (I just tried).
from my reading of if_bridge.c, on a bridge, pf filtering for
multicast frames only happens _inbound_. multicast frames sent
_out_ through a bridge are not subject to the outbound PF filter
rules.
bridge MAC filter rules
on vlanY, result is pretty similar:
vlanX outputs both streams (streamX, streamY) and the same thing with
vlanY. pf is not 100% percent multicast compat.?
As I said, I have no experience with multicast traffic, but that is how
I would start digging.
guido
I have a problem with pf+bridge+vlan
.
with a routed (not bridged) environment, PF is able to control
multicast traffic in either direction (I just tried).
from my reading of if_bridge.c, on a bridge, pf filtering for
multicast frames only happens _inbound_. multicast frames sent
_out_ through a bridge are not subject to the outbound PF
On 2009-01-20, Key Aavoja k...@neoon.com wrote:
Wouldn't it be better to not use the bridge and use (multicast-)routing
and pf to solve your problem?
Multicast routing with dvrmpd is tested with pf, does not work. The
same thing happens, if streamX is allowed to pass out on vlanX and
streamY
you're looking for?
pf is not 100% percent multicast compat.?
see the last couple of paragraphs of my earlier post about that -
fine when it's routed, some limitations as a bridge.
Thanks, I read and now I understand completely.
Btw. test with dvrmpd was without a bridge, but pf filtering
Hello,
I have a problem with pf+bridge+vlan (multicast traffic) and I googled
a lot, read the manuals and so on - no help. Finally I posted in the wrong
place :( sorry.
Hopefully this time I'm writing to the right place.
Following setup is made for multicast traffic separation from one lan
Hi all!,
I've been searching lists with regards to building a Visible
Bridge/Router with PF on OpenBSD.
But most of the material I see are for invisible bridge configs. I
wanted to just do a straight Routing/Bridging on my FW's
(without the use of NAT)
Any comments or experiences shared
It's the same as an invisible bridge except you have IP's on the if's,
that's the only diff.
Beavis wrote:
Hi all!,
I've been searching lists with regards to building a Visible
Bridge/Router with PF on OpenBSD.
But most of the material I see are for invisible bridge configs. I
wanted
May i ask why you are using a bridge between ISP and OpenBSD firewall?
why not just implement QoS on the firewall if its OpenBSD anyway?
Have you verified ports for your voip? it looks like you are expecting
your outbound voip connection to be connection control=5060 and
media=1-2, i
Hi,
I have a group of static ips and on one of my static ips I am running
an OpenBSD 4.2 firewall with pf using nat and altq. Behind the OpenBSD
firewall I have an asterisk server.
So in order for me to implement QoS, I have set up a non-transparent
bridge between my ISP router and the OpenBSD
All documentation I have seen about configuring pf on a bridge states
to pass in/out all on one interface and filter in/out on the other.
Why not just 'set skip on { lo, $bridge_int_1 }', then filter on
$bridge_int_0?
Luke
On 2/25/06, Luke Eckley [EMAIL PROTECTED] wrote:
All documentation I have seen about configuring pf on a bridge states
to pass in/out all on one interface and filter in/out on the other.
Why not just 'set skip on { lo, $bridge_int_1 }', then filter on
$bridge_int_0?
Why not filter inbound