Subject: Re: Change to bridging? (was Re: IPF and ssh
To: Julian Coleman <jdc@coris.org.uk>
From: Mark Nelson <mn@tardis.cx>
List: current-users
Date: 11/18/2003 13:13:11
On Tue, 18 Nov 2003, Julian Coleman wrote:

To be honest I don't think my machine is set up to bridge, what I have is
3 interfaces -

ex0 - connection to the net
ex1 - connection to the local lan
ex2 - connection to the DMZ

What I would expect to happen is for the packet from the remote machine
(144.32.60.78) to arrive on interface ex0 and be passed out on ex2 to the
machine connected to that switch.  The machine that is running ssh is
trying to connect to a destination port on the remote machine (ip address
144.32.60.78).  What is happening is that my catch-all rule -

block in log from any to any

is stopping it happening.  I assumed that because I had a keep state on
the original rule

pass out quick on ex0 proto tcp from any to 217.119.6.226 port = ssh flags S/SA keep state

that any connections back to the remote machine would be passed, as this, I
assumed, would be an established connection.  Or have I got confused about
how the keep state directive works?


Any advice gratefully received.

Mark.
> When I was looking at the bridge + ipf code, I noticed that all packets for
> my IP address passed through ipf on the interface which had the IP address
> assigned, not on the interface where the packet arrived on the wire.  I.e.,
>
>   bridged interfaces (+ipf)
>     le0  81.2.110.41
>     qe0
>     qe1
>
> A packet destined for 82.1.110.41 arriving on the wire via qe0 or qe1 would
> show up in ipf as arriving on le0.  Is this what you mean?  I'd assumed that
> it was meant to work this way.  Was it different at some point in the past?
> (I didn't change this behaviour.)
>
> J
>
> --
>                     My other computer also runs NetBSD
>                           http://www.netbsd.org/
>
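The exchange above turns on which packets a "keep state" entry actually covers. The following is an added example, not code from the mail, from NetBSD or from IPFilter: a small Python model of how ipf evaluates a rule list (state table consulted first, last match wins unless "quick", "flags S/SA" matching only the initial SYN, "keep state" recording the connection's endpoints). It feeds the two rules quoted in the mail, followed by an assumed extra inbound keep-state rule, with a handful of constructed packets. The addresses 10.0.1.7 and 10.0.2.5 are constructed placeholders for a LAN host and a DMZ host; 217.119.6.226, 144.32.60.78 and the interface names come from the mail. The model deliberately does not bind state entries to interfaces and filters one (interface, direction) pass at a time; both are simplifications, not a description of any ipf release.

```python
"""Toy model of how IPFilter (ipf) applies 'keep state' to a rule list.

Added example; not ipf source code.  Modelling assumptions (not verified
against any particular ipf release):
  * the state table is consulted before the rule list, and a hit passes
    the packet without consulting any rule;
  * rules are evaluated in order and the last match wins, unless a
    matching rule says 'quick', which stops evaluation at that rule;
  * 'flags S/SA' matches when, of the SYN and ACK bits, only SYN is set;
  * 'keep state' on a matching 'pass' rule records the connection's two
    (address, port) endpoints, so later packets of that connection, in
    either direction, are passed by the state table;
  * a packet matching no rule is passed (ipf's default when nothing matches);
  * state is not bound to an interface (a simplification).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str       # e.g. "ex0"
    direction: str   # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters, e.g. "S" or "SA"


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    iface: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    flags: Optional[str] = None   # only "S/SA" is modelled
    quick: bool = False
    keep_state: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.iface != "any" and self.iface != p.iface:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.flags == "S/SA" and (set(p.flags) & {"S", "A"}) != {"S"}:
            return False
        return True


class Ipf:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.state = set()   # each entry: frozenset of the two (addr, port) endpoints
        self.log = []        # constructed log lines for rules carrying 'log'

    @staticmethod
    def _key(p: Packet):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one pass of a packet through the filter."""
        key = self._key(p)
        if key in self.state:
            return "pass", "state"
        matched = None
        for r in self.rules:
            if r.matches(p):
                matched = r
                if r.quick:
                    break
        if matched is None:
            return "pass", "no rule matched"
        if matched.action == "pass" and matched.keep_state:
            self.state.add(key)
        if matched.log:
            self.log.append(f"{matched.action} {p.direction} on {p.iface} "
                            f"{p.src},{p.sport} -> {p.dst},{p.dport} {p.flags}")
        return matched.action, f"rule {self.rules.index(matched) + 1}"


# The two rules quoted in the mail, in the order given there.
MAIL_RULES = [
    Rule("block", "in", log=True),                        # block in log from any to any
    Rule("pass", "out", iface="ex0", dst="217.119.6.226", dport=22,
         flags="S/SA", quick=True, keep_state=True),      # pass out quick on ex0 ... keep state
]
LAN_HOST = "10.0.1.7"      # constructed placeholder
DMZ_HOST = "10.0.2.5"      # constructed placeholder
REMOTE = "144.32.60.78"    # from the mail
# Assumed additional rule: a keep-state pass for SSH arriving on ex0 for the DMZ host.
INBOUND_FIX = Rule("pass", "in", iface="ex0", dst=DMZ_HOST, dport=22,
                   flags="S/SA", quick=True, keep_state=True)


def run_scenario(rules: List[Rule]):
    """Push four constructed packets through a fresh filter; return verdicts and log."""
    fw = Ipf(rules)
    pkts = {
        "syn_out":          Packet("ex0", "out", LAN_HOST, 40001, "217.119.6.226", 22, "S"),
        "synack_back":      Packet("ex0", "in", "217.119.6.226", 22, LAN_HOST, 40001, "SA"),
        "syn_from_remote":  Packet("ex0", "in", REMOTE, 50123, DMZ_HOST, 22, "S"),
        "synack_to_remote": Packet("ex0", "out", DMZ_HOST, 22, REMOTE, 50123, "SA"),
    }
    return {name: fw.filter(p) for name, p in pkts.items()}, fw.log


if __name__ == "__main__":
    for label, rules in (("mail rules", MAIL_RULES), ("with inbound rule", MAIL_RULES + [INBOUND_FIX])):
        verdicts, log = run_scenario(rules)
        print(label, verdicts, log)
```

With only the two quoted rules, the state entry created by the outbound SYN passes that connection's reply, but it says nothing about a separate connection arriving from 144.32.60.78: its SYN matches no pass rule, so the catch-all "block in" is the last (and only) match and the packet is logged and dropped. Adding a keep-state pass rule for the inbound leg makes the SYN from the remote create its own state entry, after which the DMZ host's SYN/ACK is passed from the state table without consulting the rules.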