Subject: Re: problems with pf
To: George Georgalis <george@galis.org>
From: Pavel Cahyna <cahyna@pc313.imc.cas.cz>
List: netbsd-users
Date: 12/26/2005 23:07:58
On Mon, 26 Dec 2005 16:25:19 -0500, George Georgalis wrote:

> On Mon, Dec 26, 2005 at 07:02:23PM +0100, Pavel Cahyna wrote:
>>On Mon, Dec 26, 2005 at 12:58:27PM -0500, George Georgalis wrote:
>>> On Mon, Dec 26, 2005 at 06:43:25PM +0100, Pavel Cahyna wrote:
>>> >Do you have options BRIDGE_IPF? And do you use "brconfig bridge0 ipf"?
>>> 
>>> maybe I need to build a kernel after all? Thanks.
>>
>>Please report what you find, I'm curious if BRIDGE_IPF works with pf (it
>>should, but I think it was tested only with IPF).
> 
> Doesn't seem to work... I'm running a GENERIC plus BRIDGE_IPF and
> pf enabled kernel with a minimal /etc/pf.conf
> 
> # fxp0/fxp1: the same interfaces named in the brconfig line below
> if_dmz = fxp0
> if_net = fxp1
> block in on $if_net proto { tcp,udp } from any to any port 53
> block out on $if_net proto { tcp,udp } from any to any port 53
> 
> and the following /etc/ifconfig.bridge0
> 
> create
> !brconfig $int ipf add fxp0 add fxp1 up
> 
> when I enable the pf rules, dns passes right through...
> 
> have I missed something or is there any diagnostics I can provide?

brconfig bridge0 ipf

For diagnostics: pf does logging...
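Added example, not part of the thread: the same setup written out with the rules made to log, plus the commands for checking whether pf is actually seeing the bridged packets. The interface names fxp0/fxp1 follow George's brconfig line; the `log` and `quick` keywords, the pflog pseudo-device, the rc.conf knobs and the pfctl(8)/brconfig(8)/tcpdump(8) invocations are standard NetBSD 3.x usage and are additions to what George posted.

```conf
# --- kernel config: GENERIC plus these lines (what George built) ---
options         BRIDGE_IPF      # let the bridge pass packets through the pfil(9) hooks
pseudo-device   pf              # PF packet filter
pseudo-device   pflog           # pflog0, needed to see what the log rules hit

# --- /etc/rc.conf ---
pf=YES                          # load /etc/pf.conf and enable pf at boot
pflogd=YES                      # capture pflog0 to its log file (/var/log/pflog by default)

# --- /etc/ifconfig.bridge0 ---
# $int is expanded to "bridge0" by /etc/rc.d/network.  "ipf" switches
# filtering on for this bridge; it is off by default even with BRIDGE_IPF
# compiled in, and without it the rules below are never consulted.
create
!brconfig $int ipf add fxp0 add fxp1 up

# --- /etc/pf.conf ---
if_dmz = "fxp0"
if_net = "fxp1"
# "log" copies each blocked packet to pflog0; "quick" stops rule evaluation
# at the match so a later pass rule cannot override the block
block in  log quick on $if_net proto { tcp, udp } from any to any port 53
block out log quick on $if_net proto { tcp, udp } from any to any port 53

# --- diagnostics (run as root) ---
# pfctl -nf /etc/pf.conf              syntax-check the ruleset without loading it
# pfctl -f /etc/pf.conf && pfctl -e   load the ruleset and enable pf
# pfctl -vvsr                         list rules with hit/byte counters and rule
#                                     numbers; counters that stay at 0 while DNS
#                                     keeps flowing mean pf never sees the bridged
#                                     packets (ipf flag not set, or kernel lacks it)
# brconfig bridge0                    show the bridge members and configuration
# tcpdump -n -e -ttt -i pflog0        watch blocked packets arrive at pflog0
```

The rule counters from `pfctl -vvsr` are the quickest way to separate the two failure modes: if the counters move but DNS still passes, the ruleset is wrong; if they never move, the packets are not reaching pf at all and the bridge side (BRIDGE_IPF plus `brconfig bridge0 ipf`) is what to look at.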