Subject: Re: problems with pf
To: None <netbsd-users@netbsd.org>
From: George Georgalis <george@galis.org>
List: netbsd-users
Date: 12/26/2005 16:25:19
On Mon, Dec 26, 2005 at 07:02:23PM +0100, Pavel Cahyna wrote:
>On Mon, Dec 26, 2005 at 12:58:27PM -0500, George Georgalis wrote:
>> On Mon, Dec 26, 2005 at 06:43:25PM +0100, Pavel Cahyna wrote:
>> >On Mon, Dec 26, 2005 at 12:29:28PM -0500, George Georgalis wrote:
>> >> Now I'm working out my first BSD bridge, and I seem to have a
>> >> misunderstanding of pf, in this test all traffic but dns should
>> >> pass through,
>> >> 
>> >> if_dmz = fpx0
>> >> if_net = fpx1
>> >> pass in  quick on $if_dmz all
>> >> pass out quick on $if_dmz all
>> >> block on $if_net proto { tcp,udp } from any to any port 53
>> >> 
>> >> but the block rule doesn't seem to stop anything... :-\
>> >> What's wrong here?
>> >
>> >Do you have options BRIDGE_IPF? And do you use "brconfig bridge0 ipf"?
>> 
>> maybe I need to build a kernel after all? Thanks.
>
>Please report what you find, I'm curious if BRIDGE_IPF works with pf (it
>should, but I think it was tested only with IPF).

Doesn't seem to work... I'm running a GENERIC plus BRIDGE_IPF and
pf enabled kernel with a minimal /etc/pf.conf

if_dmz = fpx0
if_net = fpx1
block in on $if_net proto { tcp,udp } from any to any port 53
block out on $if_net proto { tcp,udp } from any to any port 53

and the following /etc/ifconfig.bridge0

create
!brconfig $int ipf add fxp0 add fxp1 up

when I enable the pf rules, DNS passes right through...

have I missed something or is there any diagnostics I can provide?

// George


-- 
George Georgalis, systems architect, administrator <IXOYE><
http://galis.org/ cell:646-331-2027 mailto:george@galis.org
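One thing worth checking before rebuilding kernels: the pf.conf quoted above binds its rules to macros that expand to fpx0/fpx1, while the brconfig line adds fxp0 and fxp1 to the bridge. Whether that is a transcription slip in the mail or the real config is not clear from the thread, but pf accepts an `on <interface>` clause for an interface that does not exist (interfaces may be created later), so a mistyped name loads cleanly and simply never matches. The script below is an added example, not code from the thread or from NetBSD: it expands pf macros, collects every interface a rule is bound to, and compares them against the bridge members from /etc/ifconfig.bridge0 and against the interfaces present on the host. The interface list is a constructed stand-in for `ifconfig -l` output (assumed to be fxp0, fxp1, bridge0 and lo0) so it runs offline; the two config fragments are copied from the thread as posted.

```python
"""Static check for pf.conf `on <interface>` clauses on a NetBSD bridge host.

Added example, not code from the thread. pf loads a rule bound to a
non-existent interface without complaint, so a typo in an interface
macro produces a rule that never matches. The helpers expand macros,
pull out every `on X` binding, and cross-check them against the bridge
members and the interfaces that actually exist.
"""
import re

# Constructed sample inputs, copied from the thread as posted.
PF_CONF = """\
if_dmz = fpx0
if_net = fpx1
block in on $if_net proto { tcp,udp } from any to any port 53
block out on $if_net proto { tcp,udp } from any to any port 53
"""

BRIDGE_CONF = """\
create
!brconfig $int ipf add fxp0 add fxp1 up
"""

# Constructed stand-in for `ifconfig -l` output on the bridge host (assumption).
LIVE_INTERFACES = {"fxp0", "fxp1", "bridge0", "lo0"}

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"\s]+)"?$')
ON_RE = re.compile(r'\bon\s+(\$\w+|\w+)\b')
ADD_RE = re.compile(r'\badd\s+(\w+)\b')


def strip_comment(line):
    """Drop a trailing pf-style `#` comment and surrounding whitespace."""
    return line.split('#', 1)[0].strip()


def parse_macros(conf):
    """Return {name: value} for simple `name = value` macro lines."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(strip_comment(line))
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def rule_interfaces(conf, macros):
    """Return (line_no, token, expanded_name) for each `on X` in a rule line.

    expanded_name is None when X is a $macro that is not defined.
    """
    found = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = strip_comment(raw)
        if not line or MACRO_RE.match(line):
            continue
        for tok in ON_RE.findall(line):
            name = macros.get(tok[1:]) if tok.startswith('$') else tok
            found.append((n, tok, name))
    return found


def bridge_members(conf):
    """Interfaces added to the bridge by `brconfig ... add <if>` lines."""
    members = set()
    for line in conf.splitlines():
        if 'brconfig' in line:
            members.update(ADD_RE.findall(line))
    return members


def check(pf_conf, bridge_conf, live_interfaces):
    """Return a list of problem strings; an empty list means every `on` clause is sound."""
    macros = parse_macros(pf_conf)
    members = bridge_members(bridge_conf)
    problems = []
    for n, tok, name in rule_interfaces(pf_conf, macros):
        if name is None:
            problems.append(f"line {n}: macro {tok} is not defined")
        elif name not in live_interfaces:
            problems.append(f"line {n}: {tok} expands to {name}, which does not exist; "
                            "pf loads the rule but it can never match")
        elif name not in members:
            problems.append(f"line {n}: {name} is not a bridge member; frames bridged "
                            "between the members are not seen on it")
    return problems


if __name__ == '__main__':
    for p in check(PF_CONF, BRIDGE_CONF, LIVE_INTERFACES) or ["no problems found"]:
        print(p)
```

Run against the thread's own fragments it reports both block rules as bound to a non-existent fpx1; with the macros pointing at fxp0/fxp1 it reports nothing. On the live box the same comparison is `pfctl -sr` against `ifconfig -l` and `brconfig bridge0`, which is a cheaper first step than a kernel rebuild.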