
Re: pppoe, bridge and pf

Making, drinking tea and reading an opus magnum from Dries Schellekens:
> On Thu, 21 Nov 2002 Kruse@email.si wrote:
> > Hi,
> >
> > I'm trying to set up an invisible firewall (OBSD 3.2) as it is described here:
> >
> > http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html
> >
> > The bridge is working, but pf rules block in(out) all are passing all
> > traffic in and out. I'm using raspppoe client on my internal box (for
> > ADSL modem). Am I missing something or it's just a limitation (mine;).
> > Any help will be appreciated.
> PPPoE = PPP (point to point protocol) over ethernet. This puts PPP packets
> into ethernet frames (layer 2).
> PF is a packet filter and works at layer 3 (IP) and 4 (TCP, UDP, ...). It
> doesn't operate at layer 2.
> I think you get the picture. That's why PF is unable to filter AppleTalk,
> IPX, ... either.
you are not entirely right, although you've heard about layers.
the problem here is that to block non-ip protocols, "blocknonip"
should be used on the bridge.
otherwise the bridge does not parse any protocols other than ip and ipv6
for the purpose of filtering (and pppoe is neither of the two).
    paranoic mickey       (my employers have changed but, the name has remained)
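
The behaviour described in the reply above, as an added example that is not part of the original thread: a simplified model of how a filtering bridge decides by EtherType, showing why a PPPoE session frame carrying an IP packet never reaches pf. The function names and sample frames are constructed for illustration; the set of protocols still allowed under `blocknonip` (IPv4, IPv6, ARP, RARP) is an assumption taken from the brconfig(8) description.

```python
import struct

# IEEE-assigned EtherType values for the protocols named in the thread
ETHERTYPES = {
    0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x8035: "RARP",
    0x8863: "PPPoE discovery", 0x8864: "PPPoE session",
    0x809B: "AppleTalk", 0x8137: "IPX",
}
# Frames the bridge parses and hands to pf (per the reply: ip and ipv6 only)
FILTERABLE = {0x0800, 0x86DD}
# Assumption from brconfig(8): blocknonip still lets ARP and RARP through
BLOCKNONIP_ALLOWED = FILTERABLE | {0x0806, 0x8035}


def ethertype(frame: bytes) -> int:
    """Return the EtherType field (bytes 12-13 of an untagged Ethernet II frame)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


def bridge_verdict(frame: bytes, blocknonip: bool):
    """Model of the bridge's decision for one frame: (protocol name, fate)."""
    etype = ethertype(frame)
    name = ETHERTYPES.get(etype, "0x%04x" % etype)
    if etype in FILTERABLE:
        return name, "evaluated by pf"
    if blocknonip and etype not in BLOCKNONIP_ALLOWED:
        return name, "dropped by bridge"
    return name, "forwarded unfiltered"


def make_frame(etype: int, payload: bytes = b"") -> bytes:
    """Build a constructed frame with zeroed MAC addresses."""
    return bytes(12) + struct.pack("!H", etype) + payload


# Constructed samples. The PPPoE payload is: ver/type 0x11, code 0x00,
# session id 1, length 22, PPP protocol 0x0021 (IP), then a dummy IP header.
IP_HEADER = bytes([0x45]) + bytes(19)
PPPOE_SESSION = make_frame(0x8864, struct.pack("!BBHHH", 0x11, 0, 1, 22, 0x0021) + IP_HEADER)
PLAIN_IPV4 = make_frame(0x0800, IP_HEADER)
ARP = make_frame(0x0806, bytes(28))

if __name__ == "__main__":
    for label, frame in (("ipv4", PLAIN_IPV4), ("pppoe", PPPOE_SESSION), ("arp", ARP)):
        for flag in (False, True):
            print(label, "blocknonip=%s" % flag, bridge_verdict(frame, flag))
```

In this model `blocknonip` does not make pf inspect the IP packet inside the PPPoE frame; the bridge drops the frame, so a PPPoE client behind the bridge loses its session.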