
problem with bridge and pf -snapshot last night



Hi Daniel, list,
	I don't want to sound stupid here, but I have a problem with a
bridge and -current.  I realize current is for testing, but I wanted to help
test the QoS that is in pf now at work, to help contribute what I can (we are
an ISP).
OpenBSD 3.2-current (GENERIC) #20: Sun Dec  1 22:46:07 MST 2002
	I have 3 interfaces, one xl0 and 2 rl (0 & 1).  I have configured rl0
and rl1 in a bridge:
[email protected]:[~] 12:03:25 -> cat /etc/testbridge.bridge0 
add rl0
add rl1
up
and traffic is crossing the bridge, as I can see with tcpdump output.
bridge0: flags=41<UP,RUNNING> mtu 1500
venom# tcpdump -netttvvi rl1
tcpdump: WARNING: rl1: no IPv4 address assigned
tcpdump: listening on rl1
Dec 02 12:07:44.025608 0:10:4b:30:36:36 0:50:bf:39:3d:d6 0800 114: 192.168.1.192.17896 > 192.168.1.191.22: P 2599562820:2599562868(48) ack 3674499332 win 17376 <nop,nop,timestamp 401233087 157964272> (DF) [tos 0x10] (ttl 64, id 63415)
Dec 02 12:07:44.025699 0:10:4b:30:36:36 0:50:bf:39:3d:d6 0800 114: 192.168.1.192.17896 > 192.168.1.191.22: P 48:96(48) ack 1 win 17376 <nop,nop,timestamp 401233087 157964272> (DF) [tos 0x10] (ttl 64, id 54563)
Dec 02 12:07:44.025773 0:10:4b:30:36:36 0:50:bf:39:3d:d6 0800 114: 192.168.1.192.17896 > 192.168.1.191.22: P 96:144(48) ack 1 win 17376 <nop,nop,timestamp 401233087 157964272> (DF) [tos 0x10] (ttl 64, id 38259)
venom# tcpdump -netttvvi rl0
tcpdump: WARNING: rl0: no IPv4 address assigned
tcpdump: listening on rl0
Dec 02 12:08:17.104741 0:c0:f0:4c:6a:3e 0:10:4b:30:36:36 0806 60: arp reply 192.168.1.1 is-at 0:c0:f0:4c:6a:3e
Dec 02 12:08:17.104852 0:10:4b:30:36:36 0:c0:f0:4c:6a:3e 0800 98: 192.168.1.192 > 209.143.0.10: icmp: echo request (id:31825 seq:0) (ttl 255, id 38307)
Dec 02 12:08:17.230751 0:c0:f0:4c:6a:3e 0:10:4b:30:36:36 0800 98: 209.143.0.10 > 192.168.1.192: icmp: echo reply (id:31825 seq:0) (ttl 235, id 35793)
What I can't get to work is pf on the bridge interfaces:
venom# pfctl -vsr
@0 pass in log-all on rl0 all 
[ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     
]
@1 pass out log-all on rl0 all 
[ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     
]
@2 pass in log-all on rl1 all 
[ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     
]
@3 pass out log-all on rl1 all 
[ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     
]
I have a really simple rule set, just to log packets that cross it for now:
venom# pfctl -s rules
@0 pass in log-all on rl0 all 
@1 pass out log-all on rl0 all 
@2 pass in log-all on rl1 all 
@3 pass out log-all on rl1 all 
but as you can see from the pfctl -vsr output, nothing is being evaluated.
I have enabled this:
pf=YES                  # Packet filter / NAT
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
I did this:
venom# pfctl -e
pf enabled
altq enabled
and then I started to gather information from the log in /var/log/pflog.
My question is: did I miss something to turn this on so that the system
would enable pf by default?  I thought that was the point of "pf=YES #
Packet filter / NAT" in rc.conf.
Please correct me where I am wrong in my configuration.
Thanks
Jason Houx.
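The per-rule counters in the pfctl -vsr output above are the most direct check of whether pf is seeing any traffic on an interface at all. The following is an added example, not code from the post or from OpenBSD: a small Python parser for that output format (including the wrapped "]" continuation line shown in the post) that reports every rule whose Evaluations counter is still zero and lists member interfaces on which no rule has been evaluated. The sample output embedded in it is constructed for the example, with one rule given non-zero counters so the two cases can be told apart; rule numbers, interface names and counter values are illustrative only.

```python
import re

# Constructed sample of `pfctl -vsr` output in the layout seen in the post:
# each rule line is followed by a "[ Evaluations: ... ]" block whose closing
# bracket has wrapped onto its own line.  Rule @1 is given counters here so
# that the report shows both an idle and an active rule.
SAMPLE_PFCTL_VSR = """\
@0 pass in log-all on rl0 all 
[ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     
]
@1 pass out log-all on rl0 all 
[ Evaluations: 12        Packets: 12        Bytes: 1368        States: 0     
]
@2 pass in log-all on rl1 all 
[ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     
]
@3 pass out log-all on rl1 all 
[ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     
]
"""

# One rule plus its counter block.  DOTALL lets the non-greedy rule text and
# the trailing whitespace span the line break before "]".
RULE_BLOCK_RE = re.compile(
    r"^@(?P<num>\d+)\s+(?P<rule>.*?)\s*\[\s*"
    r"Evaluations:\s*(?P<evals>\d+)\s+Packets:\s*(?P<pkts>\d+)\s+"
    r"Bytes:\s*(?P<bytes>\d+)\s+States:\s*(?P<states>\d+)\s*\]",
    re.MULTILINE | re.DOTALL,
)


def parse_pfctl_vsr(text):
    """Parse verbose rule listing into a list of dicts, one per rule."""
    rules = []
    for m in RULE_BLOCK_RE.finditer(text):
        rules.append({
            "num": int(m["num"]),
            "rule": m["rule"],
            "evaluations": int(m["evals"]),
            "packets": int(m["pkts"]),
            "bytes": int(m["bytes"]),
            "states": int(m["states"]),
        })
    return rules


def interface_of(rule_text):
    """Return the interface named after 'on' in a rule, or None if absent."""
    m = re.search(r"\bon\s+(\S+)", rule_text)
    return m.group(1) if m else None


def idle_interfaces(rules):
    """Interfaces whose rules have all been evaluated zero times."""
    totals = {}
    for r in rules:
        ifn = interface_of(r["rule"])
        if ifn is None:
            continue
        totals[ifn] = totals.get(ifn, 0) + r["evaluations"]
    return sorted(ifn for ifn, total in totals.items() if total == 0)


def report(text):
    """Human-readable summary: one line per rule, then any idle interfaces."""
    rules = parse_pfctl_vsr(text)
    lines = []
    for r in rules:
        flag = "NO TRAFFIC" if r["evaluations"] == 0 else "ok"
        lines.append(f"@{r['num']:<3} {r['rule']:<30} evals={r['evaluations']:<6} {flag}")
    idle = idle_interfaces(rules)
    if idle:
        lines.append("no rule evaluated on: " + ", ".join(idle)
                     + " (confirm pf is enabled and that frames on these "
                       "bridge members are actually handed to pf)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PFCTL_VSR))
```

Run it against live output with `pfctl -vsr | python3 thisfile.py` after changing the `__main__` block to read `sys.stdin`, or keep the embedded sample to see the report format. A rule that keeps an Evaluations count of zero while tcpdump on the same interface shows traffic means pf never saw those frames, which separates a rule-syntax problem from a "pf is not in the path" problem.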