[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: PF MAC Filter
As I understand 'The PF + Bridge Caution' - it is a risk of tanglefoot - as
packets are going in and out of at least two interfaces, giving four PF
filtering scenarios, it is easy to get it wrong or not get a small bit of it
just right - especially if you are keeping states. The rule of thumb is to
do your keep state on one interface, in one direction, and pass on the
others. or find a quiet place and think alot. =) oh and randomized sequence
numbers should only be done once if you can.
but if your in need of the MAC level, well... that happens at the
bridgename.if level and without all the fancy macro stuff that PF has -
static - see brconfig too
once you get it figured - think about posting to the Wiki
From: Sancho2k.net Lists [mailto:email@example.com]
Sent: Wednesday, February 26, 2003 7:19 PM
To: Laurent Cheylus
Subject: Re: PF MAC Filter
Laurent Cheylus wrote:
> Shawn Mitchell <firstname.lastname@example.org> wrote :
>>Is it possable to specify a MAC Address filter?
> Yes, with transparent firewalling (bridge mode) : see FAQ 6.10
> Do you block some nasty attacks with ARP : ARP spoofing with tools like
> Arp-sk ?
> Be carefull with bridge mode : a good configuration is difficult and may
> source of problems.
Do you (or anyone else) mind commenting on what those problems might be?
I'm running a bridging firewall here at home and am curious what to
- From: "Shawn Mitchell" <email@example.com>