
Re: pf with ethernet bridge and one ip



On Thursday, Sep 11, 2003, at 16:40 US/Pacific, Torsten wrote:

I have problems with pf on an OpenBSD 3.3-stable Ethernet bridge.
My setup:

(lan_A)-----( if_A: noIP )-|bridge|-( if_B: ip_B )----(lan_B)

IP datagram from (lan_A) to ip_B
First appearance of the IP datagram within pf is: IN if_B (!)

IP comes in an Ethernet frame with dst MAC for if_A and can only arrive on if_A due to cabling.

Why would the destination MAC be for if_A? Normal ARP should respond with if_B's MAC over the bridge.


Inside pf I can't decide if the IP datagram has arrived on if_A or if_B.

It would be great if I could write pf rules depending on the interface the IP datagrams arrive on, as MAC and IP addresses are spoofable ;)

The bridge causes an internal transit to the interface matching the destination MAC address prior to filtering and upper-layer processing. I don't know of a way around this.