
Re: What do you think about PF filtering for encapsulated protocols (e.g. pppoe)?

Peter N. M. Hansteen wrote:
> mzozd <[email protected]> writes:
>>we were thinking of patching PF to filter on encapsulated traffic (pppoe
>>in particular). 
> I may be missing something important (extremely low caffeine levels at
> the moment), but filtering pppoe on the TCP/IP level is already quite
> doable without patching.  You simply filter on the tun interface
> (usually tun0, but of course you may have more than one).  For bridging,
> look into the brconfig and bridgename.if manpages - the bridge plus pf
> combination is quite flexible.
Hello there.
As far as PF is concerned, yes, you may filter your traffic on a tun(4) or
pppoe(4) interface. However, you can't add a tun(4) or a pppoe(4)
interface to a bridge, for they are point-to-point links.
PF is actually filtering on the point-to-point pseudo-interface (a
tun(4)/pppoe(4)) and NOT on the ethernet carrier where the transmitted
frames are encapsulated pppoe.
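The distinction above in a pf.conf fragment, added here as an illustration and not taken from the thread; it assumes em0 is the Ethernet carrier the PPPoE session runs over and pppoe0 is the pppoe(4) pseudo-interface that carries the decapsulated IP traffic.

```pf
# Added example, not part of the original message.
# Assumed interface names: em0 = Ethernet carrier, pppoe0 = pppoe(4) link.
carrier_if = "em0"
ext_if     = "pppoe0"

set skip on lo

# The carrier only sees PPPoE discovery/session frames (Ethertype 0x8863/0x8864).
# pf is hooked in at the IP layer, so rules on $carrier_if never match the
# IP packets encapsulated inside those frames; a rule such as
#   block in on $carrier_if
# does not stop the PPPoE-carried traffic. There is nothing useful to filter here.

# Filter the decapsulated IP traffic where pf actually sees it: on pppoe0.
block in log on $ext_if
pass out on $ext_if inet keep state
pass in on $ext_if inet proto tcp to ($ext_if) port 22 keep state
```

Because pppoe0 is a point-to-point link it cannot be a bridge member, so the bridge-plus-pf approach from the quoted reply does not apply to the PPPoE payload; filtering on the pppoe(4) interface itself is the supported path.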