+ kp@
A very interesting question.
I think that's because, ng_ether(4) intercepts L2 traffic before it hits the firewall.
pf(4) can intercept L2 traffic, but I'm not sure that it can then filter it by L3/L4.
https://reviews.freebsd.org/D31737
Maybe kp@ will clarify this issue?
31.10.2024, 18:32, "Palle Girgensohn" <gir...@freebsd.org>:
On 16 Oct. 2024 at 18:17, Patrick M. Hausen <hau...@punkt.de> wrote:
Hi!
On 16.10.2024 at 16:19, Palle Girgensohn <gir...@freebsd.org> wrote:
[...]
but nothing happens, everything is passed directly into the jail:
nc -l 4444 (inside the jail)
and I can just telnet 1.2.3.4 4444
Try:
sysctl net.link.bridge.pfil_member=0
sysctl net.link.bridge.pfil_bridge=1
Although I do not know if this applies to netgraph or to if_bridge(4) only.
But obviously your rules are not applied to the bridge interface. The default
of the tunables above is the other way round - don't filter on bridge interfaces.
HTH,
Patrick
Hello Patrick,
Thanks for the reply. It seems that these MIBs are related to if_bridge, not ng_bridge? I didn't have them at first, but after kldload if_bridge they appeared. They make no difference, though, so perhaps they do not relate to netgraph bridges?
Any idea what tunables would do the job?
Thanks,
Palle