Since I didn't get any reply, I decided to do more digging on my own. Although I didn't even get my pre-dawn misc digest either, so maybe something is wrong with the mailing list(s).

After some more googling using different combinations of phrases, I got to two threads on obsd-misc and -sparc from a Jim Fron <j-fron {at} q {at} public {at} comcast {dot} net> (email address no longer valid according to comcast). The issue he was asking for help with (and received more responses than I did) seems pretty similar to mine. In his own words: "Issue: bridging causes pf to mis-apply frames to the wrong interface." This is back in February '05:

http://article.gmane.org/gmane.os.openbsd.sparc/1751
http://thread.gmane.org/gmane.os.openbsd.sparc/1745/focus=1745

It was a relief to find out I'm not the only one with this issue. He mentions having used a patch that helped his issue. I assume he means this patch (but not certain):

http://monkey.org/openbsd/archive/misc/0411/msg01560.html

I attempted to email him, but comcast claims to have broken off with Jim. Poor Jim ='(

I don't mind digging in source code at all. I would, however, appreciate some pointers as to where to start looking.

Also, my idea of using route-to didn't work quite as expected. It worked for a while, but when I checked in the morning, I found that none of the packets would get to the right interface. I put log statements on all pass rules for packets entering $dsl_if and destined for $dmz_if. Then I monitored pflog0 using tcpdump -ne -ttt -i pflog0. I would see a DNS lookup come in on $dsl_if and be sent out on $dmz_if. Great, right? BUT, although tcpdump on $dsl_if would show the packet enter, it would show NO activity on $dmz_if!!

I believe there is something seriously wrong with the way the combination of pf, bridging and routing interact with one another. Anyone interested in helping here? I'm obviously volunteering to be the guinea pig here. Again, the system is a freshly installed -rOPENBSD_3_9.

My latest attempt at a solution is to set up static entries for my servers on $dmz_if using brconfig. Though I think this is very hokey as far as solutions go.
I'm monitoring to see if I see any instances of the issue or any other side-effects thereof.

--patrick