OpenBSD Journal

Bridge Mode Packet Filtering

Contributed by Dengue on from the pf dept.

Karlski writes : "I've set up a transparent firewall in bridge mode using OpenBSD 3.0's new Packet Filter (PF) written by Daniel Hartmeier and the Bridge code written by Jason Wright. It works great and i'd love to help establish a repository of example rulesets to aid in deploying this kind of tool.

Is anyone else working on this? High load testing? Enterprise/ Production rulesets? I figure now's the best time. -Daniel posted this info on his site regarding bridge mode packet filtering: http://marc.theaimsgroup.com/?l=openbsd-tech&m=100220976320265&w=2

Would be great to get a good set of example files drawn from our collective knowledge so far.

-karlski"

Sounds like a candidate for the FAQ to me...

(Comments are closed)


Comments
  1. By s k () on

    Neat-o. Think I will try this this weekend.

  2. By Anonymous Coward () on

    I'm not sure to understand well.
    Why not using keep state with "out" rules ?

    Keeping daniel's example :

    block in on rl0 all
    pass out on rl0 all keep state
    block in on rl1 all
    pass out on rl1 all keep state
    [rules to allow traffic INto interfaces]

    I don't see what is wrong with this ?

  3. By g () on

    i have a transparent bridge set up with ipf on openbsd 2.9 and i would be very interested in how to optimise the rulesets and whether pf has better performance than ipf.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]