Hey guys,
I've currently got an inline bridge setup where traffic flows like so:
Code:
em0 --> bridge0 --> em1
I'm using ipfw to only allow certain traffic through, but tcpdump shows incoming traffic that I explicitly deny in ipfw making it to the bridge0 interface and then being blocked. I was under the impression the traffic would be blocked at em0.
I've got a custom program that uses libpcap listening on the bridge0 interface and I would rather not have to deal with the blocked traffic. Are there any sysctl knobs I can tweak such that traffic doesn't hit bridge0 before being evaluated against the firewall ruleset?
Here are my relevant sysctl settings:
Code:
net.link.bridge.ipfw: 1 (I'm using Dummynet as well)
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0
Thanks in advance!
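Whatever the sysctl answer turns out to be (net.link.bridge.pfil_member controls whether the pfil hooks run on the member interfaces, and it is 0 in the settings above), the libpcap program itself can also refuse to see the denied traffic by attaching a BPF filter that mirrors the deny rules. The script below is an added example, not code from the post or from FreeBSD: it translates a small, assumed subset of ipfw syntax (numbered allow/deny rules with ip, tcp, udp or icmp, hosts or CIDR prefixes, optional destination ports) into a pcap-filter(7) expression, honouring ipfw's first-match order so a deny never swallows traffic an earlier allow already accepted. The `in`/`out` and `via`/`recv`/`xmit` qualifiers are parsed but dropped, because a filter attached to bridge0 cannot tell which member interface a frame arrived on; the result is therefore only an approximation when rules hinge on them. The ruleset in SAMPLE_RULES is constructed for the demonstration.

```python
"""Added example: turn a small ipfw ruleset subset into a pcap-filter(7)
expression that excludes the traffic ipfw would deny.  Not from the post
or from FreeBSD; the grammar handled and the sample ruleset are assumptions."""
import ipaddress
import re

# Hypothetical grammar subset: "<num> allow|deny <proto> from <src> to <dst>
# [<dport>[,<dport>...]] [in|out] [via|recv|xmit <ifname>]"
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|pass|accept|permit|deny|drop)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dport>\d+(?:,\d+)*))?"
    r"(?:\s+(?P<dir>in|out))?"
    r"(?:\s+(?P<iftype>via|recv|xmit)\s+(?P<ifname>\S+))?\s*$"
)

# Constructed ruleset for demonstration; not the poster's configuration.
SAMPLE_RULES = """\
00100 allow tcp from any to 192.0.2.10 22 in via em0
00200 deny tcp from any to any 22
00300 deny ip from 198.51.100.0/24 to any
"""


def parse_rule(line):
    """Parse one rule line into a dict; reject anything outside the subset."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ipfw syntax: {line!r}")
    rule = m.groupdict()
    # Normalise ipfw's action synonyms down to allow/deny.
    rule["action"] = "deny" if rule["action"] in ("deny", "drop") else "allow"
    if rule["dport"] and rule["proto"] not in ("tcp", "udp"):
        raise ValueError(f"port given for non-TCP/UDP rule: {line!r}")
    return rule


def _addr_term(role, text):
    """'any' -> no constraint; a host -> 'src host X'; a prefix -> 'src net X/Y'."""
    if text == "any":
        return None
    net = ipaddress.ip_network(text, strict=False)
    if net.num_addresses == 1:
        return f"{role} host {net.network_address}"
    return f"{role} net {net.with_prefixlen}"


def rule_terms(rule):
    """BPF conjunction matching the packets this rule matches.  Interface
    and direction qualifiers are parsed but dropped: a filter attached to
    bridge0 cannot see which member interface a frame arrived on."""
    terms = []
    if rule["proto"] != "ip":
        terms.append(rule["proto"])
    for role in ("src", "dst"):
        term = _addr_term(role, rule[role])
        if term:
            terms.append(term)
    if rule["dport"]:
        ports = rule["dport"].split(",")
        if len(ports) == 1:
            terms.append(f"dst port {ports[0]}")
        else:
            terms.append("(" + " or ".join(f"dst port {p}" for p in ports) + ")")
    return " and ".join(terms) if terms else "ip"


def deny_filter(ruleset):
    """Return a pcap filter excluding everything the ruleset denies.

    ipfw is first-match, so a deny only applies to packets that no earlier
    allow rule already accepted; each deny clause carries that shadow.
    An empty string means nothing is excluded (libpcap treats "" as match-all).
    """
    allows, denies = [], []
    for line in ruleset.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        expr = rule_terms(rule)
        if rule["action"] == "allow":
            allows.append(expr)
        elif allows:
            denies.append(f"({expr} and not ({' or '.join(allows)}))")
        else:
            denies.append(f"({expr})")
    if not denies:
        return ""
    return "not (" + " or ".join(denies) + ")"


if __name__ == "__main__":
    # Hand the result to pcap_compile()/pcap_setfilter() in the capture program,
    # or try it with: tcpdump -i bridge0 "$(python3 this_file.py)"
    print(deny_filter(SAMPLE_RULES))
```

Feed `ipfw list` output straight in: the default rule 65535 appears in that listing, so a final `deny ip from any to any` simply becomes "everything not matched by an allow", which is what an inline filter program usually wants to ignore anyway.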