Subject: kern/22818: IPFilter doesn't filter traffic!
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <egger@mlcomputing.de>
List: netbsd-bugs
Date: 09/16/2003 15:33:55
>Number:         22818
>Category:       kern
>Synopsis:       IPFilter doesn't filter traffic!
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 16 15:34:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Christoph Egger
>Release:        NetBSD 1.6.1_STABLE Sep 11
>Organization:
M&L Computing GmbH
>Environment:
NetBSD 1.6.1_STABLE i386
>Description:

I want to set up a transparent firewall in a network.
Transparent in the sense that the host is invisible on the network
and therefore has no IP addresses.

IP forwarding is enabled via 'sysctl -w net.inet.ip.forwarding=1'.

My test configuration of ipfilter is this:

pass in on ne2 to ne3 all
pass in on ne3 to ne2 all

IPFilter doesn't see the packets and thus doesn't forward them
to the other network interface.


Then I tried bridge(4).

This is my /etc/ifconfig.bridge0:

create
!brconfig $int add ne2 add ne3 up

Now all the traffic gets forwarded like on a hub. This is too much,
considering this is also the case when I change my /etc/ipf.conf to this one:

block in on ne2 to ne3 all
block in on ne3 to ne2 all

>How-To-Repeat:

Set up a NetBSD 1.6.1_STABLE machine (both kernel and userland are from
Sep. 11th) with at least two network cards and do what I described above.

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted: