Re: ip.forwarding and pf
From: Aaron Nichols (adnichols gmail.com)
Date: Mon Nov 15 2004 - 10:42:30 CST
In your case, it sounds like you don't want ip.forwarding.
If you only have one network interface in your machine and no other
machines are routing traffic through (not to) your machine you do not
need ip forwarding (assuming you aren't doing anything special that
requires it, in which case you would probably know you needed it). If
you are using NAT or bridging it's generally assumed that traffic from
other hosts is passing through your machine and thus, you need
ip.forwarding = 1. Forwarding simply refers to passing IP traffic
between network interfaces (if this is an over-simplification, someone
please correct me) and thus, bridging requires this ability.
In either case, pf will work regardless of your ip.forwarding
configuration which I think defaults to disabled (ip.forwarding = 0).
Aaron
On Mon, 15 Nov 2004 17:22:40 +0100 (MET), TAMONE Francois - System Engineer <francois.tamone eig6.unige.ch> wrote:
> Hi,
>
> It is not clear after several readings supposed to be central to pf
> whether ip.forwarding must be set to 1 or not with PF. Now I am confused.
>
> Also in the (excellent!) book from Jacek Artymiak "Building Firewall with
> OpenBSD and PF":
>
> if pf does bridging or NAT set ip.forwarding to 1
>
> But I do not do bridging and my pf.conf does not do NAT... So does it mean
> I have to set ip.forwarding to 0 ? Is pf routing alone ?
>
> I remember the day of "checkpoint" where ip.forwarding wrongly set to 1
> would bypass firewall rules.
>
> Is forwarding like routing ? if so why use it in bridging ? who ? what ?
> where?...
>
> Thanks
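
An added example, not part of either poster's message: a small audit that compares a pf.conf with the forwarding sysctl for the NAT case discussed in the thread. It assumes the full OpenBSD sysctl name `net.inet.ip.forwarding` (the thread abbreviates it to ip.forwarding) and treats an unset value as 0; the function names and sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare pf.conf translation rules with the forwarding sysctl.
# Config text is passed in as strings so the check runs offline.

# Succeeds if the ruleset text contains NAT rules (comments ignored).
pf_uses_nat() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq '^[[:space:]]*(nat|binat)[[:space:]]|[[:space:]](nat-to|binat-to)[[:space:]]'
}

# Prints the last uncommented net.inet.ip.forwarding value, or 0 if unset.
forwarding_setting() {
    v=$(printf '%s\n' "$1" | sed 's/#.*//' |
        sed -n 's/^[[:space:]]*net\.inet\.ip\.forwarding[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        tail -n 1)
    printf '%s\n' "${v:-0}"
}

# $1 = pf.conf text, $2 = sysctl.conf text
audit_forwarding() {
    fwd=$(forwarding_setting "$2")
    if pf_uses_nat "$1"; then
        if [ "$fwd" -ge 1 ]; then echo "ok: NAT rules present, forwarding=$fwd"
        else echo "mismatch: NAT rules present but forwarding=0"; fi
    elif [ "$fwd" -ge 1 ]; then
        echo "review: forwarding=$fwd without NAT rules; keep only if this host routes"
    else
        echo "ok: filtering only, forwarding=0"
    fi
}

# Constructed sample inputs (not taken from the thread).
PF_FILTER_ONLY='block in all
pass out all keep state
pass in on fxp0 proto tcp to port 22 keep state  # single-interface host'
PF_WITH_NAT='ext_if = "fxp0"
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
pass out all keep state'
SYSCTL_OFF='#net.inet.ip.forwarding=1   # left commented out'
SYSCTL_ON='net.inet.ip.forwarding=1'

audit_forwarding "$PF_FILTER_ONLY" "$SYSCTL_OFF"
audit_forwarding "$PF_WITH_NAT" "$SYSCTL_OFF"
audit_forwarding "$PF_FILTER_ONLY" "$SYSCTL_ON"
```

On a live host the two arguments would come from the system's own pf.conf and sysctl.conf, and the running value can be confirmed with `sysctl net.inet.ip.forwarding`.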