From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 15 04:07:30 2004
To: freebsd-ipfw@freebsd.org
From: Matthias Schuendehuette
X-Sender: msch@snafu.de
Date: Thu, 15 Jan 2004 12:07:27 GMT
X-Mailer: Endymion MailMan Standard Edition v3.0.35
Subject: ipfw2 and bridging on 5.2-RELEASE
List-Id: IPFW Technical Discussions

Hello,

I have serious problems with ipfw2 and bridging on my FreeBSD 5.2-RELEASE machine.

First of all: is this the right list? Or should I go to 'net' or 'questions'?

Anyway, here's the situation: My bridging machine has three interfaces, 'bge0' with an IP address for ssh access, and 'fxp0' (outbound) and 'fxp1' (inbound) for bridging. All the network traffic is in a VLAN with VLAN-ID 112, just to mention, with 'vlan0' and 'vlan1' as the corresponding vlan interfaces for 'fxp0' resp. 'fxp1'.

My bridge configuration is:

    net.link.ether.bridge.config: fxp0:0,fxp1:0,vlan0:1,vlan1:1

and works with an 'open' firewall without problems.
My ruleset for testing purposes is fairly straightforward:

    # setup 'lo0'
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 check-state
    00500 skipto 3000 ip from any to any layer2
    # setup for ssh-access via 'bge0'
    00600 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state
    00700 allow ip from me to any xmit bge0 keep-state
    # rules for the bridge
    03000 allow ip from any to any layer2 mac-type 0x0806 # ARP
    03100 allow tcp from any to any recv fxp1 setup keep-state
    03200 allow udp from any to any recv fxp1 keep-state
    03300 allow icmp from any to any recv fxp1
    03400 allow ip from any to any recv fxp1
    03500 deny log ip from any to any
    65535 deny ip from any to any

As usual, my first test is pinging from inside to an outside machine. Having done that, I see that the ping requests come through the filtering bridge and the ping replies are blocked - so far, so good.

But the ICMP packets use rule #3400 and not #3300, why? If I change rule #3300 to "allow icmp from any to any" it still doesn't work; only "allow ip from any to any" leads to a working ping (of course).

BTW, the same is true for TCP and/or UDP traffic - obviously the IP protocol type is not recognized.

Is this a bug or a feature - or a limitation because of the bridging? Or is my understanding wrong in any way?

I hope someone can explain this behaviour a bit to me...

TIA - Matthias
--
Matthias Schuendehuette, Berlin, Germany
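A toy first-match walk over the ruleset quoted in the mail, added here as an illustration; it is not part of the original post and not ipfw code. It parses only the rule syntax this ruleset uses and encodes one explicit assumption: when the firewall cannot determine the IP protocol of a bridged frame, the protocol-specific rules (icmp, tcp, udp) do not match while the 'ip' wildcard does. Whether the 5.2 kernel really behaved that way is the open question in the mail; the model only shows that this single assumption reproduces every symptom reported (rule 3400 instead of 3300, a rewritten rule 3300 still not matching, TCP and UDP affected the same way) and that the same ruleset behaves as intended once the protocol is known. The addresses, the `ME` set and the packet dicts are constructed; dynamic rules (check-state/keep-state) are not modelled.

```python
import ipaddress

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}

# The ruleset quoted in the mail, comments dropped.
RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 check-state
00500 skipto 3000 ip from any to any layer2
00600 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state
00700 allow ip from me to any xmit bge0 keep-state
03000 allow ip from any to any layer2 mac-type 0x0806
03100 allow tcp from any to any recv fxp1 setup keep-state
03200 allow udp from any to any recv fxp1 keep-state
03300 allow icmp from any to any recv fxp1
03400 allow ip from any to any recv fxp1
03500 deny log ip from any to any
65535 deny ip from any to any
"""

# Constructed: the bridge's own (bge0) address; the mail does not give it.
ME = {"192.0.2.1"}


def parse_rule(line):
    """Parse one 'ipfw list' line into a dict (only the syntax this ruleset uses)."""
    toks = line.split()
    rule = {"num": int(toks[0]), "action": toks[1], "proto": "ip",
            "src": "any", "dst": "any", "opts": {}}
    if rule["action"] == "check-state":
        return rule
    i = 2
    if rule["action"] == "skipto":
        rule["target"] = int(toks[i])
        i += 1
    if toks[i] == "log":                     # 'deny log ip ...'
        i += 1
    rule["proto"] = toks[i]
    rule["src"], rule["dst"] = toks[i + 2], toks[i + 4]   # 'from SRC to DST'
    i += 5
    while i < len(toks):                     # trailing options
        if toks[i] in ("via", "recv", "xmit", "mac-type", "dst-port"):
            rule["opts"][toks[i]] = toks[i + 1]
            i += 2
        else:                                # layer2, setup, in, keep-state
            rule["opts"][toks[i]] = True
            i += 1
    return rule


RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """Match part of a rule against a packet dict. pkt['proto'] is None when the
    firewall could not read an IP header behind the frame (the assumption)."""
    if rule["proto"] != "ip" and pkt["proto"] != PROTO_NUM[rule["proto"]]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    o = rule["opts"]
    checks = [
        ("via", lambda v: v in (pkt.get("recv"), pkt.get("xmit"))),
        ("recv", lambda v: pkt.get("recv") == v),
        ("xmit", lambda v: pkt.get("xmit") == v),
        ("layer2", lambda v: pkt.get("layer2", False)),
        ("mac-type", lambda v: pkt.get("mac_type") == int(v, 16)),
        ("setup", lambda v: pkt.get("syn_only", False)),
        ("in", lambda v: pkt.get("dir") == "in"),
        ("dst-port", lambda v: pkt.get("dport") == int(v)),
    ]
    return all(ok(o[key]) for key, ok in checks if key in o)


def first_match(pkt, rules=None):
    """First-match walk following skipto; returns (rule number, action).
    check-state is stepped over because the toy has no dynamic rule table."""
    rules = RULES if rules is None else rules
    i = 0
    while i < len(rules):
        r = rules[i]
        if r["action"] != "check-state" and rule_matches(r, pkt):
            if r["action"] == "skipto":
                i = next(j for j, x in enumerate(rules) if x["num"] >= r["target"])
                continue
            return r["num"], r["action"]
        i += 1
    return 65535, "deny"


def bridged_packet(proto, recv, src, dst):
    """Constructed frame on the bridge pass (layer2) carrying an IPv4 ethertype."""
    return {"proto": proto, "recv": recv, "layer2": True, "mac_type": 0x0800,
            "src": src, "dst": dst}


if __name__ == "__main__":
    request = bridged_packet(1, "fxp1", "192.0.2.10", "198.51.100.1")
    print(first_match(request))              # (3300, 'allow'): protocol known
    request["proto"] = None
    print(first_match(request))              # (3400, 'allow'): the symptom from the mail
    reply = bridged_packet(None, "fxp0", "198.51.100.1", "192.0.2.10")
    print(first_match(reply))                # (3500, 'deny'): reply on fxp0 blocked
```

Passing `rules=` lets you try the variant the mail describes (rule 3300 rewritten as `allow icmp from any to any`): with `proto=None` it still falls through to 3400, while the same packet with `proto=1` stops at 3300, so the observed behaviour is consistent with the protocol not being parsed rather than with a mistake in the rule order.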