From owner-freebsd-net@FreeBSD.ORG Thu Sep 14 04:20:15 2006
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 07C6916A40F for ; Thu, 14 Sep 2006 04:20:14 +0000 (UTC) (envelope-from thompsa@freebsd.org)
Received: from grunt6.ihug.co.nz (grunt6.ihug.co.nz [203.109.254.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8AD3643D45 for ; Thu, 14 Sep 2006 04:20:14 +0000 (GMT) (envelope-from thompsa@freebsd.org)
Received: from 203-109-251-39.static.bliink.ihug.co.nz (heff.fud.org.nz) [203.109.251.39] by grunt6.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian)) id 1GNihv-0004xA-00; Thu, 14 Sep 2006 16:20:11 +1200
Received: by heff.fud.org.nz (Postfix, from userid 1001) id CFFCB1CC23; Thu, 14 Sep 2006 16:20:10 +1200 (NZST)
Date: Thu, 14 Sep 2006 16:20:10 +1200
From: Andrew Thompson
To: Jon Otterholm
Message-ID: <20060914042010.GA35371@heff.fud.org.nz>
References: <45084BBD.7090903@ide.resurscentrum.se>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <45084BBD.7090903@ide.resurscentrum.se>
User-Agent: Mutt/1.5.11
Cc: freebsd-net@freebsd.org
Subject: Re: Bridge
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 14 Sep 2006 04:20:15 -0000

On Wed, Sep 13, 2006 at 08:19:41PM +0200, Jon Otterholm wrote:
> Hi.
>
> According to man if_bridge one could filter L2-traffic with ipfw:
>
> From man if_bridge:
> ARP and REVARP packets are forwarded without being filtered and others
> that are not IP nor IPv6 packets are not forwarded when pfil_onlyip is
> enabled. IPFW can filter Ethernet types using mac-type so all packets
> are passed to the filter for processing.
>
> ARP is still forwarded though I have the following config:
>
> I have the following sysctl set:
>
> net.link.bridge.ipfw: 1
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
>
> ipfw list:
>
> 65533 deny ip from any to any MAC any any
> 65534 deny ip from any to any layer2
> 65535 deny ip from any to any

The check for ARP happens before the ipfw layer2 code so it isn't currently
possible to filter them.

    switch (ether_type) {
    case ETHERTYPE_ARP:
    case ETHERTYPE_REVARP:
        return (0);	/* Automatically pass */

You are the second person in so many days to ask this, is it something that
should be changed?

Andrew
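As an added illustration, not code from this thread and not FreeBSD's own if_bridge.c, the following user-space C program models the ordering Andrew points out: the ARP/REVARP short-circuit runs before any ipfw rule is consulted, frames that are neither IP nor IPv6 are dropped when pfil_onlyip is set, and only IP/IPv6 frames ever reach the ipfw layer2 hook. The function names bridge_pfil_model and verdict_with_thread_config, the bridge_knobs struct and the ipfw_layer2_fn callback are this example's own; the ipfw hook is reduced to an accept/deny callback (the real code also depends on direction and on the pfil_member/pfil_bridge knobs, which the model ignores). The sample frames are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Ethernet type values as defined in FreeBSD's <net/ethernet.h>. */
#define ETHERTYPE_IP     0x0800
#define ETHERTYPE_ARP    0x0806
#define ETHERTYPE_REVARP 0x8035
#define ETHERTYPE_IPV6   0x86DD

/* Result of the bridge's filtering decision for one frame (this example's names). */
enum bridge_verdict { BRIDGE_PASS = 0, BRIDGE_DROP = 1 };

/* The two sysctl knobs from the thread that drive this model (constructed struct). */
struct bridge_knobs {
	int ipfw;         /* net.link.bridge.ipfw */
	int pfil_onlyip;  /* net.link.bridge.pfil_onlyip */
};

/*
 * Stand-in for the ipfw layer2 rule walk (hypothetical signature):
 * returns 1 when the rule set accepts the frame, 0 when it denies it.
 */
typedef int (*ipfw_layer2_fn)(uint16_t ether_type);

/*
 * Model of the decision order described in the mail.  The ARP/REVARP
 * check returns before the ipfw hook is reached, so no ipfw rule,
 * layer2 or otherwise, can match those frames.
 */
enum bridge_verdict
bridge_pfil_model(uint16_t ether_type, const struct bridge_knobs *k,
    ipfw_layer2_fn ipfw_hook)
{
	switch (ether_type) {
	case ETHERTYPE_ARP:
	case ETHERTYPE_REVARP:
		return (BRIDGE_PASS);	/* automatically pass; ipfw never sees it */
	case ETHERTYPE_IP:
	case ETHERTYPE_IPV6:
		break;
	default:
		if (k->pfil_onlyip)
			return (BRIDGE_DROP);	/* neither IP nor IPv6: not forwarded */
		break;
	}
	/* Only now does the frame reach the ipfw layer2 hook, if enabled. */
	if (k->ipfw && ipfw_hook != NULL)
		return (ipfw_hook(ether_type) ? BRIDGE_PASS : BRIDGE_DROP);
	return (BRIDGE_PASS);
}

/* Models the quoted rule set: 65533, 65534 and 65535 all deny. */
static int
deny_all_rules(uint16_t ether_type)
{
	(void)ether_type;
	return (0);
}

/* The configuration from the original mail: ipfw=1, pfil_onlyip=1, deny-all rules. */
enum bridge_verdict
verdict_with_thread_config(uint16_t ether_type)
{
	struct bridge_knobs k = { .ipfw = 1, .pfil_onlyip = 1 };

	return (bridge_pfil_model(ether_type, &k, deny_all_rules));
}

int
main(void)
{
	/* Constructed sample frames, one per branch of the model. */
	const struct { const char *name; uint16_t type; } frames[] = {
		{ "ARP",    ETHERTYPE_ARP },
		{ "REVARP", ETHERTYPE_REVARP },
		{ "IPv4",   ETHERTYPE_IP },
		{ "IPv6",   ETHERTYPE_IPV6 },
		{ "LLDP",   0x88CC },	/* neither IP nor ARP */
	};
	size_t i;

	for (i = 0; i < sizeof(frames) / sizeof(frames[0]); i++)
		printf("%-6s 0x%04x -> %s\n", frames[i].name, frames[i].type,
		    verdict_with_thread_config(frames[i].type) == BRIDGE_PASS ?
		    "pass" : "drop");
	return (0);
}
```

Running it with the thread's configuration shows ARP and REVARP passing while IPv4, IPv6 and the non-IP frame are dropped, which is exactly the behaviour Jon observed: the deny rules are effective for everything the hook is allowed to see, and ARP is simply never handed to it.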