Date: Fri, 6 Jul 2007 08:39:13 -0700 (PDT)
From: Dave McCammon <davemac11@yahoo.com>
To: stable@freebsd.org
Subject: ipfw with if_bridge oddity
Message-ID: <868934.77972.qm@web32811.mail.mud.yahoo.com>
I got nothing from questions@ so I'm posting here.
I can't seem to grasp why this is working differently.
FreeBSD 6.2 using ipfw + if_bridge
LAN -- em1(if_bridge + ipfw)em0 -- internet
I am at xx.xx.16.6 and try to ping say www.yahoo.com
in ruleset:
1100 allow icmp from any to xx.xx.16.0/27{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
2100 allow ip from xx.xx.16.0/27 to any in via em1
gets dropped by following rule as shown in logs:
4700 deny log ip from any to any
Log entry: ipfw: 4700 Deny ICMP:8.0 xx.xx.16.6 69.147.114.210 out via em0
If I add this rule all works great:
2101 allow icmp from xx.xx.16.0/27 to any recv em1
Why would the "recv em1" work and the "in via em1" get blocked?
I just changed from using bridge(4) to if_bridge using the same ruleset.
The rest of my ruleset seems to be working fine but this problem is causing me a little paranoia
about the effectiveness of the firewall.
Also, should I still be seeing "deny (snip) in via bridge0" messages in my logs
if I have this set "net.link.bridge.pfil_bridge: 0"?
Thanks for your help.
dave
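A small model of the ipfw(8) direction and interface clauses, added here to show why "in via em1" and "recv em1" behave differently on the bridged ping above (example code, not from the original post or from FreeBSD). It assumes the bridged packet is inspected at two points, on input at em1 and again on output at em0, with the logged "out via em0" drop being the second; at that second point the direction is "out" and the current interface is em0, so an "in via em1" clause cannot match, while the receive interface is still em1, so "recv em1" does. Packet, IfaceRule, iface_clauses_match and first_match are names chosen for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of ipfw(8) interface clauses: "in"/"out" is the direction at
# the current inspection point, "via" is the interface being inspected right now,
# "recv" is the interface the packet first arrived on, whatever the direction.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str             # "in" or "out" at the current inspection point
    iface: str                 # interface ipfw is inspecting the packet on now
    recv_iface: Optional[str]  # interface the packet arrived on (None if local)

@dataclass(frozen=True)
class IfaceRule:
    number: int
    direction: Optional[str] = None  # "in", "out" or None for either
    via: Optional[str] = None        # interface in the packet's current direction
    recv: Optional[str] = None       # receive interface, whatever the direction
    xmit: Optional[str] = None       # transmit interface, outgoing packets only

def iface_clauses_match(rule: IfaceRule, pkt: Packet) -> bool:
    """True when every direction/interface clause of the rule matches the packet."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if rule.recv is not None and rule.recv != pkt.recv_iface:
        return False
    if rule.xmit is not None and (pkt.direction != "out" or rule.xmit != pkt.iface):
        return False
    return True

def first_match(rules: List[IfaceRule], pkt: Packet, default: int = 4700) -> int:
    """Number of the first rule whose clauses match, else the catch-all deny."""
    for rule in rules:
        if iface_clauses_match(rule, pkt):
            return rule.number
    return default

# Rules 2100 and 2101 from the post, reduced to their direction/interface clauses.
RULE_2100 = IfaceRule(2100, direction="in", via="em1")  # ... in via em1
RULE_2101 = IfaceRule(2101, recv="em1")                 # ... recv em1

# The bridged ping at the two points ipfw inspects it (constructed samples; the
# second reproduces the logged "out via em0" drop, where recv is still em1).
PING_IN_EM1 = Packet("xx.xx.16.6", "69.147.114.210", "in", "em1", "em1")
PING_OUT_EM0 = Packet("xx.xx.16.6", "69.147.114.210", "out", "em0", "em1")
```

Running first_match over both packets shows rule 2100 allowing the packet on the em1 input check but falling through to the 4700 deny on the em0 output check, which is exactly the log line quoted above; adding 2101 makes the output check match.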
