Date: Fri, 6 Jul 2007 08:39:13 -0700 (PDT)
From: Dave McCammon <davemac11@yahoo.com>
To: stable@freebsd.org
Subject: ipfw with if_bridge oddity
Message-ID: <868934.77972.qm@web32811.mail.mud.yahoo.com>
I got nothing from questions@ so I'm posting here.

I can't seem to grasp why this is working differently.

FreeBSD 6.2 using ipfw + if_bridge

LAN -- em1(if_bridge + ipfw)em0 -- internet

I am at xx.xx.16.6 and try to ping say www.yahoo.com

in ruleset:
1100 allow icmp from any to xx.xx.16.0/27{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
2100 allow ip from xx.xx.16.0/27 to any in via em1

gets dropped by following rule as shown in logs:
4700 deny log ip from any to any

Log entry:
ipfw: 4700 Deny ICMP:8.0 xx.xx.16.6 69.147.114.210 out via em0

If I add this rule all works great:
2101 allow icmp from xx.xx.16.0/27 to any recv em1

Why would the "recv em1" work and the "in via em1" get blocked?

I just changed from using bridge(4) to if_bridge using the same ruleset. The rest of my ruleset seems to be working fine but this problem is causing me a little paranoia about the effectiveness of the firewall.

Also, should I still be seeing "deny (snip) in via bridge0" messages in my logs if I have this set "net.link.bridge.pfil_bridge: 0"?

Thanks for your help.

dave
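The two-pass traversal behind the question, as an added illustration that is not part of the post: a small Python model of ipfw(8)'s documented `in`/`out`, `via`, `recv` and `xmit` interface qualifiers, applied to an outgoing ping that a bridge with pfil_member enabled presents to the firewall once inbound on em1 and again outbound on em0. Rule numbers and interface names are taken from the post; address, protocol and icmptype matching are deliberately left out, so rule 1100 is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pass:
    """One trip of a packet through ipfw."""
    direction: str  # "in" or "out" for this pass
    via: str        # interface the packet is traversing on this pass
    recv: str       # interface the packet was originally received on

def matches(quals: dict, p: Pass) -> bool:
    """Interface qualifiers per ipfw(8): 'in'/'out' restrict direction,
    'via X' matches the interface of the current pass in either direction,
    'recv X' matches the receive interface on inbound AND outbound passes,
    'xmit X' matches the transmit interface on outbound passes only."""
    if "dir" in quals and quals["dir"] != p.direction:
        return False
    if "via" in quals and quals["via"] != p.via:
        return False
    if "recv" in quals and quals["recv"] != p.recv:
        return False
    if "xmit" in quals and (p.direction != "out" or quals["xmit"] != p.via):
        return False
    return True

def ruleset(with_2101: bool) -> list:
    """The post's rules, with or without the 'recv em1' rule that fixed it."""
    rules = [(2100, {"dir": "in", "via": "em1"})]   # allow ... in via em1
    if with_2101:
        rules.append((2101, {"recv": "em1"}))        # allow icmp ... recv em1
    rules.append((4700, {}))                         # deny log ip from any to any
    return rules

def first_match(rules: list, p: Pass):
    """ipfw stops at the first matching rule; return its number."""
    for num, quals in rules:
        if matches(quals, p):
            return num
    return None

# Echo request from the LAN host: received on em1, forwarded out em0.
# Pass 1 is inbound on em1; pass 2 is outbound on em0 (recv is still em1).
PASSES = [Pass("in", "em1", "em1"), Pass("out", "em0", "em1")]

def verdicts(rules: list) -> list:
    """Rule number that decides each pass: [inbound pass, outbound pass]."""
    return [first_match(rules, p) for p in PASSES]

if __name__ == "__main__":
    print("without 2101:", verdicts(ruleset(False)))  # [2100, 4700]
    print("with 2101:   ", verdicts(ruleset(True)))   # [2100, 2101]
```

On the outbound pass the direction is "out" and the interface is em0, so "in via em1" cannot match and the packet falls through to 4700, which is exactly the "out via em0" deny in the log; "recv em1" still matches there because the receive interface is carried along with the packet.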