From: Dave McCammon
To: stable@freebsd.org
Date: Fri, 6 Jul 2007 08:39:13 -0700 (PDT)
Subject: ipfw with if_bridge oddity

I got nothing from questions@ so I'm posting here. I can't seem to grasp why this is working differently.
FreeBSD 6.2 using ipfw + if_bridge

LAN -- em1 (if_bridge + ipfw) em0 -- internet

I am at xx.xx.16.6 and try to ping, say, www.yahoo.com. In the ruleset:

1100 allow icmp from any to xx.xx.16.0/27{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
2100 allow ip from xx.xx.16.0/27 to any in via em1

gets dropped by the following rule, as shown in the logs:

4700 deny log ip from any to any

Log entry:

ipfw: 4700 Deny ICMP:8.0 xx.xx.16.6 69.147.114.210 out via em0

If I add this rule, all works great:

2101 allow icmp from xx.xx.16.0/27 to any recv em1

Why would the "recv em1" work and the "in via em1" get blocked?

I just changed from using bridge(4) to if_bridge using the same ruleset. The rest of my ruleset seems to be working fine, but this problem is causing me a little paranoia about the effectiveness of the firewall.

Also, should I still be seeing "deny (snip) in via bridge0" messages in my logs if I have this set: "net.link.bridge.pfil_bridge: 0"?

Thanks for your help.

dave
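As an added example that is not part of Dave's message, here is a small Python model of the ipfw(8) matching keywords involved (`in`/`out`, `via`, `recv`), traced over the two pfil passes a bridged packet makes when pfil_member is on: once as "in" on the receiving member em1 and once as "out" on the transmitting member em0. It shows why a rule written `in via em1` covers only the first pass while `recv em1` also matches the second, where rule 4700 otherwise fires. The LAN prefix, destination address and rule subset are constructed placeholders for the post's xx.xx.16.0/27 ruleset.

```python
# Toy model of ipfw interface/direction matching (added example, not the
# poster's code). Assumes pfil_member=1 so a bridged packet is filtered
# twice: "in" on em1, then "out" on em0, with the receive interface retained.
import ipaddress

LAN = ipaddress.ip_network("192.0.2.0/27")  # placeholder for xx.xx.16.0/27

def rule(num, action, proto, src, dst, direction=None, via=None, recv=None):
    return dict(num=num, action=action, proto=proto, src=src, dst=dst,
                direction=direction, via=via, recv=recv)

# Constructed subset of the post's ruleset (rule 1100 omitted: it only
# matches ICMP replies destined to the LAN and never applies here).
BASE_RULES = [
    rule(2100, "allow", "ip", LAN, "any", direction="in", via="em1"),
    rule(4700, "deny", "ip", "any", "any"),
]
FIXED_RULES = BASE_RULES + [rule(2101, "allow", "icmp", LAN, "any", recv="em1")]

def matches(r, pkt):
    """Evaluate one rule against a packet during one pfil pass."""
    if r["proto"] not in ("ip", pkt["proto"]):
        return False
    if r["src"] != "any" and pkt["src"] not in r["src"]:
        return False
    if r["dst"] != "any" and pkt["dst"] not in r["dst"]:
        return False
    # "in"/"out" restrict the pass direction; "via" checks the interface the
    # packet is traversing on this pass; "recv" checks the interface the
    # packet was received on, which is still em1 during the outbound pass.
    if r["direction"] and r["direction"] != pkt["direction"]:
        return False
    if r["via"] and r["via"] != pkt["iface"]:
        return False
    if r["recv"] and r["recv"] != pkt["recv"]:
        return False
    return True

def first_match(rules, pkt):
    """First-match semantics: return (rule number, action) for this pass."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, pkt):
            return r["num"], r["action"]
    return None, "deny"  # implicit default deny

def trace_bridged_packet(rules, src, dst, proto="icmp"):
    """Return the (rule, action) hit on each pfil pass of an em1->em0 packet."""
    base = dict(proto=proto, src=ipaddress.ip_address(src),
                dst=ipaddress.ip_address(dst), recv="em1")
    passes = [dict(base, direction="in", iface="em1"),   # received on em1
              dict(base, direction="out", iface="em0")]  # transmitted on em0
    return [first_match(rules, p) for p in passes]
```

With the base rules the outbound pass on em0 lands on 4700, matching the "out via em0" log line in the post; with 2101 added, the same pass is allowed by the `recv em1` rule.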