Date: Sat, 04 Dec 2004 09:41:14 -0500
From: Chuck Swiger <cswiger@mac.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw and bridging [was: pf and bridging]
Message-ID: <41B1CC8A.6090509@mac.com>
In-Reply-To: <Pine.BSF.3.96.1041204183127.2388B-100000@gaia.nimnet.asn.au>
References: <Pine.BSF.3.96.1041204183127.2388B-100000@gaia.nimnet.asn.au>

Ian Smith wrote:
[ ... ]
> Read those ones for interest, but it leaves me wondering: can you use
> stateful filtering in ipfw, then? (here ipfw1 on a 4.8-RELEASE box with
> BRIDGE in kernel so far, but I imagine this would apply also to ipfw2?)

Yes, you ought to be able to perform stateful packet filtering with either
ipfw1 or 2.

> I'm aware that one can only filter incoming packets, so I've always
> wondered whether stateful rules made any sense in a bridge context?

A firewall filters packets which pass through it (i.e., either via routing,
bridging, or whatever the topology is). Yes, you can do stateful filtering on
a bridge, but you need to pay attention to the fact that you have both layer-2
and layer-3 traffic involved. You also need to enable a sysctl to have IPFW
apply its rules to bridged traffic.

-- 
-Chuck