From owner-freebsd-net@FreeBSD.ORG Sun Dec 5 13:50:08 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9479316A4CE for ; Sun, 5 Dec 2004 13:50:08 +0000 (GMT)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 048D343D2D for ; Sun, 5 Dec 2004 13:50:04 +0000 (GMT) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.4) with SMTP id AAA16102; Mon, 6 Dec 2004 00:49:56 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Mon, 6 Dec 2004 00:49:55 +1100 (EST)
From: Ian Smith
To: Chuck Swiger
In-Reply-To: <41B1CC8A.6090509@mac.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-net@freebsd.org
Subject: Re: ipfw and bridging [was: pf and bridging]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 05 Dec 2004 13:50:08 -0000

On Sat, 4 Dec 2004, Chuck Swiger wrote:

> Ian Smith wrote:
> [ ... ]
> > Read those ones for interest, but it leaves me wondering: can you use
> > stateful filtering in ipfw, then? (here ipfw1 on a 4.8-RELEASE box with
> > BRIDGE in kernel so far, but I imagine this would apply also to ipfw2?)
>
> Yes, you ought to be able to perform stateful packet filtering with either
> ipfw1 or 2.

Thanks for that, Chuck.  It did seem to be working, so I'd assumed that
ipfw stateful inspection must only be on inbound packets, for bridged
packets at least.

> > I'm aware that one can only filter incoming packets, so I've always
> > wondered whether stateful rules made any sense in a bridge context?
>
> A firewall filters packets which pass through it (ie, either via routing,
> bridging, or whatever the topology is).  Yes, you can do stateful filtering on
> a bridge but you need to pay attention to the fact that you have both layer-2
> and layer-3 traffic involved.  You also need to enable a sysctl to have IPFW
> apply its rules to bridged traffic.

Indeed.  Now I'm curious; must find some time to look at the code a bit.

Cheers, Ian
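The setup the thread is circling around, written out as an added example (it is not code from Ian, Chuck or the FreeBSD project): a two-interface BRIDGE kernel on FreeBSD 4.x with the bridge handing IP packets to ipfw, plus a small stateful ruleset. The sysctl names are the ones documented in bridge(4) for the 4.x kernel bridge (net.link.ether.bridge, net.link.ether.bridge_cfg, net.link.ether.bridge_ipfw); the interface names fxp0/fxp1, the 192.168.1.0/24 inside network, the rule numbers and the script layout are assumptions made for the example. The point it illustrates is the one Ian raised: on a 4.x bridge ipfw sees each packet once, as it arrives on an interface, so the rules are all written with "in via" and state created by keep-state is consumed by check-state when the reply arrives on the other leg.

```shell
#!/bin/sh
# Added example, not from the original thread. Stateful ipfw on a FreeBSD 4.x
# BRIDGE kernel. Interface names, the inside network and the rule numbers are
# assumptions for illustration only.

LAN_NET="192.168.1.0/24"   # assumed: hosts on the inside leg of the bridge

# Enable bridging between the two interfaces and make the bridge pass IP
# packets to ipfw. With net.link.ether.bridge_ipfw left at 0, bridged packets
# are forwarded without ever being shown to the ruleset.
bridge_sysctls() {
    inside=$1; outside=$2
    sysctl net.link.ether.bridge_cfg="${inside},${outside}"
    sysctl net.link.ether.bridge=1
    sysctl net.link.ether.bridge_ipfw=1
}

# Emit the ruleset as text so it can be reviewed before being applied.
# The 4.x bridge runs ipfw only on the inbound path, so every rule uses
# "in via <iface>"; a rule written with "out" would never match bridged
# traffic. keep-state creates a dynamic rule; check-state (rule 100) matches
# the reply when it arrives on the other interface. Non-IP frames (ARP, etc.)
# are layer-2 traffic the bridge forwards without consulting these rules.
firewall_rules() {
    inside=$1; outside=$2
    cat <<EOF
-f flush
add 100 check-state
add 200 allow tcp from ${LAN_NET} to any in via ${inside} setup keep-state
add 210 allow udp from ${LAN_NET} to any 53 in via ${inside} keep-state
add 300 allow tcp from any to ${LAN_NET} 22,80 in via ${outside} setup keep-state
add 400 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}

# Feed each reviewed line to ipfw(8). Word splitting of $line is intended:
# "add 100 check-state" must reach ipfw as separate arguments.
apply_rules() {
    firewall_rules "$1" "$2" | while read -r line; do
        ipfw $line
    done
}

# Usage (as root on the bridge host): sh bridge-ipfw.sh fxp0 fxp1
# Run with no arguments, the script only defines the functions above, which
# lets you inspect the ruleset first with: firewall_rules fxp0 fxp1
if [ $# -eq 2 ]; then
    bridge_sysctls "$1" "$2"
    apply_rules "$1" "$2"
fi
```

Two caveats a practitioner would want: rule 400 admits ICMP statelessly because ipfw1 on 4.x keeps state for TCP/UDP flows, so the echo reply has to be allowed explicitly; and the sysctl names above belong to the 4.x BRIDGE kernel option, while the later if_bridge(4) driver exposes its equivalent switch as net.link.bridge.ipfw, so the same ruleset needs that knob instead on 5.x/6.x and later.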