Date:      Thu, 12 Apr 2007 09:01:22 +0800
From:      Eugene Grosbein <eugen@grosbein.pp.ru>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc:        net@freebsd.org
Subject:   Re: ipfw tags & filtering incoming broadcasts
Message-ID:  <20070412010122.GA41509@svzserv.kemerovo.su>
In-Reply-To: <74021176312447@webmail28.yandex.ru>
References:  <74021176312447@webmail28.yandex.ru>

On Wed, Apr 11, 2007 at 09:27:27PM +0400, Andrey V. Elsukov wrote:

> > I have a router based on FreeBSD 6 running quagga/RIPv2
> > and want to filter all incoming packets sent to it (not forwarded through it)
> > with a small set of exceptions. This router uses ipfw for packet filtering.
> 
> You can use "in recv" keywords to determine incoming packets.

I know, thanks. Now I'm just trying to make it work somehow
but without success still.

> > There is no problem to filter unicasts. But I also want to block all
> > broadcasts except incoming RIPv2; some hardware
> > routers send broadcasts instead of multicasts here.
> > I've tried this way:
> > ipfw add 30 allow tag 1 ip from any to any MAC ff:ff:ff:ff:ff:ff any
> 
> If you want to use tags in the next rules, you should use `count' action 
> instead of `allow'.

I've just tried, replaced "allow" with "count" in rule 30,
but nothing changed. And I think there should be no difference for this
set of 3 rules, because a packet needs to be _allowed_ during the layer2 pass
to reach the layer3 pass where tags are used. So it should not matter
whether rule 30 passes such packets or rule 40.

> > ipfw add 40 allow ip from any to any layer2
> > ipfw add 50 count log ip from any to any tagged 1
> > I hoped that rule 30 would tag all broadcasts with tag 1 during the layer2
> > filtering pass and it'd keep its tag during layer3 filtering, but it seems
> > it doesn't. If I send a broadcast with ping <IP-broadcast>
> > I see that rules 30 and 40 match this outgoing broadcast
> > but rule 50 does not. Am I doing something wrong, or
> > is this behaviour by design, or is this a bug that deserves a PR?
> 
> If you want to filter RIPv2 packets, maybe it's a good idea
> to use src-port or dst-port 520 with udp protocol?

I want also to learn how to distinguish unicast UDP from broadcast UDP.

Eugene
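An added example, not part of the thread and not Eugene's or Andrey's ruleset: a small POSIX sh script that derives an interface's subnet-directed broadcast address from its IPv4 address and netmask, then prints ipfw rules that accept inbound RIPv2 (UDP port 520) sent to a broadcast address and drop every other inbound IPv4 broadcast on that interface. It answers the "unicast UDP vs broadcast UDP" question purely at layer3, by destination address (the subnet-directed broadcast or 255.255.255.255 is broadcast; anything matching `me` is unicast to the router), so it does not depend on a tag set in the layer2 pass surviving into the layer3 pass. The interface name em0, the addresses, and the rule numbers 1000/1010 are assumptions for the example.

```shell
#!/bin/sh
# Added example: emit ipfw rules that allow inbound RIPv2 broadcasts and drop
# all other inbound IPv4 broadcasts on one interface. Rules are printed, not
# installed, so they can be reviewed before being fed to ipfw(8).
# Interface, addresses and rule numbers are assumptions for this example.

# bcast_addr IP NETMASK -> prints the subnet-directed broadcast address.
# Each octet of the broadcast is the address octet ORed with the host bits,
# i.e. the complement of the corresponding netmask octet.
bcast_addr() {
    oldifs=$IFS
    IFS=.
    set -- $1 $2        # $1..$4 = address octets, $5..$8 = netmask octets
    IFS=$oldifs
    printf '%d.%d.%d.%d\n' \
        $(( $1 | (255 ^ $5) )) $(( $2 | (255 ^ $6) )) \
        $(( $3 | (255 ^ $7) )) $(( $4 | (255 ^ $8) ))
}

# rip_bcast_rules IFACE IP NETMASK -> prints the ipfw commands for IFACE.
# Broadcast UDP is recognised by its destination: the directed broadcast of
# the link or the limited broadcast 255.255.255.255. Unicast to the router
# itself would instead match "to me" and is left to the unicast rules.
rip_bcast_rules() {
    iface=$1
    bcast=$(bcast_addr "$2" "$3")
    # Only RIPv2 (UDP dst-port 520) may arrive as a broadcast on this link.
    echo "ipfw add 1000 allow udp from any to $bcast,255.255.255.255 dst-port 520 in recv $iface"
    # Any other IPv4 broadcast received on the interface is dropped and logged.
    echo "ipfw add 1010 deny log ip from any to $bcast,255.255.255.255 in recv $iface"
}

# Example invocation with constructed values (not from the thread).
rip_bcast_rules em0 192.168.1.10 255.255.255.0
```

Because neither rule carries the `layer2` keyword or a tag, the set behaves the same whether or not net.link.ether.ipfw is enabled: with layer2 filtering on, a denied broadcast is simply dropped in the earlier pass; with it off, the layer3 pass alone does the work. The rules only cover broadcasts sent to the router; RIPv2 multicast (224.0.0.9) and unicast to the router are matched by other rules.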



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070412010122.GA41509>