From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 9 10:20:15 2008
Date: Mon, 09 Jun 2008 14:43:42 +0430
From: "H.fazaeli"
To: David Martens
Cc: freebsd-ipfw@freebsd.org
Subject: Re: fwd problem
Message-ID: <484D0256.6000108@sepehrs.com>
In-Reply-To: <5ADDFC1B-9902-46FB-8C0A-AD153E0B3D30@fresnochristian.com>

. on gateway, place fwd rule before divert.
. run tcpdump & 'ipfw -a list' on __proxy__ and see if packets really reach the proxy/squid or not.
.
A network diagram would be helpful in case the problem still persists.

David Martens wrote:
> I've taken H.Fazaeli's suggestion and moved the proxy to the same
> class C as the gateway with no change.
>
> So now my rule set on the gateway is:
>
> 00100 allow ip from any to any via lo0
> 00110 deny ip from any to 127.0.0.0/8 via en0
> 00800 divert 8668 ip from any to any via en0
> 00850 deny ip from any to any in frag
> 00890 allow ip from any to 192.168.0.2
> 00990 fwd 192.168.0.2 tcp from 192.168.1.60 to any 80
>
> And on the proxy:
>
> 00080 allow tcp from any to any out
> 00100 fwd 127.0.0.1,8082 tcp from 192.168.1.60 to any dst-port 80
>
> For testing purposes I've set the forward to only a single ip
> address. Eventually this will be set to the entire /22 subnet.
>
> A tcpdump on the LAN interface on the gateway indicates traffic from
> 192.168.1.60 and the fwd rule increments, but the packets don't make it
> to the proxy. They are not dropped, the requested web pages load fine
> in the browser, just no proxy.
>
> On Jun 5, 2008, at 2:46 AM, H.fazaeli wrote:
>
>> This is what is happening:
>>
>> 1. Client's packet matches the fwd rule on gateway.
>> 2. gateway tries to fwd packet to 192.168.3.2. For this, it should replace
>>    destination mac address with that of proxy (192.168.3.22).
>> 3. gateway fails to obtain proxy mac address, since it is not on the same
>>    subnet as proxy (can not use arp).
>> 4. fwd rule drops the packet.
>>
>> FIX: assign a 192.168.3.XXX address to the gateway's interface
>> from which the proxy is supposed to be reachable.
>>
>> David Martens wrote:
>>> I'm trying to set up a transparent proxy using two machines, the
>>> gateway and the proxy. The proxy is 192.168.3.22 and is listening
>>> on port 8082. The gateway is 192.168.0.1, subnet is 255.255.252.0
>>> so everything is on the same subnet.
>>>
>>> I set the following rules on the gateway:
>>>
>>> 00100 allow ip from any to any via lo0
>>> 00110 deny ip from any to 127.0.0.0/8 via en0
>>> 00800 divert 8668 ip from any to any via en0
>>> 00850 deny ip from any to any in frag
>>> 00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
>>>
>>> When I get a packet count (ipfw -a list) rule 990 increments when I
>>> try to access a web page.
>>>
>>> On the proxy box I have the following rules:
>>>
>>> 00100 allow tcp from 192.168.3.22 to any
>>> 00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80
>>>
>>> rule 110 never receives any forwarded packets. Any ideas what I've
>>> done wrong here? The http requests do go out, but are not forwarded
>>> through the proxy.
>>> _______________________________________________
>>> freebsd-ipfw@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>
>> --
>> Best regards.
>>
>> Hooman Fazaeli
>> Sepehr S. T. Co. Ltd.
>>
>> Web: http://www.sepehrs.com
>> Tel: (9821)88975701-2
>> Fax: (9821)88983352

--
Best regards.

Hooman Fazaeli
Sepehr S. T. Co. Ltd.
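The second check above (does the fwd rule on the proxy ever count a packet?) is easier to read off a diff of two 'ipfw -a list' snapshots than off the raw listing. The POSIX sh/awk script below is an added example, not code from this thread; it relies only on the counter layout 'ipfw -a list' prints (rule number, packets, bytes, rule body), and the snapshots in the test are constructed.

```shell
#!/bin/sh
# ipfw_delta: report which ipfw rules counted packets between two snapshots.
# Usage on the proxy (or the gateway):
#   ipfw -a list > /tmp/before ; <one test request from the client> ; ipfw -a list > /tmp/after
#   sh ipfw_delta.sh /tmp/before /tmp/after
# Added example for this thread, not code from the original posts.

# Print "rule pkt_delta byte_delta rule-body" for every rule whose packet
# counter changed. Each 'ipfw -a list' line is: rulenum packets bytes body...
ipfw_delta() {
    awk '
        NR == FNR { pkts[$1] = $2; bytes[$1] = $3; next }   # first file: remember counters
        {
            dp = $2 - pkts[$1]; db = $3 - bytes[$1]          # a rule new in "after" counts from 0
            if (dp != 0) {
                body = ""
                for (i = 4; i <= NF; i++) body = body " " $i
                printf "%s %d %d%s\n", $1, dp, db, body
            }
        }' "$1" "$2"
}

# Exit 0 if at least one fwd rule was hit between the snapshots, 1 otherwise.
# On the proxy this answers "do the forwarded packets arrive here at all?".
fwd_was_hit() {
    ipfw_delta "$1" "$2" | awk '$4 == "fwd" { found = 1 } END { exit (found ? 0 : 1) }'
}

if [ $# -eq 2 ]; then
    ipfw_delta "$1" "$2"
    if fwd_was_hit "$1" "$2"; then echo "fwd rule(s) saw traffic"; else echo "no fwd rule saw traffic"; fi
fi
```

If only the 'allow ... out' rule on the proxy moves while the fwd rule stays at zero, the packets are not reaching the proxy and the problem is on the gateway side, which is where the fwd/divert ordering and the ARP reachability of the proxy come in.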
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 9 11:07:01 2008
Date: Mon, 9 Jun 2008 11:07:00 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-Id: <200806091107.m59B70oD070771@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/106534  ipfw       [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6

16 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw       [dummynet] [request] Too few dummynet queue slots
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip

30 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 10 15:23:55 2008
Date: Tue, 10 Jun 2008 22:59:41 +0800
From: "Rosli Sukri"
To: freebsd-ipfw@freebsd.org
Subject: ipfw route to multigateways

hi

scenario:
users---->[lan]freebsdipfw[wan]----->{gw1,gw2}
where gw1 goes to isp1, and gw2 goes to isp2.

requirements:
ftp, http, https traffic goes to gw1
telnet, ssh, mail and pop goes to gw2

can freebsdipfw do this?

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 10 17:53:17 2008
Date: Tue, 10 Jun 2008 10:53:18 -0700
From: Julian Elischer
To: Rosli Sukri
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw route to multigateways
Message-ID: <484EBF8E.3030006@elischer.org>
Rosli Sukri wrote:
> hi
>
> scenario:
> users---->[lan]freebsdipfw[wan]----->{gw1,gw2}
> where gw1 goes to isp1, and gw2 goes to isp2.

easily done, but how do you ensure the return packets come back the same way?

> requirements:
> ftp, http, https traffic goes to gw1
> telnet, ssh, mail and pop goes to gw2

in -current there are several ways to do this, including:

* multiple routing tables
  use a firewall rule to assign incoming packets to different routing
  tables for forwarding (setfib) (-current only)

* Forward rule
  ipfw add 100 fwd tablearg ip from IP1 to table(1) in xx0
  ipfw add 101 fwd tablearg ip from IP2 to table(2) in xx0
  and add routing entries into each table

* or just use a single address if you don't need a table:
  ipfw add 100 fwd ISP1 ip from IP1 to any in xx0
  ipfw add 101 fwd ISP2 ip from IP2 to any in xx0

* natd.. I'm not an expert in this but it can do some of this

* a combination of the above

Natd can be used to NAT your outgoing packets so that the return packets
come back the same way.. either only NAT the packets to one ISP or NAT
them both with different NAT instances. use a fwd rule or setfib rule to
decide which ISP to use, and limit the NAT to processing packets in or
out of that interface.

> can freebsd ipfw do this?
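The "single address" fwd variant from the list above, worked out for the port split in the question (ftp/http/https to gw1, ssh/telnet/smtp/pop3 to gw2) together with one NAT instance per ISP link so that replies come back the way they left. This is an added example, not Julian's or FreeBSD's own script; it assumes two WAN interfaces with each gateway directly on its link's subnet (so fwd can resolve it, as the fwd thread earlier in this digest explains), placeholder addresses, and in-kernel ipfw nat (FreeBSD 7.0 and later) in place of natd.

```shell
#!/bin/sh
# Two-ISP policy routing with ipfw fwd and one NAT instance per ISP link.
# Added example for the question above, not Julian's or FreeBSD's own script.
# Assumptions (placeholders, replace for a real router): em0 faces the LAN,
# em1 carries the link to gw1/isp1, em2 the link to gw2/isp2, each gateway
# is on its link's subnet, the kernel has IPFIREWALL_FORWARD and
# net.inet.ip.forwarding=1, and in-kernel ipfw nat stands in for natd.
# DRY_RUN=1 prints the commands instead of loading them.

LAN_IF=${LAN_IF:-em0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WAN1_IF=${WAN1_IF:-em1}; GW1=${GW1:-203.0.113.1}    # isp1 side (placeholder)
WAN2_IF=${WAN2_IF:-em2}; GW2=${GW2:-198.51.100.1}   # isp2 side (placeholder)

# Service split from the question: ftp/http/https via gw1, ssh/telnet/smtp/pop3 via gw2.
GW1_PORTS=21,80,443
GW2_PORTS=22,23,25,110

fw() {
    # Wrapper so the ruleset can be reviewed (DRY_RUN=1) before it is loaded.
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "ipfw $*"; else /sbin/ipfw "$@"; fi
}

load_rules() {
    fw -f flush
    # Policy decision on the inbound LAN pass. fwd only sets the next hop;
    # it has to come before any NAT/divert rule (the ordering advice earlier
    # in this digest), and the packet is accepted once it matches.
    fw add 100 fwd "$GW1" tcp from "$LAN_NET" to any dst-port "$GW1_PORTS" in via "$LAN_IF"
    fw add 110 fwd "$GW2" tcp from "$LAN_NET" to any dst-port "$GW2_PORTS" in via "$LAN_IF"
    # One NAT instance bound to each ISP interface: outgoing packets leave with
    # that link's address, so replies arrive on the same link and are
    # untranslated there rather than on the other ISP's link.
    fw nat 1 config if "$WAN1_IF"
    fw nat 2 config if "$WAN2_IF"
    fw add 200 nat 1 ip from any to any via "$WAN1_IF"
    fw add 210 nat 2 ip from any to any via "$WAN2_IF"
    # Filtering policy is out of scope here; everything else follows the default route.
    fw add 300 allow ip from any to any
}

case "${1:-}" in
    load) load_rules ;;
    show) DRY_RUN=1; load_rules ;;
esac
```

The interaction to verify on a given release is the one kern/73910 in the bug digest above describes ("serious bug on forwarding of packets after NAT"): watch both WAN links with tcpdump and confirm each service leaves on the intended one and its replies return there.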
From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 13 18:02:22 2008
Date: Fri, 13 Jun 2008 21:50:51 +0400
From: Alexey Beketov
To: freebsd-ipfw@freebsd.org
Subject: ipfw arp protocol filtering

I have two networks, 10.10.0.0/16 both, and if_bridge between them.
There are two different 10.10.0.1 machines in each network. I need to
filter arp on the bridge to make no conflicts between the 10.10.0.1
machines. How can I do this? I am using FreeBSD 7.0 and ipfw.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 13 19:39:04 2008
Date: Fri, 13 Jun 2008 12:22:45 -0700
From: Chuck Swiger
To: Alexey Beketov
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw arp protocol filtering
Message-Id: <733D64F7-47AA-4BCF-9677-08A20D39150A@mac.com>

On Jun 13, 2008, at 10:50 AM, Alexey Beketov wrote:
> I have two networks, 10.10.0.0/16 both, and if_bridge between them.
> There are two different 10.10.0.1 machines in each network. I need to
> filter arp on the bridge to make no conflicts between the 10.10.0.1
> machines. How can I do this? I am using FreeBSD 7.0 and ipfw.

Seriously, dude-- don't even try to do this; you will be drawn into
networking hell.

If you still wish to risk it, consider:

sysctl -w net.link.ether.bridge_ipfw=1
sysctl -w net.link.ether.ipfw=1
ipfw add deny mac any 0:1:2:3:4:5

...add the deny rule twice & change the MAC to match those of your two
10.10.0.1 machines. This won't filter ARP traffic, but instead just
blocks the ethernet addresses of these two machines from passing through
the bridge.

If you really want to block ARP, you're better off switching to using a
router and NAT forwarding rather than a bridge, but I understand there's
a hack like the following:

ipfw add deny udp from 0.0.0.0 2054 to 0.0.0.0

--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 14 02:27:58 2008
Date: Fri, 13 Jun 2008 19:27:54 -0700 (PDT)
From: Edwin Sanjoto
To: freebsd-ipfw@freebsd.org
Subject: About IPFW for IPv6
Message-ID: <285153.62730.qm@web52505.mail.re2.yahoo.com>

Hi Guyz...

Do you know how to set up a firewall for IPv6 using IPFW? Or maybe, if
you are using another firewall like PF, do you know how to set that up?

Thanks Guyz, I will wait for your reply soon...

Regards,
EDWIN Sanyoto (berlowin@yahoo.com)