Date: Tue, 10 May 2005 14:36:52 -0700
From: Jon Simola <jsimola@gmail.com>
To: freebsd-ipfw@freebsd.org, Joshua Paech <josh@slicmedia.com>
Subject: Re: IPFW2 statefulness over bridge?
Message-ID: <8eea04080505101436289b58e7@mail.gmail.com>
In-Reply-To: <42805673.2070401@quo.com.au>
References: <42805673.2070401@quo.com.au>
On 5/9/05, Simon Litchfield <simon@quo.com.au> wrote:
> Hi. We've noticed ipfw2 doesn't seem to maintain state on outgoing
> connections over our bridge (running 5.3 generic). A similar
> configuration worked fine using pf on openbsd.
>
> Are we missing something? Here's the guts of our rule script --

ipfw bridges only get one chance at the packet, because the bdg_forward
path does not have anything similar to ether_output. You can't firewall
packets on their way out of your bridge, only on the way in. So via
doesn't make sense, and "in recv" might make some sense depending on
what you're trying to do. See the diagram in ipfw(8) for details.

> # allow arps (oh yeah, this is important)
> ipfw add allow layer2 mac-type arp

You might want to rewrite your ruleset to split off the layer2 and
layer3 rules, otherwise (depending on your config) each packet will
pass through the entire ruleset twice. Once at layer2, and again at
layer3. Passes at layer2 won't match any rules that don't specify
"layer2" on the rule, and MAC matching doesn't make sense at layer3.

-- 
Jon Simola
Systems Administrator
ABC Communications
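The split ruleset Jon describes, as an added example that is not part of the thread and not the original poster's script. It follows the skipto pattern from the PACKET FLOW section of ipfw(8): rule 10 diverts every layer-2 pass (ether_demux, bdg_forward) to its own block, so the layer-3 rules only ever see packets addressed to or from the host itself, and the layer-2 block uses only "in recv", since the bridge path never presents a packet as "out" or "via". The interface names em0/em1, the 192.0.2.0/24 prefix, the rule numbers and the lint function are assumptions for illustration; the kernel hooks that make layer-2 passes happen at all (the ipfw and bridge sysctls in ipfw(8) and bridge(4) for that release) still have to be enabled separately. Whether keep-state actually tracks bridged flows on 5.3 is exactly what the thread asks and this example does not settle; after loading, `ipfw -d show` lists the dynamic rules that did get created.

```sh
#!/bin/sh
# Added example, not from the thread: a split ipfw2 ruleset for a FreeBSD 5.x
# bridging firewall, plus a lint that enforces the split.
# Assumed placeholders: em0 (upstream port), em1 (LAN port), 192.0.2.0/24
# (LAN prefix, documentation range), rule numbers below.

fwcmd="${fwcmd:-/sbin/ipfw}"
ext_if="${ext_if:-em0}"
int_if="${int_if:-em1}"
lan_net="${lan_net:-192.0.2.0/24}"
l2_block=1000   # first rule number of the layer-2 block

# Emit the whole ruleset through $fwcmd, in order. Run with fwcmd=echo to
# dry-run; the lint below consumes that dry-run output.
load_ruleset() {
    $fwcmd -f flush

    # Rule 10: every layer-2 pass jumps straight to the layer-2 block, so the
    # layer-3 rules are never walked for bridged or just-received frames.
    $fwcmd add 10 skipto "$l2_block" ip from any to any layer2

    # Layer-3 block (100-999): packets from ip_input/ip_output, i.e. traffic
    # for this host. No "layer2" option and no MAC matching in here.
    $fwcmd add 100 check-state
    $fwcmd add 200 allow ip from me to any out keep-state
    $fwcmd add 210 allow tcp from "$lan_net" to me 22 in setup keep-state
    $fwcmd add 999 deny log ip from any to any

    # Layer-2 block (1000+): bridged frames, seen exactly once, on the port
    # they arrived on. Only "in recv", never "out" or "via".
    $fwcmd add 1000 allow layer2 mac-type arp
    $fwcmd add 1010 check-state
    # LAN-originated flows; the reply is matched by the dynamic rule when it
    # arrives on $ext_if (assumption under test: keep-state on a layer-2 pass).
    $fwcmd add 1100 allow ip from "$lan_net" to any layer2 in recv "$int_if" keep-state
    $fwcmd add 1999 deny log ip from any to any layer2
}

# Lint rules read from stdin (one "add N action ..." per line):
#  - below $l2_block, no rule may use layer2/mac/mac-type (skipto excepted);
#  - from $l2_block on, every rule must carry "layer2" (check-state excepted)
#    and must not use "out" or "via", which never match on the bridge path.
# Prints each offender and returns 1 if any were found.
lint_rules() {
    bad=0
    while read -r verb num action rest; do
        [ "$verb" = add ] || continue
        [ "$action" = check-state ] && continue
        [ "$action" = skipto ] && continue
        if [ "$num" -lt "$l2_block" ]; then
            case " $rest " in
                *" layer2 "*|*" mac "*|*" mac-type "*)
                    echo "layer-3 rule $num uses a layer-2 option: $action $rest"
                    bad=1 ;;
            esac
        else
            case " $rest " in
                *" layer2 "*) ;;
                *) echo "layer-2 rule $num lacks layer2: $action $rest"; bad=1 ;;
            esac
            case " $rest " in
                *" out "*|*" via "*)
                    echo "layer-2 rule $num uses out/via, never matched on a bridge: $action $rest"
                    bad=1 ;;
            esac
        fi
    done
    return $bad
}

# Dry-run the ruleset and lint it; exit status 0 means the split is clean.
check_ruleset() {
    ( fwcmd=echo; load_ruleset ) | lint_rules
}

case "${1:-}" in
    load)    check_ruleset && load_ruleset ;;
    dry-run) ( fwcmd=echo; load_ruleset ) ;;
    check)   check_ruleset ;;
esac
```

Usage: `sh bridge-fw.sh check` lints without touching the kernel, `sh bridge-fw.sh dry-run` prints the rules that would be added, and `sh bridge-fw.sh load` flushes and loads them only if the lint passes. The lint is the part worth keeping as the ruleset grows: it catches the two mistakes in the original script that Jon points out (a `via` rule on the bridge path, and MAC matching in rules that also run at layer 3) before they are loaded.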
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8eea04080505101436289b58e7>