From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 28 02:21:22 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F3E5B16A4CE for ; Fri, 28 Nov 2003 02:21:21 -0800 (PST)
Received: from cisovanet.pl (toudi.cisovanet.pl [212.160.158.193]) by mx1.FreeBSD.org (Postfix) with SMTP id 4D83A43FAF for ; Fri, 28 Nov 2003 02:21:20 -0800 (PST) (envelope-from robert@toudi.cisovanet.pl)
Received: (qmail 35678 invoked from network); 28 Nov 2003 10:21:21 -0000
Received: from unknown (HELO toudi.cisovanet.pl) (212.160.158.193) by 0 with SMTP; 28 Nov 2003 10:21:21 -0000
Received: (from robert@localhost) by toudi.cisovanet.pl (8.12.6/8.12.6/Submit) id hASALL9k035676 for freebsd-ipfw@freebsd.org; Fri, 28 Nov 2003 11:21:21 +0100 (CET)
Date: Fri, 28 Nov 2003 11:21:20 +0100
From: Robert Krasicki
To: freebsd-ipfw@freebsd.org
Message-ID: <20031128102120.GB34837@toudi.cisovanet.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Subject: bridge problem
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 28 Nov 2003 10:21:22 -0000

Hello,

I have a problem with bridge & outgoing traffic. Exactly, I can't get ipfw controlling my outgoing traffic from a box acting as a router. e.g.

My external net: 219.122.12.144/28
FreeBSD box router IP: 219.122.12.146 (see ifconfig below)

Rules:
---
ipfw add 100 allow ip from not 219.122.12.144/28 to me in
(the above one works fine). I am able to control incoming traffic.

ipfw add 101 allow ip from me to any out
(ipfw is ignoring this rule.. no traffic is controlled by this one)

ipfw add 102 allow ip from 219.122.12.144/28 to not 219.122.12.144/28 out
(failed, ipfw is ignoring this rule too.. By this rule I meant to control traffic from bridged LAN users to the Internet)

I found out that I can achieve the same by:
ipfw add 102 allow ip from 219.122.12.144/28 to not 219.122.12.144/28 in via bge0
(It works, so now I control incoming traffic from users via bge0).

other rules go here ...

The rules are in order as I wrote above. Rule # 100 is the first rule.. (excluding lo ones)

That's ok, but what if I want to control the outgoing traffic from (e.g. Web Service) on 219.122.12.146 ?

My settings are as follows:

OS:
---
FreeBSD box.foo.com 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #1:

Sysctls:
---
net.inet.ip.fw.one_pass: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0
net.link.ether.ipfw: 1
net.link.ether.bridge_cfg: bge0:1,ed0:1
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0

Kernel options:
---
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=200
options IPDIVERT
options DUMMYNET
options HZ=1000
options IPFIREWALL_DEFAULT_TO_ACCEPT

ed0: flags=8943 mtu 1500
        inet6 ff80::2d1:23ff:feef:3ad1%ed0 prefixlen 64 scopeid 0x1
        inet 219.122.12.146 netmask 0xfffffff0 broadcast 219.122.12.159
        inet 219.122.12.149 netmask 0xffffffff broadcast 219.122.12.149
        ether 00:c0:26:ef:3a:d4
bge0: flags=8943 mtu 1500
        options=1b
        inet6 fe80::20c:6eff:fe0f:7a6b%bge0 prefixlen 64 scopeid 0x2
        ether 00:0c:6e:0f:7a:6b
        media: Ethernet autoselect (100baseTX )
        status: active

Thank you for help!

Best Regards,
Jarek
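The poster's diagnosis ("ipfw is ignoring this rule") rests on watching which rules actually match. The quickest way to confirm that on an ipfw box is the per-rule packet counters that `ipfw -a list` (alias `ipfw show`) prints, so the script below, added here as an example and not part of the post or of FreeBSD's own tooling, parses that output and reports every rule whose counter is still zero together with its direction and interface qualifier. The sample output is constructed to mirror the ruleset in the post: the rule bodies are the poster's, the counter values are made up, and the column layout (rule number, packets, bytes, rule text) is an assumption about `ipfw show` formatting. On the poster's bridging host the two `out` rules are the ones that would show up as never matched, while the `in via bge0` variant would carry traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ipfw -a list` / `ipfw show` output for the ruleset
# in the post. Columns assumed: rule number, packets, bytes, rule body.
# Counter values are invented for illustration.
SAMPLE_IPFW_SHOW = """\
00100   4213  3120457 allow ip from not 219.122.12.144/28 to me in
00101      0        0 allow ip from me to any out
00102      0        0 allow ip from 219.122.12.144/28 to not 219.122.12.144/28 out
00103   9877 10233901 allow ip from 219.122.12.144/28 to not 219.122.12.144/28 in via bge0
65535     12     1044 allow ip from any to any
"""

RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
IFACE_KEYWORDS = ("via", "recv", "xmit")  # ipfw interface qualifiers


@dataclass
class Rule:
    number: int
    packets: int
    bytes_: int
    body: str
    direction: Optional[str]   # "in", "out", or None when the rule matches both
    interface: Optional[str]   # interface named after via/recv/xmit, if any


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one `ipfw show` line; return None for lines that are not rules."""
    m = RULE_RE.match(line)
    if not m:
        return None
    number, packets, nbytes, body = m.groups()
    tokens = body.split()
    direction = next((t for t in tokens if t in ("in", "out")), None)
    interface = None
    for i, tok in enumerate(tokens[:-1]):
        if tok in IFACE_KEYWORDS:
            interface = tokens[i + 1]
            break
    return Rule(int(number), int(packets), int(nbytes), body, direction, interface)


def parse_show(output: str) -> List[Rule]:
    """Parse a whole `ipfw show` dump, skipping anything that is not a rule line."""
    rules = []
    for line in output.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            rules.append(rule)
    return rules


def unmatched_rules(rules: List[Rule]) -> List[Rule]:
    """Rules whose packet counter is still zero: the ones ipfw appears to 'ignore'."""
    return [r for r in rules if r.packets == 0]


def report(output: str) -> List[str]:
    """Human-readable lines, one per never-matched rule, with its qualifiers."""
    lines = []
    for r in unmatched_rules(parse_show(output)):
        where = f"direction={r.direction or 'any'}"
        if r.interface:
            where += f", interface={r.interface}"
        lines.append(f"rule {r.number:05d} never matched ({where}): {r.body}")
    return lines


if __name__ == "__main__":
    # On a real box: ipfw -a list | python3 this_script.py (feed stdin instead)
    for line in report(SAMPLE_IPFW_SHOW):
        print(line)
```

Run it against a live dump by reading `ipfw -a list` from stdin instead of the constructed sample; the point is that a rule with a zero counter after traffic has clearly flowed is not being consulted for that traffic, and the direction/interface columns tell you which variant (here `in via <interface>` rather than `out`) is the one the bridged packets actually hit.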