Date: Sun, 13 Oct 2002 14:05:47 -0700
From: "Crist J. Clark"
To: ipfw@freebsd.org
Subject: BRIDGE requires IPFW in CURRENT

In order to build a kernel with BRIDGE (or to load bridge.ko) you need to also specify IPFW{,2} (or load ipfw.ko first). This is due to the use of fw_one_pass in bridge.c:bdg_forward(). Bug or feature?

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

Date: Sun, 13 Oct 2002 14:16:34 -0700
From: Luigi Rizzo
To: "Crist J. Clark"
Cc: ipfw@FreeBSD.ORG
Subject: Re: BRIDGE requires IPFW in CURRENT

On Sun, Oct 13, 2002 at 02:05:47PM -0700, Crist J. Clark wrote:
> In order to build a kernel with BRIDGE (or to load bridge.ko) you need
> to also specify IPFW{,2} (or load ipfw.ko first). This is due to the
> use of fw_one_pass in bridge.c:bdg_forward(). Bug or feature?
Bug, one of the usual ones when you try to implement modules which use each other's features... fw_one_pass should be declared in the same place as other ipfw variables so it is always present irrespective of kernel config options.

cheers
luigi

Date: Sun, 13 Oct 2002 20:17:11 -0400 (EDT)
From: Andriy Gapon
To: freebsd-ipfw@freebsd.org
Subject: ip broadcast bridging

It looks like broadcast packets are not always bridged correctly.
I have a host that used to be a gateway between 3 LANs, then I changed it to do bridging between two of them (one interface kept its ip address, the other got none) and to be a gateway to the third one, and until recently I haven't bothered to change the firewall rules on that bridge/gateway. I got a bit puzzled when I noticed that the firewall has matches for the rules applicable only to the bridged interface without an ip address. Of course I wouldn't be surprised if I hadn't
net.link.ether.bridge_ipfw: 0
My understanding is that in this situation bridging should happen before the ipfw check and thus ipfw should not see any ip packets on the interface without an ip address.
After enabling logging for the rules in question it looks like only broadcast packets of the bridged subnet originating from the LAN connected to the ip-address-less interface get matched.
Using tcpdump I see that there is nothing wrong with the packets, i.e. they have correct ip and ether source addresses and correct destination: broadcast ip address of the subnet and ff:ff:ff:ff:ff:ff ethernet address.

I have 4.7-RELEASE and ipfw2 on the bridge/gateway.
Sorry if this is not the most appropriate place to discuss this topic.

--
Andriy Gapon
*
"I do not know myself, and God forbid that I should."
Johann Wolfgang von Goethe

Date: Sun, 13 Oct 2002 18:04:25 -0700
From: Luigi Rizzo
To: Andriy Gapon
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ip broadcast bridging

On Sun, Oct 13, 2002 at 08:17:11PM -0400, Andriy Gapon wrote:
>
> It looks like broadcast packets are not always bridged correctly. I have a
...
> matches for the rules applicable only to the bridged interface without an
> ip address. Of course I wouldn't be surprised if I hadn't
> net.link.ether.bridge_ipfw: 0

What you see is perfectly normal.
Bridged interfaces in a cluster are considered as a single "interface", so irrespective of where you get the traffic from, it will be passed up the stack if it has proper addresses, which is what normally happens for multicast and broadcast IP packets.
The fact that the interface has no IP associated does not matter, it is up and running for all practical purposes, and it will recognise the same traffic as the one on the other interface(s) in the cluster which have an IP address assigned.

This is true both for ipfw1 and ipfw2.

cheers
luigi

> My understanding is that in this situation bridging should happen before the ipfw
> check and thus ipfw should not see any ip packets on the interface without
> an ip address.
> After enabling logging for the rules in question it looks like only
> broadcast packets of the bridged subnet originating from the LAN connected to
> the ip-address-less interface get matched.
> Using tcpdump I see that there is nothing wrong with the packets, i.e. they
> have correct ip and ether source addresses and correct destination:
> broadcast ip address of the subnet and ff:ff:ff:ff:ff:ff ethernet
> address.
>
> I have 4.7-RELEASE and ipfw2 on the bridge/gateway.
> Sorry if this is not the most appropriate place to discuss this topic.
>
> --
> Andriy Gapon
> *
> "I do not know myself, and God forbid that I should."
> Johann Wolfgang von Goethe

Date: Sun, 13 Oct 2002 22:57:23 -0400 (EDT)
From: Andriy Gapon
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ip broadcast bridging

On Sun, 13 Oct 2002, Luigi Rizzo wrote:
> What you see is perfectly normal.
>
> Bridged interfaces in a cluster are considered as a single "interface",
> so irrespective of where you get the traffic from, it will be passed
> up the stack if it has proper addresses, which is what normally happens for
> multicast and broadcast IP packets.
> The fact that the interface has no IP associated does not matter, it
> is up and running for all practical purposes, and it will recognise
> the same traffic as the one on the other interface(s) in the cluster
> which have an IP address assigned.
>
> This is true both for ipfw1 and ipfw2.

Luigi, thank you, I think I'm starting to understand how the bridging works.

--
Andriy Gapon
*
"I do not know myself, and God forbid that I should."
Johann Wolfgang von Goethe

Date: Thu, 17 Oct 2002 15:01:32 -0400 (EDT)
From: Andriy Gapon
To: freebsd-ipfw@freebsd.org
Subject: IPFIREWALL_DEFAULT_TO_ACCEPT and bridge
In the situation of a host with 3 interfaces and bridging done between two of them, when would I need the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option? Is it only if I want to filter bridged traffic? Will this option allow all non-ip traffic with IPFW2 or do I need to add the rule for non-ip traffic before the 'deny everything' rule?

--
Andriy Gapon
*
"I do not know myself, and God forbid that I should."
Johann Wolfgang von Goethe

Date: Thu, 17 Oct 2002 21:25:55 -0700
From: "Crist J. Clark"
To: Andriy Gapon
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT and bridge

On Thu, Oct 17, 2002 at 03:01:32PM -0400, Andriy Gapon wrote:
>
> In the situation of a host with 3 interfaces and bridging done between two
> of them, when would I need the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option?

Never.

> Is it only if I want to filter bridged traffic?

You don't need it then either.

> Will this option allow all non-ip traffic with IPFW2 or do I need to add the
> rule for non-ip traffic before the 'deny everything' rule?

If you are just talking about ARP, it should "just work" without the option.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

Date: Fri, 18 Oct 2002 00:32:38 -0400 (EDT)
From: Andriy Gapon
To: "Crist J. Clark"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT and bridge

Thanks a lot!
That's what I suspected; I guess Handbook chapter 19.3.3.3 Firewall Support needs a little update:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/bridging.html

--
Andriy Gapon
*
"I do not know myself, and God forbid that I should."
Johann Wolfgang von Goethe
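The behaviour Luigi explains in the "ip broadcast bridging" thread (a bridge cluster acts as one interface, so broadcast and multicast IP go up the stack and through ipfw whichever member they arrive on, while forwarded unicast only meets ipfw when net.link.ether.bridge_ipfw is set) and Crist's point in the last thread that ARP is not subject to ipfw without any special option, as a simplified model added here. It is not FreeBSD kernel code; the Bridge and Frame classes, interface names and MAC addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

BCAST_MAC = "ff:ff:ff:ff:ff:ff"

def is_group_mac(mac):
    # IEEE group bit (lowest bit of the first octet): set for multicast
    # and for the all-ones broadcast address
    return int(mac.split(":")[0], 16) & 1 == 1

@dataclass
class Frame:
    ingress: str      # bridge member the frame arrived on
    dst_mac: str
    ethertype: str    # "ip" or "arp" in this model

@dataclass
class Bridge:
    members: tuple                 # bridged interfaces, e.g. ("fxp0", "fxp1")
    host_mac: str                  # the host's own address on the cluster
    bridge_ipfw: int = 0           # models net.link.ether.bridge_ipfw
    ipfw_seen: list = field(default_factory=list)   # ingress iface per ipfw check

    def receive(self, frame):
        """Return what was done with the frame: 'stack' if delivered to the
        local IP stack, 'bridged' if switched to the other member(s) at
        layer 2. ipfw runs on IP only, and on the bridged path only when
        bridge_ipfw is on (ipfw2 layer-2 matching is outside this model)."""
        actions = set()
        # The cluster acts as one interface: broadcast/multicast (and frames
        # for our own MAC) go up the stack no matter which member they hit,
        # so ipfw sees them with the IP-less member as the receive interface.
        local = frame.dst_mac == self.host_mac or is_group_mac(frame.dst_mac)
        if local:
            actions.add("stack")
        if frame.dst_mac != self.host_mac:
            actions.add("bridged")
        if frame.ethertype == "ip" and (local or self.bridge_ipfw):
            self.ipfw_seen.append(frame.ingress)
        return actions

def gapon_scenario(bridge_ipfw=0):
    """Replay the set-up from the thread: fxp0 has an IP address, fxp1 has
    none, both are bridged. Returns the ingress interfaces ipfw inspected,
    in order. Interface names and MACs are constructed for the example."""
    br = Bridge(("fxp0", "fxp1"), "00:00:5e:00:53:01", bridge_ipfw)
    traffic = [
        Frame("fxp1", "00:00:5e:00:53:22", "ip"),  # LAN-to-LAN unicast through the bridge
        Frame("fxp1", BCAST_MAC, "ip"),            # IP broadcast from the IP-less side
        Frame("fxp1", BCAST_MAC, "arp"),           # ARP request: not IP, never hits ipfw
        Frame("fxp0", "00:00:5e:00:53:01", "ip"),  # unicast to the host itself
    ]
    for f in traffic:
        br.receive(f)
    return br.ipfw_seen
```

With bridge_ipfw left at 0 the only packet ipfw ever attributes to fxp1 is the broadcast, which is exactly the rule-match pattern reported in the thread.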