From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 7 11:07:13 2011
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 7 Nov 2011 11:07:12 GMT
Message-Id: <201111071107.pA7B7CUq078711@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including experimental
development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw   [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw   [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw   IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
f kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

40 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 8 16:24:40 2011
From: Korodev
To: freebsd-ipfw@freebsd.org
Date: Tue, 8 Nov 2011 09:54:40 -0600
Subject: Protecting bridge interface via external interface and IPFW

I'm currently running a typical bridge setup on 8.2 with if_bridge and ipfw
(tunings below) and I've set up a libpcap tool to monitor packets traversing
the bridge interface. I've got some traffic that I don't want the tool to see,
so I've firewalled it off using ipfw. However, it appears that no matter how I
tune my sysctl knobs, the bridge interface will always see the packet,
regardless of whether or not it's blocked by ipfw at the external physical
interface. I have played with pfil_member, and seen no changes in this
activity.

Are there any modifications, whether it be patches, sysctl tunings, or virtual
interface trickery, to allow IPFW to act as a "shield" for my libpcap program?

Here are my sysctl tunings:

  net.link.bridge.ipfw: 1
  net.link.bridge.pfil_local_phys: 0
  net.link.bridge.pfil_member: 0
  net.link.bridge.pfil_bridge: 0

Edit: It looks like I have the exact same question as this individual, which
was never answered on the forums:
  http://forums.freebsd.org/showthread.php?t=24372

\\korodev

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 8 19:02:29 2011
From: Chuck Swiger
To: Korodev
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 08 Nov 2011 10:01:58 -0800
Message-id: <16D97773-945E-480E-9645-0AC705766536@mac.com>
Subject: Re: Protecting bridge interface via external interface and IPFW

On Nov 8, 2011, at 7:54 AM, Korodev wrote:
[ ... ]
> Are there any modifications, whether it be patches, sysctl tunings, or
> virtual interface trickery to allow IPFW to act as a "shield" to my
> libpcap program?

It's intentional that libpcap/BPF sees traffic before firewall rules, routing,
and so forth are done. However, if the traffic is only coming from one side,
you might get the desired effect by having your program listen to the other
side of the bridge (i.e., the physical interface). Failing that, you could
change your monitoring tool to not pay attention to the traffic you want it to
ignore.

Regards,
-- 
-Chuck
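Chuck's second suggestion, filtering inside the monitoring tool itself, as an added example that is not part of the thread: a capture-callback check in C that drops frames whose IPv4 source or destination falls in a network the ipfw rule denies, since the BPF tap on the bridge hands the tool every frame before ipfw runs. The deny range (10.0.0.0/8), the MAC addresses and the sample frames are constructed for the example; a real libpcap tool would express the same exclusion as a BPF filter string via pcap_compile()/pcap_setfilter() so the kernel discards the frames before they reach userland, but this version keeps the decision in plain C so it runs without libpcap.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* True if addr lies inside net/prefix (both in host byte order). */
static int in_net(uint32_t addr, uint32_t net, int prefix)
{
    uint32_t mask = prefix <= 0 ? 0 : prefix >= 32 ? 0xFFFFFFFFu
                                       : 0xFFFFFFFFu << (32 - prefix);
    return (addr & mask) == (net & mask);
}

/* Userland counterpart of an ipfw rule such as "deny ip from 10.0.0.0/8 to any":
 * BPF taps the bridge before pfil/ipfw runs, so the tool must drop these frames
 * itself.  Returns 1 if the IPv4 source or destination is inside net_str/prefix. */
int should_ignore(const unsigned char *pkt, size_t len, const char *net_str, int prefix)
{
    struct in_addr n;
    uint32_t src, dst;
    if (inet_pton(AF_INET, net_str, &n) != 1 || len < 34) return 0;
    if (((pkt[12] << 8) | pkt[13]) != 0x0800) return 0;        /* non-IPv4: pass through */
    if ((pkt[14] >> 4) != 4 || (pkt[14] & 0x0F) < 5) return 0; /* malformed IPv4 header */
    memcpy(&src, pkt + 26, 4);                                 /* unaligned-safe reads */
    memcpy(&dst, pkt + 30, 4);
    return in_net(ntohl(src), ntohl(n.s_addr), prefix) ||
           in_net(ntohl(dst), ntohl(n.s_addr), prefix);
}

/* Constructed sample frame: Ethernet II + minimal IPv4 header, no payload. */
static size_t build_frame(unsigned char *buf, uint16_t ethertype, const char *src, const char *dst)
{
    struct in_addr a;
    memset(buf, 0, 34);
    memcpy(buf, "\x00\x11\x22\x33\x44\x55\x00\x66\x77\x88\x99\xaa", 12); /* constructed MACs */
    buf[12] = (unsigned char)(ethertype >> 8); buf[13] = (unsigned char)ethertype;
    buf[14] = 0x45; buf[17] = 20; buf[22] = 64; buf[23] = 17;   /* ver/ihl, len, ttl, UDP */
    if (inet_pton(AF_INET, src, &a) == 1) memcpy(buf + 26, &a.s_addr, 4);
    if (inet_pton(AF_INET, dst, &a) == 1) memcpy(buf + 30, &a.s_addr, 4);
    return 34;
}

/* Build one constructed frame and run the exclusion check on it (1 = drop it). */
int demo_case(uint16_t ethertype, const char *src, const char *dst, const char *net, int prefix)
{
    unsigned char frame[34];
    return should_ignore(frame, build_frame(frame, ethertype, src, dst), net, prefix);
}
```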