Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 15 Jan 2004 12:07:27 GMT
From:      Matthias Schuendehuette <>
Subject:   ipfw2 and bridging on 5.2-RELEASE
Message-ID:  <>

Next in thread | Raw E-Mail | Index | Archive | Help
I have serious problems with ipfw2 and bridging on my FreeBSD 5.2-RELEASE 
machine. Fist of all: Is this the right list? Or should I go to 'net' or 
Anyway, here's the situation: 
My bridging machine has three interfaces, 'bge0' with an IP-Adress for 
ssh-access and 'fxp0'(outbound) and 'fxp1'(inbound) for bridging. All the 
network traffic is in a VLAN with VLAN-ID 112, just to mention, with 'vlan0' 
and 'vlan1' as the corresponding vlan-interfaces for 'fxp0' resp. 'fxp1'. 
My bridge configuration is: fxp0:0,fxp1:0,vlan0:1,vlan1:1 
and works with an 'open' firewall without problems. 
My ruleset for testing purposes is fairly straightforward: 
# setup 'lo0' 
00100 allow ip from any to any via lo0 
00200 deny ip from any to 
00300 deny ip from to any 
00400 check-state 
00500 skipto 3000 ip from any to any layer2 
# setup for ssh-access via 'bge0' 
00600 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state 
00700 allow ip from me to any xmit bge0 keep-state 
# rules for the bridge 
03000 allow ip from any to any layer2 mac-type 0x0806  # ARP 
03100 allow tcp from any to any recv fxp1 setup keep-state 
03200 allow udp from any to any recv fxp1 keep-state 
03300 allow icmp from any to any recv fxp1 
03400 allow ip from any to any recv fxp1 
03500 deny log ip from any to any 
65535 deny ip from any to any 
As usual, my first test is pinging from inside to an outside machine. 
Done that, I see, that the ping-requests come through the filtering bridge and 
the ping replies were blocked - so far, so good. 
But the ICMP-Packets use rule #3400 and not #3300, why? 
If I change rule #3300 to "allow icmp from any to any" it still doesn't work, 
only "allow ip from any to any" leeds to a working ping (of course). 
BTW, the same is true for TCP and/or UDP traffic - obviously the IP protocol 
type is not recognized. 
Is this a bug or a feature - or a limitation because of the bridging? 
Or is my understanding wrong in any way? 
I hope, someone can explain this behaviour a bit to me... 
TIA - Matthias 
Matthias Schuendehuette, Berlin, Germany

Want to link to this message? Use this URL: <>