Date:      Thu, 28 Sep 2000 00:08:09 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        afleming@fhsu.edu
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: IPFW, Bridging, and IPX
Message-ID:  <20000928000809.H81242@149.211.6.64.reflexcom.com>
In-Reply-To: <OFD1EAFB26.6610ACB8-ON86256967.00521208@fhsu.edu>; from afleming@fhsu.edu on Wed, Sep 27, 2000 at 10:12:49AM -0500
References:  <OFD1EAFB26.6610ACB8-ON86256967.00521208@fhsu.edu>

On Wed, Sep 27, 2000 at 10:12:49AM -0500, afleming@fhsu.edu wrote:
> I have a FreeBSD 4.1 that I am setting up as a Filtering Bridge.  I have
> added the following to my kernel and rebuilt it.
> 
>      options BRIDGE
>      options IPFIREWALL
>      options IPFIREWALL_VERBOSE
> 
> I have the bridge working correctly.  Currently I have the firewall rules
> set to open, so any IP traffic goes through.  This is working so far, but
> it was my understanding that a FreeBSD Bridge would only Bridge IP, but
> when I put a sniffer on the inside of the bridge, I keep seeing IPX
> broadcasts (as well as AppleTalk broadcasts).

Did you put in a default accept rule? IIRC, that's the rule that passes
_anything_.

> Has the bridge code recently changed? 

Possibly, but I believe it has always forwarded all Ethernet
frames. That is, it has always forwarded IPX and AppleTalk. It is what
I, personally, would expect. It is a bridge after all.

> Is there a way I can block
> everything but IP and ARP traffic?  I know ARP's Ethernet protocol number
> is 2054.  Can I use the special UDP rule to block IPX and Apple based on
> its protocol number?

I've never tried using that UDP port 2054 kludge to pass ARP. I would
expect if you put in a default drop, and only passed IP and ARP
(assuming that it still works and works properly, I've never seen docs
or tested it), that you would get what you want.

But as I always point out, ipfw is meant to deal with _IP_ packets and
not link layer frames. Any attempt to filter non-IP with ipfw is not
going to be pretty.

If that does not work, you can block all non-IP, but then run an ARP
proxy on the bridge machine.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
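The default-drop, IP-and-ARP-only policy discussed above, as an added example that is not part of the thread and is not ipfw code: a small Python model that classifies Ethernet frames by EtherType (ARP is 0x0806, i.e. 2054 decimal, as the original poster notes) and forwards only IP and ARP. The function names and the sample frames are constructed for this example; as the reply says, ipfw works on IP packets, so this models the link-layer decision a bridge would need rather than an ipfw ruleset.

```python
import struct

# IEEE EtherType assignments for the protocols named in the thread.
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806        # 2054 decimal, the number quoted in the question
ETHERTYPE_IPX = 0x8137
ETHERTYPE_APPLETALK = 0x809B
ETHERTYPE_VLAN = 0x8100       # 802.1Q tag; real EtherType follows the tag

# Default-drop policy: only these two types are bridged.
ALLOWED = {ETHERTYPE_IP, ETHERTYPE_ARP}


def ethertype_of(frame: bytes) -> int:
    """Return the EtherType of an Ethernet frame, or -1 if it cannot be read.

    Bytes 12-13 hold the type. A value of 1500 or less is an 802.3 length
    field (e.g. raw-802.3 IPX), not a protocol type, so it is reported as -1.
    A single 802.1Q tag is skipped so the inner EtherType is returned.
    """
    if len(frame) < 14:
        return -1
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return -1
        (etype,) = struct.unpack("!H", frame[16:18])
    return etype if etype > 1500 else -1


def bridge_filter(frame: bytes) -> str:
    """Decide what a filtering bridge with a default drop would do with a frame."""
    return "forward" if ethertype_of(frame) in ALLOWED else "drop"


def make_frame(etype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal broadcast Ethernet II frame (constructed sample data)."""
    dst = b"\xff" * 6                       # broadcast, like the IPX/AppleTalk chatter seen
    src = bytes.fromhex("0200deadbeef")     # locally administered, constructed address
    return dst + src + struct.pack("!H", etype) + payload


def make_raw_8023_frame(length: int = 46) -> bytes:
    """Build a raw-802.3 style frame whose type field is actually a length."""
    return b"\xff" * 6 + bytes.fromhex("0200deadbeef") + struct.pack("!H", length) + b"\xff\xff" + b"\x00" * (length - 2)


def summarize(frames) -> dict:
    """Count forward/drop decisions over a list of frames."""
    counts = {"forward": 0, "drop": 0}
    for f in frames:
        counts[bridge_filter(f)] += 1
    return counts
```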