Date:      Tue, 28 Nov 2000 23:08:16 +1100 (EST)
From:      Camson Huynh <Camson.Huynh@eBioinformatics.com>
To:        Luigi Rizzo <rizzo@aciri.org>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: bridge + ipfw
Message-ID:  <Pine.SOL.4.10.10011282256240.17236-100000@shad.au.int.en-bio.com>
In-Reply-To: <200011281133.eASBXDi47151@iguana.aciri.org>

Luigi,

On Tue, 28 Nov 2000, Luigi Rizzo wrote:

> > with ipfw and bridging? I have fully tested the intel cards and they are
> > functioning ok. I'm currently running FreeBSD 4.2-STABLE. This behaviour
> > happens on FreeBSD 4.2-RELEASE and FreeBSD 4.1X also which prompted me to
> > upgrade to 4.2 stable.
> 
> first: i am not totally sure the 'via' specifier makes sense
> for a bridge.
> second: are you sure you have set the sysctl variable
> net.link.ether.bridge_cfg
Yes I've checked this. It holds fxp0 and fxp1.

> so that it holds the names of the two new cards and not the old
> ones ? Other than that I can think of two things:
> 1) you are blocking ARP (the kernel ipfw hack to pass ARP was deleted in 4.x
> and so i think you need to run a 'default_to-accept' firewall
> so the default rule will match and pass non-ip packets. you can still
> block unwanted ip traffic with a rule like 65500 deny ip from any to any

The above doesn't explain why everything works with the ne2000 cards but not the Intel
EtherExpress Pro 100. The same set of rules allows ARP entries through the ne2000 cards
but not the Intel ones. Also, from the /etc/rc.firewall that came with FreeBSD 4.2:
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0
which I've done, unless the rc.firewall file is out of date. My set of rules
blocks out everything except ICMP and SSH. It doesn't explain why I'm
able to telnet in if ARP is blocked.

Anyway, I'll try compiling with default_to-accept option and see how things go.

Thanks,

Camson
> 
> 2) the fxp card uses dma to read/write into the mbuf, and so there might
> be some timing issues which are not present with the 'ed' driver.
> i fixed them on 3.x, but have no idea on what is the status on 4.x
> (though i strongly doubt this is the problem)
> 
> 	cheers
> 	luigi
> 
> > 
> > My configuration consists of 2 Intel Pro cards. The external fxp0 has an IP
> > assigned to it, whereas the internal fxp1 does not. The ipfw rules only allow
> > incoming ssh + icmp packets and deny everything else. Outgoing traffic is
> > not restricted. The behaviour I'm seeing is that I can ping ok. I cannot ssh
> > in but am still able to telnet in !!!
> > 
> > My kernel config includes:
> > options	IPFIREWALL
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT=100
> > options BRIDGE
> > 
> > My firewall rules:
> > 
> > ${fwcmd} -f flush
> > ${fwcmd} add 100 check-state
> > 
> > ${fwcmd} add 200 pass all from any to any via lo0
> > ${fwcmd} add 300 deny all from any to 127.0.0.0/8
> > # If you're using 'options BRIDGE', uncomment the following line to pass ARP
> > ${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0
> > 
> > # Throw away RFC 1918 networks
> > ${fwcmd} add deny ip from 10.0.0.0/8 to any in via ${oif}
> > ${fwcmd} add deny ip from 172.16.0.0/12 to any in via ${oif}
> > ${fwcmd} add deny ip from 192.168.0.0/16 to any in via ${oif}
> > 
> > # Allow the bridge machine to say anything it wants (keep state if UDP)
> > ${fwcmd} add pass udp from ${bridge_ip} to any keep-state
> > ${fwcmd} add pass ip from ${bridge_ip} to any
> > 
> > # Allow the inside net to say anything it wants (keep state if UDP)
> > ${fwcmd} add pass udp from any to any in via ${iif} keep-state
> > ${fwcmd} add pass ip from any to any in via ${iif}
> > 
> > # Allow all manner of ICMP
> > ${fwcmd} add pass icmp from any to any
> > 
> > # established TCP sessions are ok everywhere.
> > ${fwcmd} add pass tcp from any to any established
> > 
> > # Pass SSH
> > ${fwcmd} add pass tcp from any to any 22 in via ${oif}
> > 
> > # Everything else is denied
> > ${fwcmd} add deny ip from any to any
> > 
> > ------------
> > 
> > camson

Camson Huynh                               eBioinformatics - Bay 16 Suite 104
Senior Systems Administrator               Australian Technology Park
Email: Camson.Huynh@eBioinformatics.com    NSW 1430 Australia
Ph: +61 2 9209 4749  Fax: +61 2 9209 4747  URL: http://eBioinformatics.com/
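To see what the ruleset quoted in this thread should do under ipfw's first-match evaluation, here is an added model (not code from the thread or from FreeBSD) that runs the rules in order over a few constructed packets. It assumes oif=fxp0, iif=fxp1 and a bridge address of 192.0.2.1, ignores check-state/keep-state, and represents ARP as the 0.0.0.0 UDP packet with source port 2054 that the rc.firewall ARP rule is written to match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed values of ${oif}, ${iif} and ${bridge_ip} (not given in the thread).
OIF, IIF, BRIDGE_IP = "fxp0", "fxp1", "192.0.2.1"

@dataclass
class Pkt:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    iface: str = ""     # interface the packet arrived on
    new: bool = True    # True = connection attempt, i.e. not 'established'

# The thread's ruleset, one dict per rule, in evaluation order (check-state omitted).
RULES = [
    dict(name="pass lo0",             act="pass", proto="all",  via="lo0"),
    dict(name="deny to 127/8",        act="deny", proto="all",  dst="127.0.0.0/8"),
    dict(name="pass ARP",             act="pass", proto="udp",  src="0.0.0.0/32", sport=2054, dst="0.0.0.0/32"),
    dict(name="deny 10/8 in oif",     act="deny", proto="ip",   src="10.0.0.0/8", in_via=OIF),
    dict(name="deny 172.16/12 in oif", act="deny", proto="ip",  src="172.16.0.0/12", in_via=OIF),
    dict(name="deny 192.168/16 in oif", act="deny", proto="ip", src="192.168.0.0/16", in_via=OIF),
    dict(name="pass udp from bridge", act="pass", proto="udp",  src=BRIDGE_IP + "/32"),
    dict(name="pass ip from bridge",  act="pass", proto="ip",   src=BRIDGE_IP + "/32"),
    dict(name="pass udp in iif",      act="pass", proto="udp",  in_via=IIF),
    dict(name="pass ip in iif",       act="pass", proto="ip",   in_via=IIF),
    dict(name="pass icmp",            act="pass", proto="icmp"),
    dict(name="pass established",     act="pass", proto="tcp",  established=True),
    dict(name="pass ssh in oif",      act="pass", proto="tcp",  dport=22, in_via=OIF),
    dict(name="deny all",             act="deny", proto="ip"),
]

def matches(r, p):
    """True when every qualifier present on rule r matches packet p."""
    if r["proto"] not in ("ip", "all", p.proto): return False
    if "src" in r and ip_address(p.src) not in ip_network(r["src"]): return False
    if "dst" in r and ip_address(p.dst) not in ip_network(r["dst"]): return False
    if "sport" in r and p.sport != r["sport"]: return False
    if "dport" in r and p.dport != r["dport"]: return False
    if "via" in r and p.iface != r["via"]: return False
    if "in_via" in r and p.iface != r["in_via"]: return False
    if r.get("established") and p.new: return False
    return True

def verdict(p):
    """First matching rule decides, as ipfw does; returns (action, rule name)."""
    for r in RULES:
        if matches(r, p):
            return r["act"], r["name"]
    raise AssertionError("unreachable: the final rule matches all IP")
```

Read as written, the rules pass an SSH connection arriving on fxp0 and deny a telnet one, the opposite of what was observed, so whatever is happening on the bridge, the 'in via' qualifiers are not being matched the way the ruleset assumes.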