Date:      Sat, 7 Jul 2007 18:25:51 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Dave McCammon <davemac11@yahoo.com>
Cc:        stable@freebsd.org
Subject:   Re: ipfw with if_bridge oddity
Message-ID:  <Pine.BSF.3.96.1070707180324.4516A-100000@gaia.nimnet.asn.au>
In-Reply-To: <868934.77972.qm@web32811.mail.mud.yahoo.com>

On Fri, 6 Jul 2007, Dave McCammon wrote:

 > I can't seem to grasp why this is working differently.
 > FreeBSD 6.2 using ipfw + if_bridge
 > 
 > LAN -- em1(if_bridge + ipfw)em0 -- internet
 > 
 > I am at xx.xx.16.6 and try to ping say www.yahoo.com
 > 
 > in ruleset:
 > 1100 allow icmp from any to xx.xx.16.0/27{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
 > 2100 allow ip from xx.xx.16.0/27 to any in via em1

Seeing no one more knowledgeable has had a go, and with the caveat that
I've never set up an if_bridge(4) but still maintain a bridge(4)+ipfw ..

Rule 2100 lets your ping in, and 1100 allows the response (in and out).

 > gets dropped by following rule as shown in logs:
 > 
 > 4700 deny log ip from any to any
 > 
 > Log entry: ipfw: 4700 Deny ICMP:8.0 xx.xx.16.6 69.147.114.210 out via em0

Denied because you have no rule letting it go out, it seems.

 > If I add this rule all works great:
 > 
 > 2101 allow icmp from xx.xx.16.0/27 to any recv em1

Which allows it both in and out (neither specified).

 > Why would the "recv em1" work and the "in via em1" get blocked?
 > 
 > I just changed from using bridge(4) to if_bridge using the same ruleset.

Only inbound bridged packets are passed to ipfw from bridge(4) .. once
allowed in, they go out.  My reading of if_bridge(4) suggests that ipfw
(etc) may also be examining outbound bridged packets, depending on the
sysctls.  How have you got the sysctls mentioned in if_bridge(4) set?

 > The rest of my ruleset seems to be working fine but this problem is causing me a little paranoia
 > about the effectiveness of the firewall.
 > 
 > Also, should I still be seeing "deny (snip) in via bridge0" messages in my logs
 > if I have this set "net.link.bridge.pfil_bridge: 0"?

Dunno.

Cheers, Ian
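As an added illustration (not code from the thread or from FreeBSD): a small Python model of the two ipfw passes Ian describes, showing why rule 2100's `in via em1` matches only the inbound pass on em1 while 2101's `recv em1` also matches the outbound pass on em0, where the receive interface is still em1. It assumes 192.0.2.0/27 as a placeholder for the list's xx.xx.16.0/27 and collapses the host list on rule 1100 to the whole /27.

```python
# Toy model of ipfw(8) first-match evaluation for a bridged ICMP echo
# request that if_bridge(4) hands to the firewall twice: inbound on the
# LAN member (em1) and again outbound on the WAN member (em0).
import ipaddress

LAN = ipaddress.ip_network("192.0.2.0/27")  # placeholder for xx.xx.16.0/27
ANY = ipaddress.ip_network("0.0.0.0/0")

def rule(num, action, proto, src, dst, **opts):
    """opts mirror the keywords in the thread: direction, via, recv, icmptypes."""
    return dict(num=num, action=action, proto=proto, src=src, dst=dst, **opts)

def matches(r, pkt):
    # "via" checks the outgoing interface on the outbound pass and the
    # receiving interface otherwise; "recv" always checks where it arrived.
    via_if = pkt["xmit"] if pkt["direction"] == "out" else pkt["recv"]
    return (r["proto"] in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and r.get("direction", pkt["direction"]) == pkt["direction"]
            and r.get("via", via_if) == via_if
            and r.get("recv", pkt["recv"]) == pkt["recv"]
            and pkt.get("icmptype") in r.get("icmptypes", {pkt.get("icmptype")}))

def first_match(rules, pkt):
    """Number of the first rule that matches, as ipfw stops at the first hit."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, pkt):
            return r["num"]
    raise LookupError("no rule matched; ipfw would fall to the default rule")

# Rules from the thread; rule 1100's host list is collapsed to the /27.
BASE = [
    rule(1100, "allow", "icmp", ANY, LAN, icmptypes={0, 3, 11, 12, 13, 14}),
    rule(2100, "allow", "ip", LAN, ANY, direction="in", via="em1"),
    rule(4700, "deny", "ip", ANY, ANY),
]
RULE_2101 = rule(2101, "allow", "icmp", LAN, ANY, recv="em1")

def trace_echo_request(rules):
    """Rule numbers deciding the two passes of one LAN -> Internet ping."""
    pkt = dict(proto="icmp", src="192.0.2.6", dst="69.147.114.210", icmptype=8)
    inbound = dict(pkt, direction="in", recv="em1", xmit=None)
    outbound = dict(pkt, direction="out", recv="em1", xmit="em0")
    return [first_match(rules, inbound), first_match(rules, outbound)]

if __name__ == "__main__":
    print(trace_echo_request(BASE))                # [2100, 4700]
    print(trace_echo_request(BASE + [RULE_2101]))  # [2100, 2101]
```

The second pass is the one the log line "4700 Deny ICMP:8.0 ... out via em0" records; the echo reply coming back is caught by 1100 on both passes because that rule names neither a direction nor an interface.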