Date: Mon, 13 Apr 2009 18:07:47 +0700
From: Павел. <buffoon2001@mail.ru>
To: freebsd-questions@freebsd.org
Subject: problem with bridge + ipfw
Message-ID: <E1LtK0x-000325-00.buffoon2001-mail-ru@f102.mail.ru>
Hi! I have run into the following problem: I set up a bridge on FreeBSD 6.3 with the if_bridge module, but the traffic passing through the bridge is not filtered. This is how everything looks:

#ifconfig
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether 00:a0:c9:65:c1:35
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether 00:90:27:85:b7:95
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether 4c:00:10:60:67:ca
        media: Ethernet autoselect
        status: no carrier
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 192.168.5.28 netmask 0xffffff00 broadcast 192.168.5.255
        ether 00:0f:ea:f9:a6:ff
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether b6:c3:a2:cc:06:65
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: fxp1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: fxp0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>

#sysctl -a |grep bridge
net.link.ether.bridge_cfg:
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge.config:
net.link.ether.bridge.enable: 0
net.link.ether.bridge.predict: 0
net.link.ether.bridge.dropped: 0
net.link.ether.bridge.packets: 0
net.link.ether.bridge.ipfw_collisions: 0
net.link.ether.bridge.ipfw_drop: 0
net.link.ether.bridge.copy: 0
net.link.ether.bridge.ipfw: 1
net.link.ether.bridge.ipf: 0
net.link.ether.bridge.debug: 0
net.link.ether.bridge.version: 031224
net.link.bridge.pfil_onlyip: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_local_phys: 1
net.link.bridge.log_stp: 0
net.link.bridge.ipfw: 1

#ipfw show
00100        0          0 allow ip from 85.159.31.54 to any layer2 via bridge0
00200        6       5885 allow ip from 85.159.31.54 to any layer2
00300        0          0 allow ip from 85.159.31.54 to any layer2 via fxp1
00400        0          0 allow ip from 85.159.31.54 to any layer2 via fxp0
00500        0          0 allow ip from 85.159.31.54 to any via fxp0
00600        0          0 allow ip from 85.159.31.54 to any layer2 via bridge0 mac-type 0x8100
00700        0          0 allow ip from 85.159.31.54 to any via bridge0 mac-type 0x8100
00800        0          0 allow ip from 85.159.31.54 to any via fxp0 mac-type 0x8100
00900        0          0 allow ip from 85.159.31.54 to any via fxp1 mac-type 0x8100
01000        0          0 allow ip from 85.159.31.54 to any via bridge0 layer2 MAC any any mac-type 0x8100
01100        0          0 allow ip from 85.159.31.54 to any via bridge0 MAC any any mac-type 0x8100
01200        0          0 allow ip from 85.159.31.54 to any via bridge0 mac-type 0x8100
01300 10874732  657168582 count ip from any to any layer2 via bridge0
01400    82562    7154845 count ip from any to any not layer2 via bridge0
01500 10611069  640854269 count ip from any to any layer2 via bridge0 mac-type 0x8100
01600    77929    6682967 count ip from any to any layer2 via bridge0 mac-type 0x0800
01700        0          0 count ip from any to any not layer2 via bridge0 mac-type 0x8100
01800        0          0 count ip from any to any not layer2 via bridge0 mac-type 0x0800
01900        0          0 count ip from any to any not layer2 via bridge0 mac-type 0x8100
02000        0          0 count ip from 85.159.31.54 to any layer2 via bridge0 mac-type 0x8100
02100        0          0 count ip from 85.159.31.54 to any layer2 via bridge0 mac-type 0x0800
02200        0          0 count ip from 85.159.31.54 to any not layer2 via bridge0 mac-type 0x8100
02300        0          0 count ip from 85.159.31.54 to any not layer2 via bridge0 mac-type 0x0800
02400   640285  437872365 count ip from any to any layer2 via fxp0
02500     4019     426922 count ip from any to any not layer2 via fxp0
02600   621668  426064356 count ip from any to any layer2 via fxp0 mac-type 0x8100
02700     1091     142307 count ip from any to any layer2 via fxp0 mac-type 0x0800
02800        0          0 count ip from any to any not layer2 via fxp0 mac-type 0x8100
02900        0          0 count ip from any to any not layer2 via fxp0 mac-type 0x0800
65535 146210062 61716361162 allow ip from any to any

The connection scheme is: <--cisco-trunk--><--bridge--><--cisco-trunk-->

As you can see, most packets do not go above layer2. I would like to know how I can filter them. If I use a simple hub instead of one of the Catalysts, the packets are filtered. What could the problem be?
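To read the counters in the post above more systematically, here is an added example (not code from the original message or from FreeBSD) that parses a subset of the posted `ipfw show` lines and tallies, per interface, how many packets were counted on the layer2 path versus the IP ("not layer2") path, and which mac-type the layer2 packets carried. The sample rules and counters are copied from the post; the helper names (`parse_rules`, `path_counts`, `ethertype_breakdown`, `tagged_fraction`, `zero_hit_rules`) are my own. On that data the bridge0 counters put almost every packet on the layer2 path with mac-type 0x8100, and the rules that combine an IP source address with `mac-type 0x8100` are among those that never matched.

```python
"""Tally `ipfw show` counters to see which ipfw path bridged frames take.

Added example for the post above, not code from the original message.
Assumes the standard `ipfw show` line layout: rule number, packet count,
byte count, action, then the rule body.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the rules quoted in the post (counters as posted).
IPFW_SHOW = """\
00200 6 5885 allow ip from 85.159.31.54 to any layer2
00600 0 0 allow ip from 85.159.31.54 to any layer2 via bridge0 mac-type 0x8100
01300 10874732 657168582 count ip from any to any layer2 via bridge0
01400 82562 7154845 count ip from any to any not layer2 via bridge0
01500 10611069 640854269 count ip from any to any layer2 via bridge0 mac-type 0x8100
01600 77929 6682967 count ip from any to any layer2 via bridge0 mac-type 0x0800
01700 0 0 count ip from any to any not layer2 via bridge0 mac-type 0x8100
01800 0 0 count ip from any to any not layer2 via bridge0 mac-type 0x0800
65535 146210062 61716361162 allow ip from any to any
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


def parse_rules(text):
    """Parse `ipfw show` output into dicts; lines that are not rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, pkts, nbytes, action, body = m.groups()
        not_l2 = re.search(r"\bnot layer2\b", body) is not None
        via = re.search(r"\bvia (\S+)", body)
        mac = re.search(r"\bmac-type (0x[0-9a-fA-F]+)", body)
        src = re.search(r"\bfrom (\S+)", body)
        rules.append({
            "num": int(num),
            "pkts": int(pkts),
            "bytes": int(nbytes),
            "action": action,
            "body": body,
            # "layer2" selects the Ethernet-level ipfw pass; "not layer2" the IP pass.
            "layer2": (not not_l2) and re.search(r"\blayer2\b", body) is not None,
            "not_layer2": not_l2,
            "via": via.group(1) if via else None,
            "mac_type": mac.group(1).lower() if mac else None,
            "src": src.group(1) if src else None,
        })
    return rules


def _generic_counts(rules, iface):
    """Count rules that match everything on one interface (from any to any, no mac-type)."""
    return [r for r in rules
            if r["action"] == "count" and r["via"] == iface
            and r["src"] == "any" and r["mac_type"] is None]


def path_counts(rules, iface):
    """Packets seen on the layer2 pass vs the IP pass for an interface."""
    out = {"layer2": 0, "not layer2": 0}
    for r in _generic_counts(rules, iface):
        if r["layer2"]:
            out["layer2"] += r["pkts"]
        elif r["not_layer2"]:
            out["not layer2"] += r["pkts"]
    return out


def ethertype_breakdown(rules, iface):
    """Layer2 packets on an interface split by the mac-type each count rule names."""
    out = defaultdict(int)
    for r in rules:
        if (r["action"] == "count" and r["via"] == iface and r["layer2"]
                and r["src"] == "any" and r["mac_type"] is not None):
            out[r["mac_type"]] += r["pkts"]
    return dict(out)


def tagged_fraction(rules, iface):
    """Share of the layer2 packets that carried ethertype 0x8100 (802.1Q tag)."""
    by_type = ethertype_breakdown(rules, iface)
    total = sum(by_type.values())
    return by_type.get("0x8100", 0) / total if total else 0.0


def zero_hit_rules(rules):
    """Rule numbers that never matched, for spotting rules written for the wrong pass."""
    return [r["num"] for r in rules if r["pkts"] == 0]


if __name__ == "__main__":
    rules = parse_rules(IPFW_SHOW)
    print("bridge0 pass counts:", path_counts(rules, "bridge0"))
    print("bridge0 layer2 by mac-type:", ethertype_breakdown(rules, "bridge0"))
    print("tagged fraction: %.4f" % tagged_fraction(rules, "bridge0"))
    print("rules with zero hits:", zero_hit_rules(rules))
```

Feed it the full `ipfw show` output instead of the embedded sample to get the same breakdown for fxp0, where the posted counters show the same pattern (layer2 dominated by 0x8100).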
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1LtK0x-000325-00.buffoon2001-mail-ru>