Date:      21 Feb 2002 10:57:39 -0800
From:      Mike Jackson <mjackson@willamette.net>
To:        freebsd-questions@FreeBSD.ORG
Subject:   4.5REL netgraph/bridging/ipfw interaction question
Message-ID:  <1014317859.65133.31.camel@perseus.willamette.net>

As they say, long time reader, first time poster, so if I'm not doing
this correctly, please refrain from flaming...

I'm the tech support/sys admin person for a small ISP. For the last
couple months I've been maintaining our firewall. Previous to the
release of 4.5-REL, it was running 4.4-REL, but I figured I'd upgrade
since there were supposed to be improvements to the TCP stack. The
machine has three Netgear FA310X NICs in it, dc0-2. dc0 is set up with
an IP, while the other two were bridged via the sysctl.conf file and
firewall functions were handled by ipfw. Under 4.4 this worked fine, but
when I installed 4.5 and moved over the config files (same rc.conf and
sysctl.conf) it seemed to ignore the bridging configuration altogether
and simply bridged all three interfaces. I figured out a workaround
using netgraph and the /usr/share/examples/netgraph/ether.bridge script
(only change I made was changing the interface names). (BTW, the
documentation and release notes say there were some changes to the
bridging code in 4.5, but they don't say WHAT changed...very annoying.)
This worked fine for a while, but about two weeks ago it seems ipfw
mysteriously stopped filtering the bridged traffic on dc1 and dc2, but
it appears to still be filtering dc0 (the non-bridged, IPed interface)
and the bridged traffic was still being passed sans filtering. It had
been working, because I could see in the security log that it had been
and I had been checking the "ipfw show" output periodically. To my
knowledge no changes were made to the system around the time it stopped
filtering; the last changes anywhere had been made over seven days
before it stopped filtering.

So, my questions are:

1) Do netgraph bridging and ipfw play nicely together under 4.5?
2) Why doesn't bridging work the same via sysctl under 4.5 as it did
under 4.4?
3) Any idea why it would just suddenly stop filtering the bridged
interfaces?

I can provide specific configuration examples if it would be helpful,
though naturally I'm a bit reluctant considering it's supposed to be our
first line of defense. I'm working on a make world with CVSUPed stable
source to see if rebuilding things will help. Any other suggestions
would be most helpful, and TIA.
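The poster says he had been checking "ipfw show" output periodically to confirm the bridged interfaces were still being filtered. The script below is an added example, not code from the original post or from FreeBSD, that automates that check: it takes two snapshots of `ipfw show` output and reports rules whose packet counters did not move between them, which is the symptom described above (bridged traffic passing without the rules seeing it). The two snapshots embedded here are constructed sample data in the `ipfw show` format (rule number, packets, bytes, rule body); the rule numbers, interface names and counts are illustrative, not the poster's real rule set.

```shell
#!/bin/sh
# Added example (not from the original post): detect ipfw rules whose
# packet counters have stopped moving between two "ipfw show" snapshots.
# In real use, take the snapshots a few minutes apart, e.g.
#   T0=$(ipfw show); sleep 300; T1=$(ipfw show)
# and call: stale_rules "$T0" "$T1"

# Constructed sample snapshots (not real output from the poster's box).
# Format per line: <rule number> <packets> <bytes> <rule body>
SNAP_T0='00100 1523 184930 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 48211 60234011 allow tcp from any to any established
00400 912 71120 deny ip from 10.0.0.0/8 to any in via dc1
00500 3310 402118 allow ip from any to any via dc0
65535 77 6160 deny ip from any to any'

SNAP_T1='00100 1601 194212 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 48211 60234011 allow tcp from any to any established
00400 912 71120 deny ip from 10.0.0.0/8 to any in via dc1
00500 3402 413900 allow ip from any to any via dc0
65535 80 6400 deny ip from any to any'

# stale_rules OLD NEW
# Prints the rule numbers whose packet counter is identical in both
# snapshots.  Rules with zero hits in both are skipped: a rule that has
# never matched is not evidence that filtering stalled.
stale_rules() {
    { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } | awk '
        /^---$/          { second = 1; next }
        !second          { pkts[$1] = $2; next }
        ($1 in pkts) && pkts[$1] == $2 && $2 != 0 { print $1 }
    '
}

# stale_count OLD NEW
# Number of stalled rules; a non-zero result is what a cron job would
# alert on.
stale_count() {
    stale_rules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: list stalled rules from the sample data and exit
# non-zero if any were found, so the script can be used directly in cron.
if [ "${1:-}" = "--demo" ]; then
    stale_rules "$SNAP_T0" "$SNAP_T1"
    [ "$(stale_count "$SNAP_T0" "$SNAP_T1")" -eq 0 ]
fi
```

Rules 00300 and 00400 are the ones that should stand out in the sample: the `via dc0` rule and the default rule keep counting while the rule on the bridged interface `dc1` and the `established` rule sit still, which is exactly the pattern that would show bridged traffic bypassing the filter while the non-bridged interface is still filtered. Run it on a quiet link with a longer interval, otherwise idle rules produce false alarms.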
