From owner-freebsd-questions Thu Feb 21 10:57:44 2002
Subject: 4.5REL netgraph/bridging/ipfw interaction question
From: Mike Jackson <mjackson@willamette.net>
To: freebsd-questions@FreeBSD.ORG
Date: 21 Feb 2002 10:57:39 -0800
Message-Id: <1014317859.65133.31.camel@perseus.willamette.net>

As they say, long time reader, first time poster, so if I'm not doing this correctly, please refrain from flaming...

I'm the tech support/sysadmin person for a small ISP. For the last couple of months I've been maintaining our firewall. Prior to the release of 4.5-REL it was running 4.4-REL, but I figured I'd upgrade since there were supposed to be improvements to the TCP stack.

The machine has three Netgear FA310X NICs in it, dc0-2. dc0 is set up with an IP, while the other two were bridged via the sysctl.conf file, and firewall functions were handled by ipfw. Under 4.4 this worked fine, but when I installed 4.5 and moved over the config files (same rc.conf and sysctl.conf) it seemed to ignore the bridging configuration altogether and simply bridged all three interfaces. I figured out a workaround using netgraph and the /usr/share/examples/netgraph/ether.bridge script (the only change I made was changing the interface names).

(BTW, the documentation and release notes say there were some changes to the bridging code in 4.5, but they don't say WHAT changed... very annoying.)

This worked fine for a while, but about two weeks ago ipfw seems to have mysteriously stopped filtering the bridged traffic on dc1 and dc2. It appears to still be filtering dc0 (the non-bridged, IPed interface), and the bridged traffic was still being passed, sans filtering. It had been working, because I could see in the security log that it had been, and I had been checking the "ipfw show" output periodically. To my knowledge no changes were made to the system around the time it stopped filtering; the last changes anywhere had been made over seven days before it stopped filtering.

So, my questions are:

1) Do netgraph bridging and ipfw play nicely together under 4.5?
2) Why doesn't bridging work the same via sysctl under 4.5 as it did under 4.4?
3) Any idea why it would just suddenly stop filtering the bridged interfaces?

I can provide specific configuration examples if it would be helpful, though naturally I'm a bit reluctant considering it's supposed to be our first line of defense. I'm working on a make world with CVSUPed stable source to see if rebuilding things will help. Any other suggestions would be most helpful, and TIA.
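The poster caught the failure by eyeballing "ipfw show" counters by hand. The script below, an added example that is not part of the original post or of FreeBSD, automates that check: it compares two "ipfw show" snapshots and reports rules that reference a given interface but whose packet counters have stopped moving, which is exactly the symptom described for dc1 and dc2. It assumes the 4.x "ipfw show" column layout (rule number, packet count, byte count, rule text); the interface names dc0/dc1/dc2 come from the post, and the two snapshots embedded here are constructed sample data, not counters from the poster's firewall.

```shell
#!/bin/sh
# Added example, not from the original post. Detects ipfw rules that match
# traffic on a bridged interface but whose packet counters no longer grow
# between two "ipfw show" snapshots. Assumed "ipfw show" layout (4.x):
#   <rule#> <packets> <bytes> <rule text ...>

# stale_rules BEFORE AFTER IFACE
# Prints the numbers of rules in AFTER that mention IFACE in a via/recv/xmit
# clause and whose packet count did not increase relative to BEFORE.
stale_rules() {
    before=$1; after=$2; iface=$3
    awk -v iface="$iface" '
        NR == FNR { pk[$1] = $2; next }                # first file: remember counts
        $0 ~ ("(via|recv|xmit) " iface "([^0-9]|$)") { # rule applies to IFACE
            if (($1 in pk) && $2 <= pk[$1]) print $1   # counter did not move
        }' "$before" "$after"
}

# check_bridge BEFORE AFTER IFACE...
# Returns 1 (and prints a warning) if any listed interface has stale rules.
check_bridge() {
    before=$1; after=$2; shift 2
    rc=0
    for i in "$@"; do
        stale=$(stale_rules "$before" "$after" "$i")
        if [ -n "$stale" ]; then
            echo "WARNING: rules for $i not counting: $(echo $stale)" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample snapshots (counters are made up for illustration).
# Between A and B only dc0 and the default rule advance; dc1/dc2 rules are frozen.
SNAP_A=$(mktemp); SNAP_B=$(mktemp)
trap 'rm -f "$SNAP_A" "$SNAP_B"' EXIT
cat > "$SNAP_A" <<'EOF'
00100     120    15360 allow ip from any to any via lo0
00200    4410   991200 allow tcp from any to 192.0.2.10 80 in via dc1
00300     875   102450 deny ip from 10.0.0.0/8 to any in via dc2
00400   99812 12377488 allow ip from any to any via dc0
65535     312    28080 deny ip from any to any
EOF
cat > "$SNAP_B" <<'EOF'
00100     131    16768 allow ip from any to any via lo0
00200    4410   991200 allow tcp from any to 192.0.2.10 80 in via dc1
00300     875   102450 deny ip from 10.0.0.0/8 to any in via dc2
00400  104227 12924316 allow ip from any to any via dc0
65535     340    30600 deny ip from any to any
EOF

# Run the check against the constructed snapshots (warns about dc1 and dc2).
check_bridge "$SNAP_A" "$SNAP_B" dc1 dc2 || echo "bridged interfaces appear unfiltered"
```

On a live box the two snapshots would be taken a few minutes apart ("ipfw show > /tmp/a; sleep 300; ipfw show > /tmp/b") during a period when the bridged segments are known to carry traffic; a rule whose counter is frozen while the interface is busy is the signal that packets are no longer traversing ipfw on that path, which is cheaper to notice from cron than by reading the output by hand.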