Date:      Mon, 6 Dec 2004 00:49:55 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw and bridging [was: pf and bridging]
Message-ID:  <Pine.BSF.3.96.1041206004306.13909C-100000@gaia.nimnet.asn.au>
In-Reply-To: <41B1CC8A.6090509@mac.com>

On Sat, 4 Dec 2004, Chuck Swiger wrote:

 > Ian Smith wrote:
 > [ ... ]
 > > Read those ones for interest, but it leaves me wondering: can you use
 > > stateful filtering in ipfw, then?  (here ipfw1 on a 4.8-RELEASE box with
 > > BRIDGE in kernel so far, but I imagine this would apply also to ipfw2?) 
 > 
 > Yes, you ought to be able to perform stateful packet filtering with either 
 > ipfw1 or 2.

Thanks for that, Chuck.  It did seem to be working, so I'd assumed that
ipfw stateful inspection must only be on inbound packets, for bridged
packets at least. 

 > > I'm aware that one can only filter incoming packets, so I've always
 > > wondered whether stateful rules made any sense in a bridge context?
 > 
 > A firewall filters packets which pass through it (i.e., either via routing,
 > bridging, or whatever the topology is).  Yes, you can do stateful filtering on 
 > a bridge but you need to pay attention to the fact that you have both layer-2 
 > and layer-3 traffic involved.  You also need to enable a sysctl to have IPFW 
 > apply its rules to bridged traffic.

Indeed.  Now I'm curious; must find some time to look at the code a bit. 

Cheers, Ian


