From: Ian Smith
To: Jack Barber
Cc: freebsd-ipfw@freebsd.org
Subject: Re: trouble with ipfw on FreeBSD 10
Date: Tue, 30 Sep 2014 15:29:11 +1000 (EST)
Message-ID: <20140930150819.Y48482@sola.nimnet.asn.au>
In-Reply-To: <5429F7A6.3060701@nyi.net>

On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote:

> We are having trouble getting ipfw to work over a bridged interface.
>
> for example:
>
> machine 1 -> Bridged interface FreeBSD 10 -> machine 2.
>
> machine 1 - 192.168.20.20
> machine 2 - 192.168.20.25
>
> now I set something like this in /etc/ipfw.rules:
>
> $IPFWcmd add deny all from 192.168.20.20/24 to any
> $IPFWcmd add deny all from any to 192.168.20.20/24
>
> where both machine 1 and machine 2 are on said subnet and already work.
Please confirm that these two are only connected via two interfaces on
the bridge/ipfw box, with no switch involved?  And that these rules, once
working, should deny traffic between ANY hosts in this /24 subnet?

> when I reload the rules, I am unable to stop a connection between
> machine 1 and machine 2.
>
> I've already made sure that ipfw is running (loaded), and the rules
> appear to take, and even show up with "ipfw show".
>
> # ipfw show
> ...
> 01700 0 0 deny ip from 192.168.20.0/24 to any
> 01800 0 0 deny ip from any to 192.168.20.0/24
> 65535 9227 11389032 allow ip from any to any
>
> However, there is no effect on data travelling over the pipe at all.
>
> This setup was confirmed many times to work with FreeBSD 9.2, but it
> does not work on 10. Any help is appreciated.

What values are set for these sysctls?

net.link.ether.ipfw: 0
    Controls whether layer-2 packets are passed to ipfw. Default is no.

net.link.bridge.ipfw: 0
    Controls whether bridged packets are passed to ipfw. Default is no.

cheers, Ian
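An added diagnostic, not part of the thread and not anything Ian or Jack posted: a POSIX sh script that checks the two sysctls Ian asks about and flags the symptom visible in the quoted "ipfw show" output (deny rules with zero packet counts while the default rule 65535 carries all the traffic, which means packets are bypassing the ruleset rather than being matched by it). The sysctl and ipfw output it parses are constructed samples reproducing the values quoted above, not output captured from a host, and the function names are mine; on a live box you would pipe in `sysctl net.link.ether.ipfw net.link.bridge.ipfw` and `ipfw show` instead.

```shell
#!/bin/sh
# Added example (not from the original thread). Works on constructed
# sample output so it runs offline; replace the two SAMPLE_* strings with
# real 'sysctl' and 'ipfw show' output on a FreeBSD bridge host.

# Constructed sysctl output matching the defaults Ian quotes (both 0).
SAMPLE_SYSCTL='net.link.ether.ipfw: 0
net.link.bridge.ipfw: 0'

# Constructed 'ipfw show' excerpt matching the thread: deny rules never
# hit, default rule 65535 carrying all the traffic.
SAMPLE_IPFW_SHOW='01700 0 0 deny ip from 192.168.20.0/24 to any
01800 0 0 deny ip from any to 192.168.20.0/24
65535 9227 11389032 allow ip from any to any'

# Print the names of the layer-2 / bridge ipfw sysctls that are still 0.
# Usage: printf '%s\n' "$sysctl_output" | l2_sysctls_off
l2_sysctls_off() {
    awk -F': *' '
        $1 == "net.link.ether.ipfw" || $1 == "net.link.bridge.ipfw" {
            if ($2 == 0) print $1
        }'
}

# Exit 0 when no deny rule has matched a single packet while the default
# rule (65535) has a non-zero count; exit 1 otherwise.
# Fields of 'ipfw show': number, packets, bytes, action, ...
# Usage: printf '%s\n' "$ipfw_show_output" | deny_rules_never_hit
deny_rules_never_hit() {
    awk '
        $4 == "deny"  && $2 > 0 { hit = 1 }
        $1 == "65535" && $2 > 0 { dflt = 1 }
        END { exit !(dflt && !hit) }'
}

# Emit the /etc/sysctl.conf lines that turn on ipfw for bridged and
# layer-2 traffic, one per sysctl still at 0.
# Usage: printf '%s\n' "$sysctl_output" | sysctl_conf_fix
sysctl_conf_fix() {
    l2_sysctls_off | sed 's/$/=1/'
}

# Run both checks over the constructed samples and report.
main() {
    off=$(printf '%s\n' "$SAMPLE_SYSCTL" | l2_sysctls_off)
    if [ -n "$off" ]; then
        echo "ipfw is not seeing bridged/L2 packets; sysctls still 0:"
        echo "$off" | sed 's/^/  /'
        echo "add to /etc/sysctl.conf (or set with sysctl(8) now):"
        printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_conf_fix | sed 's/^/  /'
    else
        echo "both bridge/L2 ipfw sysctls are enabled"
    fi
    if printf '%s\n' "$SAMPLE_IPFW_SHOW" | deny_rules_never_hit; then
        echo "deny rules have 0 hits while rule 65535 carries traffic:"
        echo "  packets are bypassing the ruleset, not being allowed by it"
    fi
}

main
```

The zero-hit check is the useful half on a live system: a deny rule that shows traffic counters but still "does not work" is a rule-ordering or address problem, while a deny rule that never increments at all points at the packets never reaching ipfw, which is exactly what the two sysctls control for bridged traffic.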