From owner-freebsd-ipfw@FreeBSD.ORG  Thu Sep  4 11:47:53 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EC20416A4BF
	for <freebsd-ipfw@freebsd.org>; Thu,  4 Sep 2003 11:47:53 -0700 (PDT)
Received: from elvis.mu.org (elvis.mu.org [192.203.228.196])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7168043F85
	for <freebsd-ipfw@freebsd.org>; Thu,  4 Sep 2003 11:47:53 -0700 (PDT)
	(envelope-from billf@elvis.mu.org)
Received: by elvis.mu.org (Postfix, from userid 1098)
	id 6827F2ED43F; Thu,  4 Sep 2003 11:47:53 -0700 (PDT)
Date: Thu, 4 Sep 2003 11:47:53 -0700
From: Bill Fumerola <billf@FreeBSD.org>
To: Sten Daniel S?rsdal <sten.daniel.sorsdal@wan.no>
Message-ID: <20030904184753.GB57940@elvis.mu.org>
References: <0AF1BBDF1218F14E9B4CCE414744E70F07DF28@exchange.wanglobal.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DF28@exchange.wanglobal.net>
User-Agent: Mutt/1.4.1i
X-Operating-System: FreeBSD 4.8-MUORG-20030805 i386
cc: freebsd-ipfw@freebsd.org
Subject: Re: verrevpath - denies local multicast. Is this intended?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Sep 2003 18:47:54 -0000

On Fri, Aug 29, 2003 at 02:45:55PM +0200, Sten Daniel S?rsdal wrote:
> 
> when using verrevpath it seems to drop local multicast packets suck as RIP2.
> i use it as suggested; deny log ip from any to any not verrevpath
> 
> logentry:
> Aug 29 14:32:08 <security.info> fictious /kernel: ipfw: 1011 Deny UDP 80.86.140.54:520 224.0.0.9:520 in via fxp1
> 
>  does this mean it should deny multicast and broadcasts or that it really should 
>  verify that the multicast path is correct? 

i won't speak to what it should do, but...

just add a specific rule before '1011' that allows rip2 traffic to that
multicast addr. use 224.0.0.0/4 if you don't want to deal with it again.


-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org