From: Andriy Gapon <agapon@excite.com>
To: freebsd-ipfw@freebsd.org
Date: Sun, 13 Oct 2002 20:17:11 -0400 (EDT)
Subject: ip broadcast bridging
Message-id: <20021013194727.Q12422-100000@edge.foundation.invalid>

It looks like broadcast packets are not always bridged correctly.

I have a host that used to be a gateway between 3 LANs. Then I changed it to do bridging between two of them (one interface kept its IP address, the other got none) and to be a gateway to the third one, and until recently I hadn't bothered to change the firewall rules on that bridge/gateway. I got a bit puzzled when I noticed that the firewall has matches for rules applicable only to the bridged interface without an IP address.

Of course I wouldn't be surprised if I didn't have net.link.ether.bridge_ipfw: 0. My understanding is that in this situation bridging should happen before the ipfw check and thus ipfw should not see any IP packets on the interface without an IP address.

After enabling logging for the rules in question, it looks like only broadcast packets of the bridged subnet originating from the LAN connected to the IP-address-less interface get matched. Using tcpdump I see that there is nothing wrong with the packets, i.e. they have correct IP and Ethernet source addresses and the correct destination: the broadcast IP address of the subnet and the ff:ff:ff:ff:ff:ff Ethernet address.

I have 4.7-RELEASE and ipfw2 on the bridge/gateway.

Sorry if this is not the most appropriate place to discuss this topic.

-- 
Andriy Gapon
* "I do not know myself, and God forbid that I should." Johann Wolfgang von Goethe
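The post checks, by eye, that the frames tcpdump shows on the bridged interface really are well-formed subnet broadcasts (L2 destination ff:ff:ff:ff:ff:ff, L3 destination the subnet's broadcast address). The following is an added Python example, not code from the original message or from FreeBSD, that performs that cross-check over `tcpdump -n -e` style text: it parses each Ethernet/IPv4 line and classifies it as unicast, subnet (directed) broadcast, limited broadcast, or an inconsistent L2/L3 combination. The capture lines, MAC addresses and the 192.168.1.0/24 subnet are constructed for illustration and are not from the post.

```python
"""Classify Ethernet/IPv4 frames from `tcpdump -n -e` text by L2/L3 destination.

Added example, not from the original mailing-list post.  The sample capture
below is constructed; the MACs and the 192.168.1.0/24 subnet are assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Optional

BCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BCAST = ipaddress.IPv4Address("255.255.255.255")

# Constructed sample in the format `tcpdump -n -e` prints for IPv4 frames.
# Line 1: a normal directed broadcast (the case the post describes).
# Line 2: ordinary unicast.  Line 3: a DHCP limited broadcast.
# Line 4: L2 broadcast carrying a unicast IP destination (inconsistent).
SAMPLE_CAPTURE = """\
20:16:58.100001 00:a0:c9:12:34:56 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 192.168.1.10.138 > 192.168.1.255.138: UDP, length 300
20:16:58.100002 00:a0:c9:12:34:56 > 00:50:ba:ab:cd:ef, ethertype IPv4 (0x0800), length 98: 192.168.1.10 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
20:16:58.100003 00:50:ba:ab:cd:ef > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 328: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request
20:16:58.100004 00:a0:c9:12:34:56 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 192.168.1.10.137 > 192.168.1.1.137: UDP, length 50
"""

# Matches "<ts> <srcmac> > <dstmac>, ethertype IPv4 (0x0800), length N: <src>[.port] > <dst>[.port]:"
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

CONSISTENT_KINDS = {"subnet-broadcast", "limited-broadcast", "unicast"}


def classify(line: str, subnet: ipaddress.IPv4Network) -> Optional[Dict[str, object]]:
    """Return a record describing one frame, or None if the line is not IPv4."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    dst = ipaddress.IPv4Address(m["dst"])
    l2_bcast = m["dmac"] == BCAST_MAC

    # A correct broadcast has BOTH a broadcast IP and the all-ones MAC;
    # anything mixing the two layers is flagged for a closer look.
    if dst == subnet.broadcast_address:
        kind = "subnet-broadcast" if l2_bcast else "subnet-broadcast-unicast-mac"
    elif dst == LIMITED_BCAST:
        kind = "limited-broadcast" if l2_bcast else "limited-broadcast-unicast-mac"
    elif l2_bcast:
        kind = "l2-broadcast-l3-unicast"
    else:
        kind = "unicast"

    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": str(dst),
        "dmac": m["dmac"],
        "kind": kind,
        "consistent": kind in CONSISTENT_KINDS,
    }


def summarize(capture: str, subnet_cidr: str) -> List[Dict[str, object]]:
    """Classify every IPv4 line in a tcpdump text capture against one subnet."""
    subnet = ipaddress.IPv4Network(subnet_cidr)
    rows = []
    for line in capture.splitlines():
        rec = classify(line, subnet)
        if rec is not None:
            rows.append(rec)
    return rows


if __name__ == "__main__":
    for rec in summarize(SAMPLE_CAPTURE, "192.168.1.0/24"):
        flag = "" if rec["consistent"] else "  <-- L2/L3 mismatch"
        print(f"{rec['src']:>15} -> {rec['dst']:<15} {rec['dmac']}  {rec['kind']}{flag}")
```

Run it against a real `tcpdump -n -e -i <bridged-if> ip` capture saved to a file and pass the bridged subnet; frames that the post describes (correct source, subnet broadcast IP, all-ones MAC) come out as `subnet-broadcast`, and only mismatched frames are flagged, which separates a genuinely malformed packet from the ipfw-placement question the post raises.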