Date:      Tue, 3 Jul 2007 08:52:39 -0700 (PDT)
From:      Dave McCammon <>
Subject:   if_bridge and ipfw
Message-ID:  <>

I can't seem to grasp why this is working differently.
FreeBSD 6.2 using ipfw + if_bridge

LAN -- em1 (if_bridge + ipfw) em0 -- internet

so I am at and try to ping say

in ruleset:
1100 allow icmp from any to{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
2100 allow ip from to any in via em1

gets dropped by following rule as shown in logs:

4700 deny log ip from any to any

Log entry: ipfw: 4700 Deny ICMP:8.0 out via em0

If I add this rule all works great:

2101 allow icmp from to any icmptypes 8

My confusion is: shouldn't the ICMP be allowed by rule 2100? Or is it that with if_bridge I have to make a rule for both interfaces?

The rule "2100 allow ip from to any in via em1" allowed the ICMP to pass out of em0 through the bridge in 6.2 using bridge(4).

This entire ruleset is the same with if_bridge as the one that has been working with bridge(4).
I just moved to if_bridge since the bridge(4) is obsolete.

Thanks for your help.


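As an added illustration (not code from the original message, nor from FreeBSD's ipfw), the following Python model reproduces ipfw's first-match evaluation and runs the message's ruleset over the two checks a bridged packet goes through: once inbound on the member interface it arrives on, once outbound on the member interface it leaves by. It assumes a constructed LAN host 192.168.1.10 on 192.168.1.0/24 pinging 198.51.100.1 (the addresses in the original are not shown), writes rule 1100's destination as a plain CIDR instead of ipfw's address-set syntax, and assumes the kernel's final rule 65535 denies. The point it shows is the one in the log: "in via em1" on rule 2100 cannot match the outbound check on em0, so the echo request falls through to 4700, while rule 2101, which carries no direction or interface restriction, matches either pass.

```python
"""Model of ipfw first-match evaluation for a packet crossing an if_bridge.

Added example, not from the original message or FreeBSD. Supports only the
syntax the message uses: action, optional 'log', protocol, 'from SRC to DST',
optional 'icmptypes', optional 'in'/'out', optional 'via IFACE'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DEFAULT_RULE = 65535  # kernel's final rule; assumed to be 'deny' here


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    icmptype: Optional[int] = None


@dataclass
class Rule:
    num: int
    action: str
    proto: str
    src: str
    dst: str
    icmptypes: Optional[Set[int]] = None
    direction: Optional[str] = None  # 'in', 'out' or None (either direction)
    iface: Optional[str] = None      # 'via X' matches X in either direction
    log: bool = False


def parse_rule(text: str) -> Rule:
    toks = text.split()
    num, action, i = int(toks[0]), toks[1], 2
    log = False
    if toks[i] == "log":
        log, i = True, i + 1
    proto = toks[i]
    if toks[i + 1] != "from" or toks[i + 3] != "to":
        raise ValueError("expected 'from SRC to DST': %s" % text)
    rule = Rule(num, action, proto, toks[i + 2], toks[i + 4], log=log)
    i += 5
    while i < len(toks):
        t = toks[i]
        if t == "icmptypes":
            rule.icmptypes, i = {int(x) for x in toks[i + 1].split(",")}, i + 2
        elif t in ("in", "out"):
            rule.direction, i = t, i + 1
        elif t == "via":
            rule.iface, i = toks[i + 1], i + 2
        else:
            raise ValueError("unsupported token %r in rule %d" % (t, num))
    return rule


def addr_match(spec: str, addr: str) -> bool:
    """'any', a single host, or a CIDR prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet, direction: str, iface: str) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)):
        return False
    if rule.icmptypes is not None and pkt.icmptype not in rule.icmptypes:
        return False
    if rule.direction is not None and rule.direction != direction:
        return False
    if rule.iface is not None and rule.iface != iface:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, direction: str, iface: str) -> Tuple[int, str]:
    """First matching rule wins, as in ipfw; fall through to the default rule."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule_matches(rule, pkt, direction, iface):
            return rule.num, rule.action
    return DEFAULT_RULE, "deny"


def bridge_passes(rules, pkt, in_iface, out_iface):
    """Check the packet inbound on in_iface, then (if allowed) outbound on
    out_iface. Returns one (direction, iface, rule, action) per pass done."""
    verdicts = [("in", in_iface) + evaluate(rules, pkt, "in", in_iface)]
    if verdicts[0][3] == "allow":
        verdicts.append(("out", out_iface) + evaluate(rules, pkt, "out", out_iface))
    return verdicts


# Constructed addresses (not in the original message): LAN host 192.168.1.10
# on 192.168.1.0/24 pinging 198.51.100.1. Rule 1100 uses a CIDR where the
# original used ipfw's address-set syntax.
ORIGINAL_RULESET = [parse_rule(r) for r in (
    "1100 allow icmp from any to 192.168.1.0/24 icmptypes 0,3,11,12,13,14",
    "2100 allow ip from 192.168.1.10 to any in via em1",
    "4700 deny log ip from any to any",
)]
FIXED_RULESET = ORIGINAL_RULESET + [
    parse_rule("2101 allow icmp from 192.168.1.10 to any icmptypes 8")]

ECHO_REQUEST = Packet("icmp", "192.168.1.10", "198.51.100.1", icmptype=8)
ECHO_REPLY = Packet("icmp", "198.51.100.1", "192.168.1.10", icmptype=0)

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL_RULESET), ("fixed", FIXED_RULESET)):
        print(name, "request:", bridge_passes(rs, ECHO_REQUEST, "em1", "em0"))
        print(name, "reply:  ", bridge_passes(rs, ECHO_REPLY, "em0", "em1"))
```

Running it shows the original ruleset allowing the echo request at 2100 on the em1 inbound pass and then denying it at 4700 on the em0 outbound pass, matching the "4700 Deny ICMP:8.0 out via em0" log line; with 2101 present the outbound pass is allowed. The echo reply is allowed by 1100 on both passes in either ruleset, since that rule names neither a direction nor an interface.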