Date:      Tue, 3 Jul 2007 08:52:39 -0700 (PDT)
From:      Dave McCammon <davemac11@yahoo.com>
To:        questions@freebsd.org
Subject:   if_bridge and ipfw
Message-ID:  <531110.80275.qm@web32803.mail.mud.yahoo.com>

I can't seem to grasp why this is working differently.
FreeBSD 6.2 using ipfw + if_bridge

LAN -- em1(if_bridge + ipfw)em0 -- internet

So I am at 10.10.16.6 and try to ping, say, www.yahoo.com.

In the ruleset:
1100 allow icmp from any to 10.10.16.0/27{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
2100 allow ip from 10.10.16.0/27 to any in via em1

It gets dropped by the following rule, as shown in the logs:

4700 deny log ip from any to any

Log entry: ipfw: 4700 Deny ICMP:8.0 10.10.16.6 69.147.114.210 out via em0

If I add this rule all works great:

2101 allow icmp from 10.10.16.6 to any icmptypes 8

My confusion is: shouldn't the ICMP be allowed by rule 2100? Or is it that with if_bridge I have to make a rule for
both interfaces?


The rule "2100 allow ip from 10.10.16.0/27 to any in via em1" allowed the ICMP to pass out of em0 through the bridge in 6.2 using bridge(4).

This entire ruleset is the same with if_bridge as the one that has been working with bridge(4).
I just moved to if_bridge since the bridge(4) is obsolete.

Thanks for your help.
dave
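The log line "Deny ICMP:8.0 10.10.16.6 69.147.114.210 out via em0" shows the same echo request being evaluated a second time, on its way out of the other member interface; rule 2100 only matches the "in via em1" pass, so the "out via em0" pass falls through to 4700. The following toy evaluator is an added illustration of that, not code from the poster or from ipfw itself. It models only the rule syntax used in the message (protocol, address and ipfw's addr/mask{list} host-set notation, in/out, via, icmptypes), assumes the bridge hands every frame to the firewall once per member interface as the log suggests, and uses the poster's own rule numbers and addresses as constructed sample input.

```python
"""Toy first-match evaluator for an ipfw ruleset on an if_bridge member pair.

Constructed for illustration; this is not ipfw. It models only the subset of
rule syntax used in the message above. The behaviour it demonstrates: a bridged
frame is filtered twice, once 'in via' the member it arrived on and once
'out via' the member it leaves through, and each pass starts again from the
top of the ruleset.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Rule:
    number: int
    action: str                        # 'allow' or 'deny'
    proto: str                         # 'ip' matches any protocol
    src: str                           # 'any', 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d/n{1-3,7}'
    dst: str
    direction: Optional[str] = None    # 'in', 'out' or None (either)
    via: Optional[str] = None          # interface name or None (any)
    icmptypes: Optional[Set[int]] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    icmptype: Optional[int] = None


def _parse_addr_set(spec):
    """Expand ipfw's 'a.b.c.d/n{list}' notation into (network, host numbers)."""
    base, _, listing = spec.partition('{')
    net = ipaddress.ip_network(base, strict=False)
    hosts = set()
    for item in listing.rstrip('}').split(','):
        lo, _, hi = item.partition('-')
        low = int(lo)
        high = int(hi) if hi else low
        hosts.update(range(low, high + 1))
    return net, hosts


def addr_matches(spec, ip):
    """True if address `ip` is covered by the rule address specification."""
    if spec == 'any':
        return True
    addr = ipaddress.ip_address(ip)
    if '{' in spec:
        net, hosts = _parse_addr_set(spec)
        # host number = offset of the address inside the block
        return addr in net and (int(addr) - int(net.network_address)) in hosts
    return addr in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt, direction, iface):
    if rule.proto != 'ip' and rule.proto != pkt.proto:
        return False
    if not addr_matches(rule.src, pkt.src) or not addr_matches(rule.dst, pkt.dst):
        return False
    if rule.direction and rule.direction != direction:
        return False
    if rule.via and rule.via != iface:
        return False
    if rule.icmptypes is not None and pkt.icmptype not in rule.icmptypes:
        return False
    return True


def first_match(rules, pkt, direction, iface):
    """ipfw semantics: rules are tried in ascending number order, first hit wins."""
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, pkt, direction, iface):
            return r
    raise RuntimeError('no matching rule (the real default rule 65535 would apply)')


def bridge_trace(rules, pkt, in_iface, out_iface):
    """Run both filter passes a bridged frame sees; stop at the first deny."""
    trace = []
    for direction, iface in (('in', in_iface), ('out', out_iface)):
        r = first_match(rules, pkt, direction, iface)
        trace.append((direction, iface, r.number, r.action))
        if r.action == 'deny':
            break
    return trace


# The poster's rules, transcribed as constructed sample input.
RULES = [
    Rule(1100, 'allow', 'icmp', 'any', '10.10.16.0/27{1-10,13,14,19,22,23}',
         icmptypes={0, 3, 11, 12, 13, 14}),
    Rule(2100, 'allow', 'ip', '10.10.16.0/27', 'any', direction='in', via='em1'),
    Rule(4700, 'deny', 'ip', 'any', 'any'),
]
# The rule the poster added to make things work.
FIX = Rule(2101, 'allow', 'icmp', '10.10.16.6', 'any', icmptypes={8})

ECHO_REQUEST = Packet('icmp', '10.10.16.6', '69.147.114.210', icmptype=8)
ECHO_REPLY = Packet('icmp', '69.147.114.210', '10.10.16.6', icmptype=0)

if __name__ == '__main__':
    print('request, original rules:', bridge_trace(RULES, ECHO_REQUEST, 'em1', 'em0'))
    print('request, with 2101:     ', bridge_trace(RULES + [FIX], ECHO_REQUEST, 'em1', 'em0'))
    print('reply, with 2101:       ', bridge_trace(RULES + [FIX], ECHO_REPLY, 'em0', 'em1'))
```

With the original three rules the echo request is allowed by 2100 on the "in via em1" pass and denied by 4700 on the "out via em0" pass, which is exactly the logged line; adding 2101 (which carries no in/out or via qualifier) gives the second pass a match. The reply is allowed on both passes by 1100 because that rule is likewise unqualified by direction or interface. A rule such as "allow ip from 10.10.16.0/27 to any out via em0" would play the same role as 2101 for all protocols rather than just ICMP echo.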