Date:      Sat, 22 Sep 2001 09:15:54 -0500 (EST)
From:      Chris Hardie <chris@summersault.com>
To:        freebsd-hackers@freebsd.org, <freebsd-ipfw@freebsd.org>
Subject:   net.inet.ip.fw.one_pass=0 not effective in filtering bridge?
Message-ID:  <Pine.BSF.4.40.0109220914270.79903-100000@nollie.summersault.com>


Hi.  I've got a filtering bridge running on FreeBSD 4.3 with ipfw and
a customized rc.firewall config.  The setup has been working well for
a while now.  I was unfortunately alerted to a hole after a box behind
the firewall was cracked because ports that I thought were
protected...weren't.

It turns out that traffic to/from the machine in question was being
passed through a pipe early in the rc.firewall config, and that the
ipfw processing terminated when the packets came out of the pipe, so
they never saw the rules farther down that would have dropped those
packets headed for bad places.

A-ha!  "Easy" you say - just do
   sysctl -w net.inet.ip.fw.one_pass=0
and according to the ipfw man page, that will cause the packets to be
re-injected into the firewall when they come out of the pipe, starting
where they left off.  Well, this just doesn't seem to be taking
effect!

I've crawled through docs and mailing lists.  Setting
net.inet.ip.fw.one_pass seems to be the common solution, but a few
other people have mentioned the same ineffectiveness of that, and then
those threads just drop off.  So I'm wondering if it's possible that,
because the kernel is compiled with "options BRIDGE", that packets are
strictly only going through the firewall rules once, and that
net.inet.ip.fw.one_pass=0 isn't having an effect in this case?

If my wondering is in error, I'm looking for suggestions about how to
verify the behavior I'm seeing and how to achieve the desired result: to
use pipes AND deny rules that come after.  I'm happy to send along the
particular rules, but wanted to see if the question could be answered
using theory first.

(This message addresses an issue similar to but separate from the "ipfw"
thread on freebsd-questions started by Rick Norman on Sep 18. I also
posted this message there.)

Any help is much appreciated.

Thanks,
Chris

-- Chris Hardie -----------------------------
----- mailto:chris@summersault.com ----------
-------- http://www.summersault.com/chris/ --
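The rule-ordering problem described in the message, as an added example that is not part of the original post or of ipfw itself: a small Python model of ipfw rule traversal under both one_pass settings, plus a check that flags deny rules an earlier pipe rule would shadow. The rule numbers, addresses, and the default-deny last rule are constructed assumptions.

```python
# Toy model of ipfw(8) rule traversal (FreeBSD 4.x); constructed example, not ipfw
# source. Rule = (number, action, proto, dst, dport); "ip"/"any"/None match all.
def matches(rule, pkt):
    _, _, proto, dst, dport = rule
    return ((proto == "ip" or proto == pkt["proto"])
            and (dst == "any" or dst == pkt["dst"])
            and (dport is None or dport == pkt["dport"]))

def evaluate(rules, pkt, one_pass=True):
    """Return (verdict, numbers of the rules that matched).
    one_pass=True models net.inet.ip.fw.one_pass=1: a packet matched by a pipe
    rule is accepted when it leaves the pipe and never sees later rules.
    one_pass=False models one_pass=0: it re-enters at the following rule.
    The implicit last rule 65535 is assumed to be deny."""
    hits = []
    for rule in sorted(rules):
        if not matches(rule, pkt):
            continue
        number, action = rule[0], rule[1]
        hits.append(number)
        if action in ("allow", "deny"):
            return action, hits
        if one_pass:  # action == "pipe": leaves the rule set here
            return "allow", hits
    return "deny", hits

def shadowed_denies(rules):
    """Numbers of deny rules hidden by an earlier pipe rule under one_pass=1.
    Approximation: probe with the most specific packet the deny describes."""
    ordered = sorted(rules)
    found = []
    for i, rule in enumerate(ordered):
        if rule[1] != "deny":
            continue
        probe = {"proto": rule[2], "dst": rule[3], "dport": rule[4]}
        if any(r[1] == "pipe" and matches(r, probe) for r in ordered[:i]):
            found.append(rule[0])
    return found

# Constructed ruleset reproducing the hole: the pipe rule precedes the deny.
LEAKY = [(100, "pipe", "ip", "10.0.0.5", None),
         (200, "deny", "tcp", "10.0.0.5", 23),
         (65000, "allow", "ip", "any", None)]
# Same policy with the deny placed first, so the verdict no longer depends
# on the sysctl (or on whether the bridge path honours it).
HARDENED = [(100, "deny", "tcp", "10.0.0.5", 23),
            (200, "pipe", "ip", "10.0.0.5", None),
            (65000, "allow", "ip", "any", None)]
TELNET = {"proto": "tcp", "dst": "10.0.0.5", "dport": 23}
```

Running `shadowed_denies` over a ruleset is the quickest way to see which deny rules only take effect when one_pass=0 is actually honoured; moving those above the pipe rules removes the dependency entirely.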


