Date: Thu, 8 Jan 2004 14:38:12 GMT
From: msch@snafu.de
To: freebsd-ipfw@freebsd.org
Subject: ipfw on a bridge
Message-ID: <E1AebIa-0004or-00@smart.eusc.inter.net>
Hi,

I'm working on a filtering bridge with ipfw2 on FreeBSD 5.1-RELEASE-p11. I made a test setup consisting of the bridge itself and a test client behind that bridge. 'fxp0' is the outer I/F, 'fxp1' the inner. Neither 'fxp0' nor 'fxp1' has an IP address. 'bge0' is the on-board I/F of the bridge host *with* an IP address.

My first test ruleset for ipfw on the bridge is:

root@fw1.xxx.yyy.zzz - ~ 515 # ipfw list
00100 check-state
00200 skipto 3000 ip from any to any layer2
00300 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state
00400 allow ip from me to any xmit bge0 keep-state
03000 allow ip from any to any layer2 not mac-type 0x0800
03100 allow tcp from any to any in recv fxp1 setup keep-state
03200 allow udp from any to any in recv fxp1 keep-state
03300 allow ip from any to any in recv fxp1
03400 deny log ip from any to any
65535 deny ip from any to any

Rule 3000 should allow ARP requests, but doesn't work as expected. I have several questions on that rule:

The original syntax is from the ipfw(8) manpage and reads as follows:

"allow layer2 not mac-type ip"

where 'ip' expands to '0x0800'.

Why does "allow layer2 mac-type 0x0806" *not* work, although '0x0806' is exactly the MAC type for ARP?

Why can I ping the internal client from outside if "allow layer2 not mac-type ip" is active, although the ICMP ping request comes to the bridge "in recv fxp0"? If I look at the counters, the 'ping' uses rule #3000, although ICMP *is* mac-type 'ip'.

Can someone explain that behaviour? I read ipfw(8) several times as well as the article on 'filtering bridges' on freebsd.org. "TCP/IP Illustrated" by W.R. Stevens is my best friend :-) but I remain irritated.

Thanks a lot

- Matthias
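Added example (not part of the original post or of ipfw): the question turns on what the EtherType field of a bridged frame actually contains, which is the only thing an ipfw `mac-type` test looks at. The script below builds two constructed frames, an ARP request and an ICMP echo request carried in IPv4, decodes their Ethernet headers, and runs a hypothetical helper `mac_type_test` that models the intended meaning of `mac-type 0x0800` / `not mac-type 0x0800` as a pure EtherType comparison. The MAC and IP addresses are made up; the helper is an assumption about the rule's semantics, not a reproduction of how the 5.1 bridge code applies it.

```python
import ipaddress
import struct

ETHERTYPE_IP = 0x0800    # what 'mac-type ip' expands to in ipfw(8)
ETHERTYPE_ARP = 0x0806   # EtherType for ARP, as quoted in the post
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_arp_request(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """Constructed broadcast ARP 'who-has target_ip' frame (EtherType 0x0806)."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, src_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IP, 6, 4, 1,
                      src_mac, ipaddress.IPv4Address(src_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def build_icmp_echo(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Constructed ICMP echo request inside IPv4 inside Ethernet (EtherType 0x0800)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IP)
    return eth + ip + icmp


def classify(frame: bytes) -> dict:
    """Decode the Ethernet header and enough of an ARP/IPv4 payload to name the packet."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    result = {"dst": dst.hex(":"), "src": src.hex(":"),
              "ethertype": ethertype, "kind": "other"}
    payload = frame[14:]
    if ethertype == ETHERTYPE_ARP and len(payload) >= 28:
        op = struct.unpack("!H", payload[6:8])[0]
        result["kind"] = {1: "arp-request", 2: "arp-reply"}.get(op, "arp")
    elif ethertype == ETHERTYPE_IP and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        if inet_checksum(payload[:ihl]) != 0:
            raise ValueError("bad IPv4 header checksum")
        proto = payload[9]
        result["kind"], result["proto"] = "ip", proto
        if proto == IPPROTO_ICMP and len(payload) >= ihl + 8:
            is_echo = payload[ihl] == ICMP_ECHO_REQUEST
            result["kind"] = "icmp-echo-request" if is_echo else "icmp"
    return result


def mac_type_test(frame: bytes, ethertype: int, negate: bool = False) -> bool:
    """Hypothetical model of an ipfw 'mac-type X' (negate=False) or
    'not mac-type X' (negate=True) test: a comparison on the EtherType field only."""
    hit = classify(frame)["ethertype"] == ethertype
    return (not hit) if negate else hit


if __name__ == "__main__":
    client_mac = bytes.fromhex("001122334455")   # constructed address
    gateway_mac = bytes.fromhex("00aabbccddee")  # constructed address
    arp = build_arp_request(client_mac, "192.0.2.10", "192.0.2.1")
    ping = build_icmp_echo(client_mac, gateway_mac, "192.0.2.10", "192.0.2.1")
    for name, frame in (("arp", arp), ("ping", ping)):
        info = classify(frame)
        print(f"{name}: ethertype=0x{info['ethertype']:04x} kind={info['kind']} "
              f"'not mac-type 0x0800' matches={mac_type_test(frame, ETHERTYPE_IP, True)}")
```

Running it shows the ARP frame carrying 0x0806 and the echo request carrying 0x0800, so under a plain EtherType comparison the ARP frame satisfies `not mac-type 0x0800` and the ping does not. That is the expectation the post describes; it does not by itself account for the counters the poster saw, which is exactly the question left open above.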