Date: Fri, 09 Jan 2004 09:27:40 +0800
From: Ganbold <ganbold@micom.mng.net>
To: msch@snafu.de
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw on a bridge
Message-ID: <6.0.1.1.2.20040109092421.02a583d8@202.179.0.80>
In-Reply-To: <E1AebIa-0004or-00@smart.eusc.inter.net>
References: <E1AebIa-0004or-00@smart.eusc.inter.net>
Hi,

I also have a bridge with ipfw2 on FreeBSD 5.2-current, and the following rule passes ARP requests:

# pass ARP
${fwcmd} add 3000 allow layer2 mac-type arp

Ganbold

At 10:38 PM 08.01.2004, you wrote:
>Hi,
>
>I'm working on a filtering bridge with ipfw2 on FreeBSD 5.1-RELEASE-p11.
>I made a test-setup consisting of the bridge itself and a test-client
>behind that bridge. 'fxp0' is the outer I/F, 'fxp1' the inner.
>Neither 'fxp0' nor 'fxp1' have an IP-address. 'bge0' is the on-board I/F of
>the bridge-host *with* an IP-address.
>
>My first test-ruleset for ipfw on the bridge is:
>
>root@fw1.xxx.yyy.zzz - ~
>515 # ipfw list
>00100 check-state
>00200 skipto 3000 ip from any to any layer2
>00300 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state
>00400 allow ip from me to any xmit bge0 keep-state
>03000 allow ip from any to any layer2 not mac-type 0x0800
>03100 allow tcp from any to any in recv fxp1 setup keep-state
>03200 allow udp from any to any in recv fxp1 keep-state
>03300 allow ip from any to any in recv fxp1
>03400 deny log ip from any to any
>65535 deny ip from any to any
>
>Rule 3000 should allow for ARP-requests, but doesn't work as expected.
>I have several questions on that rule:
>
>The original syntax is from the ipfw(8)-manpage and reads as follows:
>
>"allow layer2 not mac-type ip" where 'ip' expands to '0x0800'
>
>Why does "allow layer2 mac-type 0x0806" *not* work, although '0x0806'
>is exactly the MAC-Type for ARP?
>
>Why can I ping the internal client from outside if
>"allow layer2 not mac-type ip" is active, although the ICMP ping-request
>comes to the bridge "in recv fxp0"? If I look at the counters, the 'ping'
>uses rule #3000, although ICMP *is* mac-type 'ip'.
>
>Can someone explain that behaviour? I read 'ipfw(8)' several times as well
>as the article on 'filtering bridges' on freebsd.org. "TCP/IP Illustrated"
>from W.R.Stevens is my best friend :-) but I remain irritated.
>
>Thanks a lot - Matthias
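As an added illustration (constructed for this page; not code from the thread, nor ipfw's own implementation), the small Python model below applies the "[not] mac-type <spec>" matching semantics from ipfw(8), i.e. symbolic names, 0x-prefixed hex or decimal values, and comma-separated values or ranges, to two constructed Ethernet frames. It shows that all three spellings discussed above ("mac-type arp", "mac-type 0x0806", "not mac-type ip") match an ARP request by its Ethernet type and that none of them matches an ICMP echo; the symbolic-name table is an assumed subset.

```python
import struct

# Assumed subset of the symbolic Ethernet types ipfw resolves; "ip" expands to
# 0x0800 as noted in the thread. Constructed illustration, not ipfw's own table.
ETHERTYPES = {"ip": 0x0800, "ipv4": 0x0800, "arp": 0x0806, "vlan": 0x8100, "ipv6": 0x86DD}

def ethertype_of(frame):
    """Return the 16-bit type field of an untagged Ethernet frame (bytes 12..13)."""
    return struct.unpack("!H", frame[12:14])[0]

def parse_ethertype(tok):
    """Accept a symbolic name, a 0x-prefixed hex value or a decimal value."""
    tok = tok.strip().lower()
    if tok in ETHERTYPES:
        return ETHERTYPES[tok]
    return int(tok, 16) if tok.startswith("0x") else int(tok, 10)

def parse_mac_type(spec):
    """'arp', '0x0806', '0x0800-0x0806' or 'ip,arp' -> list of inclusive (lo, hi)
    ranges; mac-type takes comma-separated values and ranges like a port list."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        a = parse_ethertype(lo)
        ranges.append((a, parse_ethertype(hi) if hi else a))
    return ranges

def mac_type_matches(clause, frame):
    """Evaluate a '[not] mac-type <spec>' clause against a raw frame."""
    words = clause.split()
    if len(words) < 2 or words[-2] != "mac-type":
        raise ValueError("expected '[not] mac-type <spec>': %r" % clause)
    negate = words[0] == "not"
    etype = ethertype_of(frame)
    hit = any(lo <= etype <= hi for lo, hi in parse_mac_type(words[-1]))
    return hit != negate

# Constructed sample frames: 14-byte Ethernet header (dst, src, type) plus a
# minimal payload (ARP header fields / start of an IPv4 header).
BCAST, SRC = b"\xff" * 6, bytes.fromhex("00a0c9112233")
ARP_REQUEST = BCAST + SRC + b"\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01"
ICMP_ECHO = bytes.fromhex("00a0c9445566") + SRC + b"\x08\x00" + b"\x45" + b"\x00" * 27

# The three spellings of rule 3000 discussed in the thread.
CANDIDATES = ["mac-type arp", "mac-type 0x0806", "not mac-type ip"]

if __name__ == "__main__":
    for clause in CANDIDATES:
        print("%-18s ARP request: %-5s ICMP echo: %s" % (
            clause, mac_type_matches(clause, ARP_REQUEST), mac_type_matches(clause, ICMP_ECHO)))
```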