Date: Sun, 25 Nov 2001 09:23:17 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Joost Bekkers" <joost@bps.jodocus.org>, "Chuck Root" <puga@mauibuilt.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: RE: IPFW/VLAN
Message-ID: <002001c175d5$df44dac0$1401a8c0@tedm.placo.com>
In-Reply-To: <20011125102114.A2493@bps.jodocus.org>
>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Joost Bekkers
>Sent: Sunday, November 25, 2001 1:21 AM
>To: Chuck Root
>Cc: freebsd-questions@FreeBSD.ORG
>Subject: Re: IPFW/VLAN
>
>
>On Fri, Nov 23, 2001 at 10:38:36PM -1000, Chuck Root wrote:
>> I am trying to use a FreeBSD box with 2 fxp NICs in it as a firewall
>> between 2 points on an 802.1q tagged VLAN trunk.
>>
>> I am bridging the interfaces using the BRIDGING option in the kernel and
>> I am using ipfw to filter packets.
>>
>> The bridge and ipfw work fine with normal packets but the ones with
>> 802.1q tags slip right on by.
>>
>> Is there any way to do this?
>>
>> I have tried bridging the vlans themselves with no luck.
>>
>
>The reason why 802.1q packets don't get filtered is this:
>The bridge code only sends IP packets through the firewall; all
>others (802.1q, IPX, ARP, IPv6, ...) will be passed no matter what.
>

Ahem - ARP is an IP protocol...

>The reason why you can't bridge the vlan interfaces is because
>bridging only works on ethernet interfaces.
>
>At this point there is nothing you can do about it. (aside from
>changing the kernel code)
>

See
http://www.freebsd.org/cgi/getmsg.cgi?fetch=45862+48717+/usr/local/www/db/text/2001/freebsd-stable/20010211.freebsd-stable
for a message from one of the kernel developers as to why ipfw cannot filter
bridged packets.

Consider that ipfw gets its name from IP = Internet Protocol + FW = Firewall.
As others have pointed out, a program intended for filtering IP packets is not
the correct vehicle for filtering bridged packets. There's been periodic
interest in writing a bridge filter; however, nobody has stepped forward to do
the work.

I'll point out, though, that hubs that have management and filtering
capability built into them are not that expensive.
Ted Mittelstaedt                      tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

>--
>greetz Joost
>joost@jodocus.org
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002001c175d5$df44dac0$1401a8c0>
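The filtering gap Joost and Ted describe above, as an added illustration that is not part of this thread and not FreeBSD's bridge or ipfw code: a small Python parser that peels 802.1Q tags off a constructed Ethernet frame and contrasts a check on the outer ethertype (the behaviour the thread attributes to the bridge-to-ipfw hand-off, where only IP is passed to the firewall) with a tag-aware check that looks at the ethertype carried inside the tag. Every frame here is constructed sample data, and the names parse_ethernet, reaches_ipfw_via_bridge, reaches_tag_aware_filter and build_frame are my own. It goes slightly beyond the thread by also handling stacked (Q-in-Q) tags.

```python
import struct

# Ethertype values as they appear on the wire (IEEE registered, not constructed).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV6 = 0x86DD


def parse_ethernet(frame: bytes) -> dict:
    """Parse an Ethernet II header and peel any 802.1Q tags.

    Returns the outer ethertype (what a filter that only looks at offset 12
    sees), the VLAN IDs encountered in order, the inner ethertype (the type
    of the real payload) and the payload bytes.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    outer_etype = etype
    vlans = []
    offset = 14
    # Each 802.1Q tag is 4 bytes: a 2-byte TPID (0x8100), which we have just
    # read as the ethertype field, then 2 bytes of TCI (PCP:3, DEI:1, VID:12).
    # The field after the tag is the next ethertype, which may be another tag.
    while etype == ETHERTYPE_VLAN:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)
        offset += 4
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "outer_ethertype": outer_etype,
        "vlan_ids": vlans,
        "inner_ethertype": etype,
        "payload": frame[offset:],
    }


def reaches_ipfw_via_bridge(frame: bytes) -> bool:
    """Model of the hand-off the thread describes: the bridge only passes a
    frame to the IP firewall when its outer ethertype is IPv4. Everything
    else (802.1Q-tagged traffic, ARP, IPX, IPv6, ...) is forwarded unseen."""
    return parse_ethernet(frame)["outer_ethertype"] == ETHERTYPE_IPV4


def reaches_tag_aware_filter(frame: bytes) -> bool:
    """What a tag-aware bridge filter would do instead: strip the tags first
    and decide on the inner ethertype, so tagged IPv4 is not missed."""
    return parse_ethernet(frame)["inner_ethertype"] == ETHERTYPE_IPV4


def build_frame(inner_etype: int, payload: bytes, vlan_ids=()) -> bytes:
    """Construct a sample frame (constructed data, not a capture)."""
    hdr = bytes.fromhex("00112233445566778899aabb")  # dst + src MACs, constructed
    tags = b"".join(struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF) for vid in vlan_ids)
    return hdr + tags + struct.pack("!H", inner_etype) + payload


# Constructed sample payloads: a minimal IPv4 header and a minimal ARP body.
IPV4_PAYLOAD = bytes.fromhex("4500001400010000400100000a0000010a000002")
ARP_PAYLOAD = bytes.fromhex("0001080006040001") + b"\x00" * 20

UNTAGGED_IP = build_frame(ETHERTYPE_IPV4, IPV4_PAYLOAD)
TAGGED_IP = build_frame(ETHERTYPE_IPV4, IPV4_PAYLOAD, vlan_ids=(100,))
QINQ_IP = build_frame(ETHERTYPE_IPV4, IPV4_PAYLOAD, vlan_ids=(200, 100))
UNTAGGED_ARP = build_frame(ETHERTYPE_ARP, ARP_PAYLOAD)


def audit(frames: dict) -> dict:
    """For each named frame, report (seen by ipfw via bridge, seen by tag-aware filter)."""
    return {name: (reaches_ipfw_via_bridge(f), reaches_tag_aware_filter(f))
            for name, f in frames.items()}


if __name__ == "__main__":
    samples = {"untagged IPv4": UNTAGGED_IP, "802.1Q IPv4": TAGGED_IP,
               "Q-in-Q IPv4": QINQ_IP, "untagged ARP": UNTAGGED_ARP}
    for name, (naive, aware) in audit(samples).items():
        info = parse_ethernet(samples[name])
        print(f"{name:14s} outer=0x{info['outer_ethertype']:04x} vlans={info['vlan_ids']} "
              f"ipfw-via-bridge={naive} tag-aware={aware}")
```

Running it shows the two IPv4-over-VLAN frames reported as invisible to the modelled bridge/ipfw path while the tag-aware check sees them; the ARP frame is invisible to both, which is the "all others will be passed no matter what" point in Joost's reply.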