ipfw on a bridge

Ganbold ganbold at micom.mng.net
Thu Jan 8 17:23:54 PST 2004


Hi,

I also have an ipfw2 bridge on FreeBSD 5.2-current,
and the following rule passes ARP requests.

# pass ARP
${fwcmd} add 3000 allow layer2 mac-type arp

Ganbold


At 10:38 PM 08.01.2004, you wrote:
>Hi,
>
>I'm working on a filtering bridge with ipfw2 on FreeBSD 5.1-RELEASE-p11.
>I made a test-setup consisting of the bridge itself and a test-client
>behind that bridge. 'fxp0' is the outer I/F, 'fxp1' the inner.
>Neither 'fxp0' nor 'fxp1' has an IP-address. 'bge0' is the on-board I/F of
>the bridge-host *with* an IP-address.
>
>My first test-ruleset for ipfw on the bridge is:
>
>root at fw1.xxx.yyy.zzz - ~
>515 # ipfw list
>00100 check-state
>00200 skipto 3000 ip from any to any layer2
>00300 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state
>00400 allow ip from me to any xmit bge0 keep-state
>03000 allow ip from any to any layer2 not mac-type 0x0800
>03100 allow tcp from any to any in recv fxp1 setup keep-state
>03200 allow udp from any to any in recv fxp1 keep-state
>03300 allow ip from any to any in recv fxp1
>03400 deny log ip from any to any
>65535 deny ip from any to any
>
>Rule 3000 should allow for ARP-requests, but doesn't work as expected.
>I have several questions on that rule:
>
>The original syntax is from the ipfw(8)-manpage and reads as follows:
>
>"allow layer2 not mac-type ip" where 'ip' expands to '0x0800'
>
>Why does "allow layer2 mac-type 0x0806" *not* work, although '0x0806'
>is exactly the MAC-Type for ARP?
>
>Why can I ping the internal client from outside if
>"allow layer2 not mac-type ip" is active, although the ICMP ping-request
>comes to the bridge "in recv fxp0"? If I look at the counters, the 'ping'
>uses rule #3000, although ICMP *is* mac-type 'ip'.
>
>Can someone explain that behaviour? I read 'ipfw(8)' several times as well
>as the article on 'filtering bridges' on freebsd.org. "TCP/IP Illustrated"
>from W.R.Stevens is my best friend :-) but I remain irritated.
>
>Thanks a lot - Matthias
>
>
>_______________________________________________
>freebsd-ipfw at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
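
The two candidate ARP rules in this thread, "allow layer2 not mac-type ip" and
"allow layer2 mac-type arp", differ only in which ethertypes they match. The
following is an added example (not code from this thread, not from ipfw): it
builds a few Ethernet frames inline with constructed MAC and IP addresses and
simplified headers, and evaluates both rules against them the way a layer2
mac-type match sees the frame, on the outer ethertype field. Both pass the ARP
request; the "not mac-type ip" form also passes every other non-IPv4
ethertype (IPv6, 802.1Q tagged frames, ...), which is the difference a
filtering-bridge ruleset should be aware of.

```python
"""Ethertype ("mac-type") classification of Ethernet frames, as an ipfw
layer2 rule sees them on a filtering bridge.

Added example, not code from the mailing-list thread or from ipfw. All
addresses and frame contents below are constructed for illustration.
"""
import struct

ETHERTYPE_IP = 0x0800    # ipfw keyword 'ip'
ETHERTYPE_ARP = 0x0806   # ipfw keyword 'arp'
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag
ETHERTYPE_IPV6 = 0x86DD

BROADCAST = b"\xff" * 6
CLIENT_MAC = bytes.fromhex("00112233aabb")   # constructed addresses
OUTSIDE_MAC = bytes.fromhex("00aabbccdd01")


def ethertype(frame: bytes) -> int:
    """Ethertype of an Ethernet II frame: bytes 12-13, big-endian.
    A VLAN-tagged frame reports 0x8100, which is what a match on the
    outer header sees, not the encapsulated IPv4."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", etype) + payload


def arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Minimal ARP who-has request (RFC 826) for Ethernet/IPv4."""
    def ip(s):
        return bytes(int(o) for o in s.split("."))
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=request
    body = struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, 1)
    body += sender_mac + ip(sender_ip) + b"\x00" * 6 + ip(target_ip)
    return build_frame(BROADCAST, sender_mac, ETHERTYPE_ARP, body)


def icmp_echo(src_mac: bytes, dst_mac: bytes) -> bytes:
    """IPv4 frame carrying an ICMP echo request. Checksums are left at
    zero; the headers are only detailed enough to be recognisable."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8 = echo request
    return build_frame(dst_mac, src_mac, ETHERTYPE_IP, ip_hdr + icmp)


def rule_not_mac_type_ip(frame: bytes) -> bool:
    """'allow layer2 not mac-type ip': passes anything that is not IPv4."""
    return ethertype(frame) != ETHERTYPE_IP


def rule_mac_type_arp(frame: bytes) -> bool:
    """'allow layer2 mac-type arp': passes only ethertype 0x0806."""
    return ethertype(frame) == ETHERTYPE_ARP


# Constructed sample traffic as it would arrive on the outer bridge port.
SAMPLE_FRAMES = {
    "arp-request": arp_request(OUTSIDE_MAC, "192.168.1.1", "192.168.1.10"),
    "icmp-echo": icmp_echo(OUTSIDE_MAC, CLIENT_MAC),
    "ipv6": build_frame(CLIENT_MAC, OUTSIDE_MAC, ETHERTYPE_IPV6,
                        b"\x60" + b"\x00" * 39),
    "vlan-tagged-ipv4": build_frame(
        CLIENT_MAC, OUTSIDE_MAC, ETHERTYPE_VLAN,
        struct.pack("!HH", 0x0010, ETHERTYPE_IP) + b"\x45" + b"\x00" * 19),
}


def evaluate(rule, frames=SAMPLE_FRAMES) -> dict:
    """Map each sample frame name to whether the given rule would pass it."""
    return {name: rule(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, rule in (("not mac-type ip", rule_not_mac_type_ip),
                       ("mac-type arp", rule_mac_type_arp)):
        print(name)
        for frame_name, passed in evaluate(rule).items():
            print(f"  {frame_name:18} {'pass' if passed else 'no match'}")
```

Neither rule passes the ICMP echo on the ethertype alone; the IPv4 frame
then falls through to the layer3 rules (3100-3400 in the ruleset above),
which is where a bridged ping is meant to be decided.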
