ipfw and bridging [was: pf and bridging]
Chuck Swiger
cswiger at mac.com
Sat Dec 4 06:41:21 PST 2004
Ian Smith wrote:
[ ... ]
> Read those ones for interest, but it leaves me wondering: can you use
> stateful filtering in ipfw, then? (here ipfw1 on a 4.8-RELEASE box with
> BRIDGE in kernel so far, but I imagine this would apply also to ipfw2?)

Yes, you ought to be able to perform stateful packet filtering with either
ipfw1 or 2.

> I'm aware that one can only filter incoming packets, so I've always
> wondered whether stateful rules made any sense in a bridge context?

A firewall filters packets which pass through it (i.e., either via routing,
bridging, or whatever the topology is). Yes, you can do stateful filtering on
a bridge but you need to pay attention to the fact that you have both layer-2
and layer-3 traffic involved. You also need to enable a sysctl to have IPFW
apply its rules to bridged traffic.

--
-Chuck