FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?

Andrew Seguin asegu at borgtech.ca
Fri Dec 17 01:48:34 PST 2004


My apologies: Sometimes I feel just so stupid... hitting reply replies to me
instead of the list. Ooops!

-----Original Message-----
From: Andrew Seguin [mailto:asegu at borgtech.ca] 
Sent: Friday, December 17, 2004 10:16 AM
To: 'Andrew Seguin'
Subject: RE: Curiosity in IPFW/Freebsd bridge. [more]

Ok, through all my bugging of you all, I just want to mention that I am
still working at my own end to figure this out.

I've used tcpdump to capture a sample of all traffic for each nic (tcpdump
-s 1500 -i fxp1 -c 1000 -w tcpdump.fxp1), which I am now looking at in
ethereal.

So my initial observation: traffic flowing through the bridge doesn't
filter, while on the console access nic, it does.

Looking through the ethereal dumps, I have spotted one difference.

Packets for the console look like this:
  Frame 1 (106 bytes on wire, 106 bytes captured)
  Ethernet II, Src: MAC1, Dst: MAC2
  Internet Protocol, Src Addr: MyPC, Dst Addr: FIREWALL
  SSH Protocol

Packets from the bridge look like this:
  Frame 1 (64 bytes on wire, 64 bytes captured)
  Ethernet II, Src: MAC1, Dst: MAC2
  802.1q Virtual LAN
  Internet Protocol, Src Addr: x, Dst Addr: y
  Transmission Control Protocol, ...


So it would seem that the part "802.1q Virtual LAN" in the protocol is
stopping IPFW from investigating the traffic? (At times like this I wish I
would have not studied computer engineering but networking for 4 years!).

Question then:
  What in IPFW is stopping it from reading into a VLAN tagged packet (if it
is such that it can be called)?

All help and pointers (especially to documentation) would be highly
appreciated!


-----Original Message-----
From: Andrew Seguin [mailto:asegu at borgtech.ca] 
Sent: Friday, December 17, 2004 8:27 AM
To: 'Andrew Seguin'
Subject: RE: Curiosity in IPFW/Freebsd bridge. [more]


I have done a bit of further research and I have to question myself what is
going on.

I set the system back up with only two nics in use, and put an IP address up
on one side only, nothing different.

Back to the three nic setup: Four rules:
1 allow ip from any to LOCALIP 22
10 allow tcp from any to any
11 allow udp from any to any
100 allow log ip from any to any

The counts climb very very slowly for rules 10/11 (maybe 100bytes/min?)
while rule 100 increases at the rate of approximately 2-3MB/min. On the
bridge, only MAC traffic is seen.

Looking at the logs (I put in a "1000 allow log ip from any to any"), I saw
"Accept MAC in via fxp1", "Accept MAC in via fxp0", repeated many times
over.

Googling, I've found this unanswered post which seems to be the exact same
problem as mine:
http://lists.freebsd.org/pipermail/freebsd-questions/2004-August/056397.html

This question is only so-so related (the person doesn't complain about it
being a problem, only wants to log):
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2004-04/1680.html

So I am wondering what am I missing? What is going on?

Is this a problem in Freebsd-5, should I rebuild to freebsd 4?

Well, sorry to keep bugging this list with a "simple" firewall bridge, but
the problems haven't been simple for me to date. I am very grateful for all
of you helping here!

Andrew.
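Added illustration, not code from this thread or from FreeBSD: a small model of the two observations above, the tcpdump captures where bridge traffic carries an "802.1q Virtual LAN" layer that console traffic lacks, and the rule counters where "allow tcp/udp from any to any" barely move while "allow log ip from any to any" catches everything and logs "Accept MAC". It parses constructed Ethernet frames two ways: a classifier that expects the IPv4 header right after the 14-byte Ethernet header and treats any other EtherType as opaque "MAC" traffic (the behaviour suspected in the thread), and a VLAN-aware one that strips 802.1Q/802.1ad tags first. The rule evaluator is a simplified model of ipfw first-match semantics (assumed here: proto, address and port options can only be satisfied by a frame classified as IP, while an option-less "ip from any to any" matches anything). Addresses, MACs, VLAN IDs and the log-line format are constructed for the example.

```python
# Added model (not code from the thread or from FreeBSD) of why an 802.1Q tag
# can make IP traffic look like opaque "MAC" frames to a layer-2 firewall hook.
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_VLAN = 0x8100    # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8    # 802.1ad service tag (stacked VLANs)
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PROTO_NUM = {"tcp": IPPROTO_TCP, "udp": IPPROTO_UDP}

LOCALIP = "192.0.2.1"      # constructed stand-in for the thread's LOCALIP
# Rule set from the thread: (number, proto, dst address, dst port);
# "ip" and None are wildcards, like "any" in the ipfw syntax.
RULES = [
    (1,   "ip",  LOCALIP, 22),    # allow ip from any to LOCALIP 22
    (10,  "tcp", None,    None),  # allow tcp from any to any
    (11,  "udp", None,    None),  # allow udp from any to any
    (100, "ip",  None,    None),  # allow log ip from any to any
]


def parse_frame(frame, vlan_aware):
    """Firewall's view of one Ethernet frame as a dict.

    vlan_aware=False: IPv4 must sit right after the 14-byte header, anything
    else is opaque "MAC" traffic.  vlan_aware=True: strip 802.1Q/802.1ad
    tags (4 bytes each) first, then parse IPv4 as usual."""
    off = 12                                   # EtherType position
    etype = struct.unpack_from("!H", frame, off)[0]
    vlans = []
    while vlan_aware and etype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlans.append(tci & 0x0FFF)             # low 12 bits of TCI: VLAN ID
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    if etype != ETHERTYPE_IP:
        return {"kind": "MAC", "vlans": vlans}
    ip = frame[off + 2:]
    ihl = (ip[0] & 0x0F) * 4                   # IPv4 header length in bytes
    view = {"kind": "IP", "vlans": vlans, "proto": ip[9],
            "src": ".".join(str(b) for b in ip[12:16]),
            "dst": ".".join(str(b) for b in ip[16:20])}
    if ip[9] in (IPPROTO_TCP, IPPROTO_UDP):    # ports live at the same offset
        view["sport"], view["dport"] = struct.unpack_from("!HH", ip, ihl)
    return view


def first_match(view, rules):
    """Number of the first rule whose options all match (first-match order).
    A "MAC" view has no proto/dst/dport fields, so only option-less rules
    such as "ip from any to any" can match it (modelled, simplified)."""
    for num, proto, dst, dport in rules:
        if proto != "ip" and view.get("proto") != PROTO_NUM[proto]:
            continue
        if dst is not None and view.get("dst") != dst:
            continue
        if dport is not None and view.get("dport") != dport:
            continue
        return num
    return None


def log_line(view, ifname):
    """Constructed log text in the spirit of the thread's 'Accept MAC in via
    fxp1' lines (not ipfw's exact format)."""
    if view["kind"] == "MAC":
        return "Accept MAC in via %s" % ifname
    name = {IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}.get(view["proto"], "IP")
    return "Accept %s %s:%s %s:%s in via %s" % (
        name, view["src"], view.get("sport", "-"),
        view["dst"], view.get("dport", "-"), ifname)


def ipv4_tcp(src, dst, sport, dport):
    """Constructed minimal IPv4 + TCP SYN (checksums zero; headers only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp


def ethernet(payload, vlan_id=None):
    """Wrap payload in an Ethernet II header, optionally 802.1Q tagged."""
    hdr = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"  # constructed MACs
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)  # PCP/DEI bits zero
    return hdr + struct.pack("!H", ETHERTYPE_IP) + payload


# Console traffic: untagged SSH to the firewall.  Bridge traffic: tagged HTTP.
CONSOLE_SSH = ethernet(ipv4_tcp("198.51.100.7", LOCALIP, 40000, 22))
BRIDGE_HTTP = ethernet(ipv4_tcp("198.51.100.7", "203.0.113.9", 40001, 80), vlan_id=10)

if __name__ == "__main__":
    for label, frame in (("console", CONSOLE_SSH), ("bridge", BRIDGE_HTTP)):
        for aware in (False, True):
            v = parse_frame(frame, aware)
            print(label, "vlan_aware=%s" % aware, "rule", first_match(v, RULES),
                  "|", log_line(v, "fxp1"))
```

Run as-is and the untagged console frame hits rule 1 either way, while the tagged bridge frame lands on rule 100 with the "MAC" log text under the naive classifier and on rule 10 once the tag is stripped; that is the counter pattern described in the message, reproduced from nothing more than the 4-byte shift the VLAN tag puts in front of the IP header.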


-----Original Message-----
From: owner-freebsd-net at freebsd.org [mailto:owner-freebsd-net at freebsd.org]
On Behalf Of Andrew Seguin
Sent: Thursday, December 16, 2004 11:51 PM
To: freebsd-net at freebsd.org
Subject: Curiosity in IPFW/Freebsd bridge.

Hello. First off, a great thanks to this list who pointed out my hardware
issue (rl series cards). I now have the bridge on two Intel Pro NICs and I
use the on-board sis card for console access, and my average ping time is
2ms to the router, passing about a solid 2MB/s.

 

My current situation is that it seems IPFW is filtering by IP address, but
never matching an IP address/Port number combo (ex: “deny ip from IP to any”
works, but “deny ip from IP to any 80” does not work).

 

The firewall rules are as follows:

#1. Allow all SSH traffic until rules are down safe.
ipfw add 1 allow ip from any to LOCAL_IP 22
#ipfw add 100 TEST (either "deny ip from any to any" or "deny ip from any to any 80").
ipfw add 500 pipe 1 ip from any to any
ipfw pipe 1 config bw 20480Kbit/s
default> allow ip from any to any

The setup is as follows in rc.conf:

ifconfig_fxp0="up"
ifconfig_fxp1="up"
ifconfig_sis0="LOCAL_IP…"

And in sysctl.conf:

net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,fxp1
net.link.ether.bridge.ipfw=1

Kernel has been built with IPFW and DUMMYNET. Freebsd 5.3 (RELENG_5,
cvsupdated and recompiled about a week ago).

 

The server was working fine when I had it filtering between two switches
(secondary to primary). I was having web/email/irc traffic bypass the pipe,
and used the pipe to limit the speed of those who use P2P. Now, I have this
situation with the firewall between the main switch and the router.

I really need to get this working for this purpose again fast or else I’ll
have a repeat of an earlier “internal” DoS, so any and all tips, comments,
pointers would be greatly appreciated!

 

I wonder if it is because I haven’t assigned an IP address on the fxp facing
the inside network…? Haven’t had the time to try this yet (11:50pm local
time!) since I don’t remember which fxp card is facing internal/external and
so I will try in the morning.

 

Again, many thanks!

Andrew Seguin

_______________________________________________
freebsd-net at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"