ipfw broken with bridge under 5.x (5.3 and 5.4)
Josef Karthauser
joe at FreeBSD.org
Wed May 4 10:19:52 PDT 2005
On Wed, May 04, 2005 at 06:13:22PM +0100, Gavin Atkinson wrote:
>
> I believe I am seeing similar problems to you, though uptime for me is
> generally measurable in days rather than minutes. I've found that
> adding an explicit "allow all from any to any" and then removing it
> again seems to get it working. I will test your solution when mine
> fails again.
>
> The comment about arp is an interesting one, I will see what I can find
> out. I have however seen situations where (eg) UDP DNS through the
> bridge works but web traffic or terminal services etc may not.
>
> If you want to share firewall rules and other configuration with me
> off-list to see if there are any similarities I'd be happy to help.
>
It appears that the solution is obtained by adding the rule:
allow ip from any to any layer2 mac-type arp
to the beginning of the firewall list. IPFW2 drops non-IP traffic
whereas IPFW1 passes it through. This is the reason why my configuration
stopped working after the upgrade.
Joe
--
Josef Karthauser (joe at tao.org.uk) http://www.josef-k.net/
FreeBSD (cvs meister, admin and hacker) http://www.uk.FreeBSD.org/
Physics Particle Theory (student) http://www.pact.cpes.sussex.ac.uk/
================ An eclectic mix of fact and theory. =================
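The behaviour Joe describes, as an added example that is not part of the thread and not ipfw's own code: a toy first-match evaluator for frames crossing a bridge. It encodes one assumption taken from the message above, namely that an IPFW2 rule without the `layer2` keyword inspects only IP fields and therefore never matches a non-IP frame such as ARP, so the default policy (assumed to be deny here) drops it. Only the small subset of ipfw syntax used in the thread is parsed (`allow`/`deny`, a protocol, `from any to any`, `dst-port`, `layer2`, `mac-type`); the sample frames and rule sets are constructed for the demonstration.

```python
"""Toy model of IPFW2 first-match evaluation on bridged (layer-2) frames.

Added example for this thread; not ipfw's implementation. Assumptions:
  * rules without ``layer2`` see only IP fields, so non-IP frames (ARP)
    fall through to the default policy;
  * the default policy is deny (the kernel default);
  * only the rule-syntax subset used in the thread is understood.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
MAC_TYPES = {"ip": ETHERTYPE_IP, "arp": ETHERTYPE_ARP}


@dataclass
class Frame:
    ethertype: int
    proto: str = ""      # "tcp"/"udp" for IP frames, "" for non-IP frames
    dport: int = 0


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "ip"                # "ip" means any IP protocol
    layer2: bool = False
    mac_type: Optional[int] = None   # ethertype given by a "mac-type" option
    dport: Optional[int] = None


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'allow ip from any to any layer2 mac-type arp'
    or 'allow tcp from any to any dst-port 80' (subset only)."""
    toks = text.split()
    rule = Rule(action=toks[0], proto=toks[1])
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok in ("from", "to"):
            i += 2                   # only "any" addresses are modelled
        elif tok == "layer2":
            rule.layer2 = True
            i += 1
        elif tok == "mac-type":
            rule.mac_type = MAC_TYPES[toks[i + 1]]
            i += 2
        elif tok == "dst-port":
            rule.dport = int(toks[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return rule


def matches(rule: Rule, frame: Frame) -> bool:
    if rule.layer2:
        if rule.mac_type is not None and rule.mac_type != frame.ethertype:
            return False
    elif frame.ethertype != ETHERTYPE_IP:
        return False                 # non-IP frame: no IP fields to match on
    if rule.proto != "ip" and rule.proto != frame.proto:
        return False
    if rule.dport is not None and rule.dport != frame.dport:
        return False
    return True


def evaluate(rules: List[Rule], frame: Frame, default: str = "deny") -> Tuple[str, int]:
    """First match wins; returns (action, 1-based rule number, 0 = default policy)."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, frame):
            return rule.action, number
    return default, 0


# Constructed sample traffic crossing the bridge.
SAMPLE_FRAMES = {
    "arp request": Frame(ETHERTYPE_ARP),
    "dns query udp/53": Frame(ETHERTYPE_IP, "udp", 53),
    "http tcp/80": Frame(ETHERTYPE_IP, "tcp", 80),
}


def verdicts(rule_texts: List[str]) -> Dict[str, Tuple[str, int]]:
    rules = [parse_rule(t) for t in rule_texts]
    return {name: evaluate(rules, f) for name, f in SAMPLE_FRAMES.items()}


# A rule set that worked under IPFW1 but silently loses ARP under IPFW2.
BEFORE = ["allow udp from any to any dst-port 53",
          "allow tcp from any to any dst-port 80"]
# The fix from the thread: the ARP rule goes at the beginning of the list.
AFTER = ["allow ip from any to any layer2 mac-type arp"] + BEFORE

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, verdicts(rules))
```

Running the block shows the IP-only rule set passing DNS and HTTP but sending the ARP request to the default deny (rule 0), while the corrected set matches ARP on rule 1. Because evaluation is first-match, the ARP rule only helps if it precedes any `layer2` rule that could deny the frame, which is why the message places it at the start of the list.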