Bridge
Andrew Thompson
thompsa at freebsd.org
Wed Sep 13 21:20:15 PDT 2006
On Wed, Sep 13, 2006 at 08:19:41PM +0200, Jon Otterholm wrote:
> Hi.
>
> According to man if_bridge one could filter L2-traffic with ipfw:
>
> From man if_bridge:
> ARP and REVARP packets are forwarded without being filtered and others
> that are not IP nor IPv6 packets are not forwarded when pfil_onlyip is
> enabled. IPFW can filter Ethernet types using mac-type so all packets
> are passed to the filter for processing.
>
> ARP is still forwarded though I have the following config:
>
> I have the following sysctl set:
>
> net.link.bridge.ipfw: 1
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
>
> ipfw list:
>
> 65533 deny ip from any to any MAC any any
> 65534 deny ip from any to any layer2
> 65535 deny ip from any to any
The check for ARP happens before the ipfw layer2 code so it isn't
currently possible to filter them.

    switch (ether_type) {
    case ETHERTYPE_ARP:
    case ETHERTYPE_REVARP:
        return (0); /* Automatically pass */
You are the second person in so many days to ask this, is it something
that should be changed?
Andrew
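As an added illustration (not code from this mail or from FreeBSD), a small C model of the ordering Andrew describes: the ethertype switch runs before the ipfw layer2 hook, so a deny-all ruleset like Jon's never sees ARP or REVARP frames. The ethertype constants are the standard values; the handling of other non-IP types follows the if_bridge man page text quoted above.

```c
#include <stdio.h>
#include <stdint.h>

#define ETHERTYPE_IP     0x0800
#define ETHERTYPE_ARP    0x0806
#define ETHERTYPE_REVARP 0x8035
#define ETHERTYPE_IPV6   0x86DD

enum verdict { PASS = 0, DROP = 1, TO_FILTER = 2 };

/* Model of the pre-filter ethertype check (illustrative, not kernel code).
 * ARP/REVARP are passed before any ipfw rule is consulted. */
enum verdict bridge_prefilter(uint16_t ether_type, int pfil_onlyip)
{
    switch (ether_type) {
    case ETHERTYPE_ARP:
    case ETHERTYPE_REVARP:
        return PASS;            /* automatically passed, ipfw never sees it */
    case ETHERTYPE_IP:
    case ETHERTYPE_IPV6:
        return TO_FILTER;       /* handed to the ipfw layer2 hook */
    default:
        /* man if_bridge: other types are not forwarded when pfil_onlyip=1 */
        return pfil_onlyip ? DROP : TO_FILTER;
    }
}

/* Jon's ruleset: rules 65533-65535 deny everything that reaches ipfw. */
static enum verdict ipfw_deny_all(uint16_t ether_type)
{
    (void)ether_type;
    return DROP;
}

/* Final forwarding decision for one frame with the given sysctl setting. */
enum verdict bridge_forward_decision(uint16_t ether_type, int pfil_onlyip)
{
    enum verdict v = bridge_prefilter(ether_type, pfil_onlyip);
    return (v == TO_FILTER) ? ipfw_deny_all(ether_type) : v;
}

int main(void)
{
    const uint16_t types[] = { ETHERTYPE_ARP, ETHERTYPE_REVARP, ETHERTYPE_IP,
                               ETHERTYPE_IPV6, 0x88CC /* constructed: LLDP */ };
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++)
        printf("0x%04x -> %s\n", types[i],
               bridge_forward_decision(types[i], 1) == PASS ? "forwarded" : "dropped");
    return 0;
}
```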