ipfw tags & filtering incoming broadcasts

Eugene Grosbein eugen at grosbein.pp.ru
Wed Apr 11 14:57:14 UTC 2007


Hi!

I have a router based on FreeBSD 6 running quagga/RIPv2
and want to filter all incoming packets sent to it (not forwarded through it)
with a small set of exceptions. This router uses ipfw for packet filtering.

There is no problem filtering unicasts. But I also want to block all
broadcasts except incoming RIPv2; some hardware
routers send broadcasts instead of multicasts here.

I've tried this way:

ipfw add 30 allow tag 1 ip from any to any MAC ff:ff:ff:ff:ff:ff any
ipfw add 40 allow ip from any to any layer2
ipfw add 50 count log ip from any to any tagged 1

I hoped that rule 30 would tag all broadcasts with tag 1 during the layer2
filtering pass and that the packet would keep its tag during the layer3 filtering pass,
but it seems it doesn't. If I send a broadcast with ping <IP-broadcast>,
I see that rules 30 and 40 match this outgoing broadcast
but rule 50 does not. Am I doing something wrong, or
is this behaviour by design, or is this a bug that deserves a PR?

Eugene Grosbein
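The following is an added editorial model, not code from the post or from ipfw itself. It evaluates the three rules above against a broadcast packet in both ipfw passes, and it rests on assumptions that are stated in the comments: net.link.ether.ipfw=1 so frames get a layer2 pass; a frame arriving on the wire is seen by the layer2 pass (ether_demux) before the layer3 pass (ip_input); a locally generated packet is seen by the layer3 pass (ip_output) before the layer2 pass (ether_output); and a tag attached by `tag N` stays on the packet for later passes. Under those assumptions the model reproduces the observation in the post: for a locally originated ping broadcast, the `tagged 1` check in rule 50 runs in the layer3 pass before rule 30 has had a chance to attach the tag, whereas a broadcast arriving from the network is tagged at layer2 first and rule 50 then sees it. The default rule 65535 and `deny` actions are omitted from the model.

```python
# Toy model of how an ipfw rule set is evaluated across the layer2 and layer3
# filtering passes. Added editorial example: not ipfw source and not from the post.
#
# Assumptions (labelled, not verified against the FreeBSD 6 sources here):
#  - net.link.ether.ipfw=1, so Ethernet frames get a layer2 filtering pass.
#  - Incoming frames: layer2 pass (ether_demux) runs before the layer3 pass (ip_input).
#  - Locally generated packets: layer3 pass (ip_output) runs before the layer2 pass
#    (ether_output).
#  - 'tag N' attaches a tag that stays on the packet for all later passes.
#  - 'MAC ... any' needs an Ethernet header, so it can only match in the layer2 pass.

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Packet:
    dst_mac: str                         # Ethernet destination address
    direction: str                       # "in" (arrived on the wire) or "out" (locally generated)
    tags: Set[int] = field(default_factory=set)


@dataclass
class Rule:
    number: int
    action: str                          # "allow" (terminating) or "count" (non-terminating)
    layer2: bool = False                 # 'layer2' option: only matches in the layer2 pass
    dst_mac: Optional[str] = None        # 'MAC <dst> any': only matchable in the layer2 pass
    tag: Optional[int] = None            # 'tag N': attach tag N when the rule matches
    tagged: Optional[int] = None         # 'tagged N': match only if tag N is already present


def rule_matches(rule: Rule, pkt: Packet, pass_name: str) -> bool:
    """Decide whether one rule matches the packet during the given pass."""
    if rule.layer2 and pass_name != "layer2":
        return False
    if rule.dst_mac is not None:
        # No Ethernet header is visible in the layer3 pass, so MAC options fail there.
        if pass_name != "layer2" or pkt.dst_mac != rule.dst_mac:
            return False
    if rule.tagged is not None and rule.tagged not in pkt.tags:
        return False
    return True


def run_pass(rules: List[Rule], pkt: Packet, pass_name: str) -> List[int]:
    """Return the numbers of rules that matched in this pass.

    'count' keeps searching; 'allow' terminates the search for this pass.
    """
    hits: List[int] = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule_matches(rule, pkt, pass_name):
            continue
        hits.append(rule.number)
        if rule.tag is not None:
            pkt.tags.add(rule.tag)      # the tag now travels with the packet
        if rule.action != "count":
            break
    return hits


def filter_packet(rules: List[Rule], pkt: Packet) -> Dict[str, List[int]]:
    """Run both passes in the order the stack would apply them (see assumptions)."""
    order = ["layer2", "layer3"] if pkt.direction == "in" else ["layer3", "layer2"]
    return {p: run_pass(rules, pkt, p) for p in order}


# The rule set from the post, transcribed into the model.
RULES = [
    Rule(30, "allow", dst_mac=BROADCAST_MAC, tag=1),   # allow tag 1 ip from any to any MAC ff:.. any
    Rule(40, "allow", layer2=True),                    # allow ip from any to any layer2
    Rule(50, "count", tagged=1),                       # count log ip from any to any tagged 1
]


def outgoing_ping_broadcast() -> Dict[str, List[int]]:
    """A broadcast generated on the router itself (e.g. ping to the IP broadcast)."""
    return filter_packet(RULES, Packet(BROADCAST_MAC, "out"))


def incoming_broadcast() -> Dict[str, List[int]]:
    """A broadcast frame arriving from the network (e.g. RIPv2 sent to the broadcast MAC)."""
    return filter_packet(RULES, Packet(BROADCAST_MAC, "in"))


if __name__ == "__main__":
    print("locally generated broadcast:", outgoing_ping_broadcast())
    print("incoming broadcast:         ", incoming_broadcast())
```

Running it shows the asymmetry: the outgoing packet reaches rule 50 with an empty tag set, so the `tagged 1` check cannot match, while the incoming packet is tagged by rule 30 in its first pass and counted by rule 50 in its second.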


More information about the freebsd-net mailing list