ipfw tags & filtering incoming broadcasts
Eugene Grosbein
eugen at grosbein.pp.ru
Wed Apr 11 16:21:04 UTC 2007
On Wed, Apr 11, 2007 at 08:47:21AM -0700, Julian Elischer wrote:
> the MAC or layer2 commands are only useful if you are calling the
> firewall from the NIC layer..
> have you turned on the layer 2 entrypoints?
>
> sysctl net.link.ether.{something} (I forget exactly)
It's net.link.ether.ipfw, and yes, I turned this on,
or else rule 40 wouldn't match a packet, but it does,
as I noted:
> >ipfw add 40 allow ip from any to any layer2
> >ipfw add 50 count log ip from any to any tagged 1
> >
> >I hoped that rule 30 would tag all broadcasts with tag 1 during layer2
> >filtering pass and it'd keep its tag during layer3 filtering but it seems
> >it doesn't. If I send a broadcast with ping <IP-broadcast>
> >I see that rules 30 and 40 match this outgoing broadcast
> >but rule 50 does not.
Eugene