ipfw, "ip|all" proto and PPPoE -- are PPPoE packets passed to ipfw?
Lev Serebryakov
lev at FreeBSD.org
Wed Aug 29 18:31:31 UTC 2012
Hello, Michael.
You wrote on 29 August 2012, 19:01:08:
>> I have an interface (vr1), most of the traffic on which is PPPoE. I have an ipfw
>> firewall, which splits traffic by interfaces via:
>>
>> add 2000 skipto 5000 all from any to any via em0
>> add 2010 skipto 7000 all from any to any via wlan0
>> add 2020 skipto 11000 all from any to any via vr1
>> add 2030 skipto 13000 all from any to any via ng0
>> add 2040 skipto 15000 ipv6 from any to any via gif0
>> add 2999 deny all from any to any
>> ...
>> And later here are some basic checks, nat, "check-state" and some
>> stateful rules.
MS> Consider separating traffic not only by interface but also direction
It is done in rules 1000 and 1010: 2xxx is for incoming, 3xxx for
outgoing. It is only a sample.
MS> ip from any to any in recv vr0
MS> and outgoing
MS> ip from any to any out xmit vr0
Yep, I'll collapse my two-rule chains in one rule.
>> Do PPPoE packets match rule 2020, and other rules like "nat 1 ip
>> from any to any"?
MS> Yes, and it seems that that is not what you want. The packets will be
MS> seen first by the firewall, then passed to whatever is handling PPPoE
But there is no rule for it, and default policy is "deny"... But it
works.
MS> on the local box, then re-injected into the IP stack, etc. for
MS> processing by firewall rules again.
MS> Is there a pppX pseudo-interface?
ng0, as I'm using mpd5, not system ppp.
--
// Black Lion AKA Lev Serebryakov <lev at FreeBSD.org>
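The per-interface, per-direction split that the reply recommends ("in recv IF" for inbound and "out xmit IF" for outbound, one rule each instead of a two-rule chain), written as an added example. This is not code from the thread or from FreeBSD; the rule numbers, skipto targets and interface names are assumptions chosen to mirror the quoted ruleset, the protocol defaults to "ip" as in the reply rather than "all", and with DRY_RUN=1 (the default) the script only prints the rules and never calls ipfw.

```shell
#!/bin/sh
# Added example: generate an ipfw splitter that sends traffic to a per-interface
# block by interface AND direction with a single rule per (interface, direction).
# Assumed: rule numbers, targets and interface names below; ipfw(8) syntax
# "in recv IF" / "out xmit IF". DRY_RUN=1 prints rules instead of loading them.

: "${DRY_RUN:=1}"

# iface_rule NUM DIRECTION IFACE TARGET [PROTO]
# Emit one rule: PROTO traffic entering (in recv) or leaving (out xmit) IFACE
# jumps to the block starting at TARGET. PROTO defaults to "ip".
iface_rule() {
    num=$1; dir=$2; ifc=$3; target=$4; proto=${5:-ip}
    case "$dir" in
        in)  echo "add $num skipto $target $proto from any to any in recv $ifc" ;;
        out) echo "add $num skipto $target $proto from any to any out xmit $ifc" ;;
        *)   echo "iface_rule: bad direction '$dir' (want in|out)" >&2; return 1 ;;
    esac
}

# gen_ruleset prints the whole splitter: one inbound and one outbound rule per
# interface, then a catch-all deny so a packet that matched no interface is dropped
# instead of falling through (the quoted ruleset's "add 2999 deny all" idea).
gen_ruleset() {
    iface_rule 2000 in  em0   5000
    iface_rule 2010 out em0   6000
    iface_rule 2020 in  wlan0 7000
    iface_rule 2030 out wlan0 8000
    iface_rule 2040 in  vr1   11000
    iface_rule 2050 out vr1   12000
    iface_rule 2060 in  ng0   13000
    iface_rule 2070 out ng0   14000
    iface_rule 2080 in  gif0  15000 ipv6
    iface_rule 2090 out gif0  16000 ipv6
    echo "add 2999 deny ip from any to any"
}

# load_ruleset: print in dry-run mode, otherwise feed each rule to ipfw(8).
load_ruleset() {
    if [ "$DRY_RUN" = 1 ]; then
        gen_ruleset
    else
        gen_ruleset | while read -r rule; do
            # word-splitting of $rule is intended: rules contain no quotes
            ipfw -q $rule
        done
    fi
}

load_ruleset
```

Because each block is now entered only from a single direction, the rules at 5000, 7000, 11000 and so on can drop the separate direction checks the two-rule chains needed; the trailing deny keeps the default-deny posture for anything arriving on an interface the splitter does not list.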