From owner-freebsd-net@FreeBSD.ORG Wed Aug 29 15:01:11 2012
From: Michael Sierchio
To: lev@freebsd.org
Cc: freebsd-net@freebsd.org
Date: Wed, 29 Aug 2012 08:01:08 -0700
Subject: Re: ipfw, "ip|all" proto and PPPoE -- does PPPoE packets passed to ipfw?
In-Reply-To: <1865271844.20120829131610@serebryakov.spb.ru>
References: <1865271844.20120829131610@serebryakov.spb.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, Aug 29, 2012 at 2:16 AM, Lev Serebryakov wrote:
> I have an interface (vr1), most of the traffic on which is PPPoE. I have an ipfw
> firewall, which splits traffic by interface via:
>
> add 2000 skipto 5000 all from any to any via em0
> add 2010 skipto 7000 all from any to any via wlan0
> add 2020 skipto 11000 all from any to any via vr1
> add 2030 skipto 13000 all from any to any via ng0
> add 2040 skipto 15000 ipv6 from any to any via gif0
> add 2999 deny all from any to any
> ...
> And later here are some basic checks, nat, "check-state" and some
> stateful rules.

Consider separating traffic not only by interface but also by direction. 'via' can match traffic four different ways (at least), so match incoming traffic on an interface with

  ip from any to any in recv vr0

and outgoing traffic with

  ip from any to any out xmit vr0

> Do PPPoE packets match rule 2020, and other rules like "nat 1 ip
> from any to any"?

Yes, and it seems that that is not what you want. The packets will be seen first by the firewall, then passed to whatever is handling PPPoE on the local box, then re-injected into the IP stack, etc. for processing by firewall rules again.

Is there a pppX pseudo-interface?
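The following is an added example, not code from the thread and not FreeBSD's ipfw implementation. It is a small Python model of how ipfw's interface qualifiers dispatch a packet, so that Lev's 'via'-based skipto block can be compared with the 'in recv' / 'out xmit' pair Michael recommends. The matching semantics follow ipfw(8): 'via ifX' matches when ifX is either the receive or the transmit interface, 'recv ifX' tests only the receive interface, and 'xmit ifX' tests only the transmit interface, which is known only on the outgoing pass. The rule numbers of the directional ruleset, the sample packets, and the 'ipv4'/'ipv6' family field are this example's own assumptions; the per-interface sections that the real ruleset jumps to (5000, 7000, ...) are not modelled, only where a packet is sent.

```python
"""Model of ipfw 'via' vs 'recv'/'xmit' dispatch (added example, not ipfw code).

Semantics per ipfw(8):
  via ifX  -> ifX is the receive OR the transmit interface
  recv ifX -> ifX is the receive interface (valid on in and out passes)
  xmit ifX -> ifX is the transmit interface (only known on the out pass)
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    direction: str            # "in" or "out": which ipfw pass the packet is on
    recv_if: Optional[str]    # interface the packet arrived on
    xmit_if: Optional[str]    # interface it will leave on; None on the "in" pass
    family: str = "ipv4"      # constructed field: "ipv4" or "ipv6"


@dataclass
class Rule:
    number: int
    action: str               # "skipto N" or "deny"
    proto: str = "all"        # "all"/"ip" (any IP packet) or "ipv6"
    direction: Optional[str] = None   # None (either), "in" or "out"
    iface_kw: Optional[str] = None    # "via", "recv" or "xmit"
    iface: Optional[str] = None


def iface_matches(rule: Rule, pkt: Packet) -> bool:
    """Apply the via/recv/xmit interface test from ipfw(8)."""
    if rule.iface_kw is None:
        return True
    if rule.iface_kw == "via":
        return rule.iface in (pkt.recv_if, pkt.xmit_if)
    if rule.iface_kw == "recv":
        return pkt.recv_if == rule.iface
    if rule.iface_kw == "xmit":
        return pkt.direction == "out" and pkt.xmit_if == rule.iface
    raise ValueError(rule.iface_kw)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto == "ipv6" and pkt.family != "ipv6":
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return iface_matches(rule, pkt)


def dispatch(rules: List[Rule], pkt: Packet) -> str:
    """Walk the dispatch block in rule-number order; return the first matching
    action ('skipto N' names the per-interface section the packet lands in)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"   # ipfw's implicit final rule


# Lev's dispatch block from the thread, expressed with 'via'.
VIA_RULES = [
    Rule(2000, "skipto 5000", iface_kw="via", iface="em0"),
    Rule(2010, "skipto 7000", iface_kw="via", iface="wlan0"),
    Rule(2020, "skipto 11000", iface_kw="via", iface="vr1"),
    Rule(2030, "skipto 13000", iface_kw="via", iface="ng0"),
    Rule(2040, "skipto 15000", proto="ipv6", iface_kw="via", iface="gif0"),
    Rule(2999, "deny"),
]

# The same block rewritten as Michael suggests: one 'in recv' and one
# 'out xmit' rule per interface (rule numbers are this example's choice).
DIRECTIONAL_RULES = [
    Rule(2000, "skipto 5000", direction="in", iface_kw="recv", iface="em0"),
    Rule(2001, "skipto 5000", direction="out", iface_kw="xmit", iface="em0"),
    Rule(2010, "skipto 7000", direction="in", iface_kw="recv", iface="wlan0"),
    Rule(2011, "skipto 7000", direction="out", iface_kw="xmit", iface="wlan0"),
    Rule(2020, "skipto 11000", direction="in", iface_kw="recv", iface="vr1"),
    Rule(2021, "skipto 11000", direction="out", iface_kw="xmit", iface="vr1"),
    Rule(2030, "skipto 13000", direction="in", iface_kw="recv", iface="ng0"),
    Rule(2031, "skipto 13000", direction="out", iface_kw="xmit", iface="ng0"),
    Rule(2040, "skipto 15000", proto="ipv6", direction="in", iface_kw="recv", iface="gif0"),
    Rule(2041, "skipto 15000", proto="ipv6", direction="out", iface_kw="xmit", iface="gif0"),
    Rule(2999, "deny"),
]


if __name__ == "__main__":
    # Constructed packet: forwarded from em0, leaving on vr1, on its outgoing pass.
    forwarded = Packet("out", recv_if="em0", xmit_if="vr1")
    print("via:        ", dispatch(VIA_RULES, forwarded))          # em0 section
    print("directional:", dispatch(DIRECTIONAL_RULES, forwarded))  # vr1 section
```

The interesting case is a forwarded packet on its outgoing pass: with the 'via' block, rule 2000 matches because em0 is the receive interface, so traffic that is about to leave on vr1 is handled by the em0 section and the vr1 section never sees it; with the 'in recv' / 'out xmit' block it reaches the vr1 section, which is what a per-interface split usually intends. The same model shows that an IPv4 packet leaving on gif0 falls through to the final deny in the directional block, since only the ipv6 rule names gif0.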