From owner-freebsd-ipfw@FreeBSD.ORG  Fri Jun 13 19:39:04 2008
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B865E106566B
	for <freebsd-ipfw@freebsd.org>; Fri, 13 Jun 2008 19:39:04 +0000 (UTC)
	(envelope-from cswiger@mac.com)
Received: from pi.codefab.com (pi.codefab.com [199.103.21.227])
	by mx1.freebsd.org (Postfix) with ESMTP id 891978FC0C
	for <freebsd-ipfw@freebsd.org>; Fri, 13 Jun 2008 19:39:04 +0000 (UTC)
	(envelope-from cswiger@mac.com)
Received: from localhost (localhost [127.0.0.1])
	by pi.codefab.com (Postfix) with ESMTP id D78AB5D21;
	Fri, 13 Jun 2008 15:22:49 -0400 (EDT)
X-Virus-Scanned: amavisd-new at codefab.com
Received: from pi.codefab.com ([127.0.0.1])
	by localhost (pi.codefab.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id SFxcvbuWimNG; Fri, 13 Jun 2008 15:22:47 -0400 (EDT)
Received: from [10.152.145.162] (72-165-115-225.dia.static.qwest.net
	[72.165.115.225]) (using TLSv1 with cipher AES128-SHA (128/128 bits))
	(No client certificate requested)
	by pi.codefab.com (Postfix) with ESMTPSA id 9A56D5CEC;
	Fri, 13 Jun 2008 15:22:46 -0400 (EDT)
Message-Id: <733D64F7-47AA-4BCF-9677-08A20D39150A@mac.com>
From: Chuck Swiger <cswiger@mac.com>
To: Alexey Beketov <opt1k2@mail.ru>
In-Reply-To: <E1K7DQJ-000Bq2-00.opt1k2-mail-ru@f137.mail.ru>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v924)
Date: Fri, 13 Jun 2008 12:22:45 -0700
References: <E1K7DQJ-000Bq2-00.opt1k2-mail-ru@f137.mail.ru>
X-Mailer: Apple Mail (2.924)
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw arp protocol filtering
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jun 2008 19:39:04 -0000

On Jun 13, 2008, at 10:50 AM, Alexey Beketov wrote:
> I have two networks,10.10.0.0/16 both, and if_bridge between them.
> There is two different 10.10.0.1 machines in each network. I need to  
> filter arp on bridge to make no conflicts between 10.10.0.1  
> machines. How to make it, I using freebsd 7.0 and ipfw?

Seriously, dude-- don't even try to do this; you will be drawn into  
networking hell.

If you still wish to risk it, consider:

   sysctl -w net.link.ether.bridge_ipfw=1
   sysctl -w net.link.ether.ipfw=1

   ipfw add deny mac any 0:1:2:3:4:5

...add the deny rule twice & change MAC to match those of your two  
10.10.0.1 machines.  This won't filter ARP traffic, but instead just  
the ethernet addresses of these two machines from passing through the  
bridge.  If you really want to block ARP, you're better off switching  
to using a router and NAT forwarding rather than a bridge, but I  
understand there's a hack like follows:

   ipfw add deny udp from 0.0.0.0 2054 to 0.0.0.0

-- 
-Chuck