From owner-freebsd-ipfw@FreeBSD.ORG Tue May 10 21:36:53 2005
Date: Tue, 10 May 2005 14:36:52 -0700
From: Jon Simola
Reply-To: jon@abccomm.com
To: freebsd-ipfw@freebsd.org, Joshua Paech
Subject: Re: IPFW2 statefulness over bridge?
Message-ID: <8eea04080505101436289b58e7@mail.gmail.com>
In-Reply-To: <42805673.2070401@quo.com.au>
References: <42805673.2070401@quo.com.au>
List-Id: IPFW Technical Discussions
X-List-Received-Date: Tue, 10 May 2005 21:36:53 -0000

On 5/9/05, Simon Litchfield wrote:
> Hi. We've noticed ipfw2 doesn't seem to maintain state on outgoing
> connections over our bridge (running 5.3 generic). A similar
> configuration worked fine using pf on OpenBSD.
>
> Are we missing something? Here's the guts of our rule script --

ipfw bridges only get one chance at the packet, because the bdg_forward
path does not have anything similar to ether_output. You can't firewall
packets on their way out of your bridge, only on the way in. So "via"
doesn't make sense, and "in recv" might make some sense depending on what
you're trying to do. See the diagram in ipfw(8) for details.

> # allow arps (oh yeah, this is important)
> ipfw add allow layer2 mac-type arp

You might want to rewrite your ruleset to split off the layer2 and layer3
rules, otherwise (depending on your config) each packet will pass through
the entire ruleset twice: once at layer2, and again at layer3. Passes at
layer2 won't match any rules that don't specify "layer2" on the rule, and
MAC matching doesn't make sense at layer3.

-- 
Jon Simola
Systems Administrator
ABC Communications
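A bridge ruleset laid out the way the reply above suggests, as an added example that is not from the thread or from the FreeBSD project: the layer2 rules sit in their own numbered block that the layer3 pass skips over, and direction is written as "in recv <ifname>" instead of "via". It assumes two hypothetical bridge members, fxp0 (outside) and fxp1 (inside, with 192.0.2.0/24 behind it), and arbitrary rule numbers.

```shell
#!/bin/sh
# Added example for a FreeBSD 5.x bridge(4) box running ipfw2.
# Assumptions (hypothetical): fxp0 faces the Internet, fxp1 faces the
# 192.0.2.0/24 LAN, rule numbers are arbitrary.  "apply" loads the rules
# as root; any other invocation only defines the functions.
fwcmd=${fwcmd:-/sbin/ipfw}

rule() { $fwcmd add "$@"; }

load_ruleset() {
    $fwcmd -f flush
    # Rules below 1000 are only for the link-layer pass (packets handed to
    # ipfw with an Ethernet header).  The layer3 pass jumps over them, so
    # neither pass walks rules written for the other.
    rule 100 skipto 1000 ip from any to any not layer2
    rule 200 allow layer2 mac-type arp
    rule 300 skipto 1000 layer2 mac-type ip   # IPv4 frames: on to the IP rules
    rule 900 deny layer2                      # any other link-layer protocol

    # IP rules.  A bridge sees each packet once, inbound on a member
    # interface, so direction is "in recv <ifname>", never "via" or "out".
    # The dynamic rule created by keep-state matches the reply when it
    # arrives inbound on the other member interface.
    rule 1000 check-state
    rule 1100 allow tcp from 192.0.2.0/24 to any setup in recv fxp1 keep-state
    rule 1200 allow udp from 192.0.2.0/24 to any 53 in recv fxp1 keep-state
    rule 1300 allow icmp from any to any icmptypes 0,3,8,11
    rule 1900 deny log ip from any to any
}

if [ "${1:-}" = apply ]; then
    # Hand bridged frames to ipfw (bridge(4) sysctl in 5.x).
    sysctl net.link.ether.bridge.ipfw=1
    load_ruleset
fi
```

Set fwcmd=echo to print the rules instead of loading them, which is a convenient way to review the split before touching a live bridge.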