From owner-freebsd-net@FreeBSD.ORG Fri Dec 17 09:48:34 2004
From: "Andrew Seguin" <asegu@borgtech.ca>
To: freebsd-net@freebsd.org
Date: Fri, 17 Dec 2004 10:47:46 +0100
Message-Id: <20041217094937.E4E6054C3@borgtech.ca>
Subject: FW: Curiosity in IPFW/Freebsd bridge. [more] 802.1q VLAN at fault?
List-Id: Networking and TCP/IP with FreeBSD

My apologies: sometimes I feel just so stupid... hitting reply replies to me instead of the list. Ooops!

-----Original Message-----
From: Andrew Seguin [mailto:asegu@borgtech.ca]
Sent: Friday, December 17, 2004 10:16 AM
To: 'Andrew Seguin'
Subject: RE: Curiosity in IPFW/Freebsd bridge. [more]

Ok, through all my bugging of you all, I just want to mention that I am still working at my own end to figure this out. I've used tcpdump to capture a sample of all traffic for each NIC (tcpdump -s 1500 -i fxp1 -c 1000 -w tcpdump.fxp1), which I am now looking at in Ethereal.
So my initial observation: traffic flowing through the bridge doesn't filter, while on the console access NIC, it does. Looking through the Ethereal dumps, I have spotted one difference.

Packets for the console look like this:

Frame 1 (106 bytes on wire, 106 bytes captured)
Ethernet II, Src: MAC1, Dst: MAC2
Internet Protocol, Src Addr: MyPC, Dst Addr: FIREWALL
SSH Protocol

Packets from the bridge look like this:

Frame 1 (64 bytes on wire, 64 bytes captured)
Ethernet II, Src: MAC1, Dst: MAC2
802.1q Virtual LAN
Internet Protocol, Src Addr: x, Dst Addr: y
Transmission Control Protocol, ...

So it would seem that the "802.1q Virtual LAN" part in the protocol is stopping IPFW from investigating the traffic? (At times like this I wish I had studied networking rather than computer engineering for 4 years!)

Question then: what in IPFW is stopping it from reading into a VLAN tagged packet (if it is such that it can be called)? All help and pointers (especially to documentation) would be highly appreciated!

-----Original Message-----
From: Andrew Seguin [mailto:asegu@borgtech.ca]
Sent: Friday, December 17, 2004 8:27 AM
To: 'Andrew Seguin'
Subject: RE: Curiosity in IPFW/Freebsd bridge. [more]

I have done a bit of further research and I have to question myself what is going on. I set the system back up with only two NICs in use, and put an IP address up on one side only; nothing different.

Back to the three NIC setup. Four rules:

1 allow ip from any to LOCALIP 22
10 allow tcp from any to any
11 allow udp from any to any
100 allow log ip from any to any

The counts climb very very slowly for rules 10/11 (maybe 100 bytes/min?) while rule 100 increases at the rate of approximately 2-3 MB/min. On the bridge, only MAC traffic is seen. Looking at the logs (I put in a "1000 allow log ip from any to any") I saw "Accept MAC in via fxp1", "Accept MAC in via fxp0", repeated many times over.
Googling, I've found this unanswered post which seems to be the exact same problem as mine:
http://lists.freebsd.org/pipermail/freebsd-questions/2004-August/056397.html

This question is only so-so related (the person doesn't complain about it being a problem, only wants to log):
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2004-04/1680.html

So I am wondering what am I missing? What is going on? Is this a problem in FreeBSD 5; should I rebuild to FreeBSD 4?

Well, sorry to keep bugging this list with a "simple" firewall bridge, but the problems haven't been simple to me to date. I am very grateful for all of you helping here!

Andrew.

-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Andrew Seguin
Sent: Thursday, December 16, 2004 11:51 PM
To: freebsd-net@freebsd.org
Subject: Curiosity in IPFW/Freebsd bridge.

Hello,

First off, a great thanks to this list who pointed out my hardware issue (rl series cards). I now have the bridge on two Intel Pro NICs and I use the on-board sis card for console access, and my average ping time is a 2ms average to the router, passing about a solid 2MB/s.

My current situation is that it seems IPFW is filtering by IP address, but never matching an IP address/port number combo (ex: "deny ip from IP to any" works, but "deny ip from IP to any 80" does not work).

The firewall rules are as follows:

#1. Allow all SSH traffic until rules are down safe.
ipfw add 1 allow ip from any to LOCAL_IP 22
#ipfw add 100 TEST (either "deny ip from any to any" or "deny ip from any to any 80").
ipfw add 500 pipe 1 ip from any to any
ipfw pipe 1 config bw 20480Kbit/s
default> allow ip from any to any

The setup is as follows in rc.conf:

ifconfig_fxp0="up"
ifconfig_fxp1="up"
ifconfig_sis0="LOCAL_IP..."

And in sysctl.conf:

net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,fxp1
net.link.ether.bridge.ipfw=1

Kernel has been built with IPFW and DUMMYNET. FreeBSD 5.3 (RELENG_5, cvsupdated and recompiled about a week ago).

The server was working fine when I had it filtering between two switches (secondary to primary). I was having web/email/irc traffic bypass the pipe, and used the pipe to limit the speed of those who use P2P. Now, I have this situation with the firewall between the main switch and the router. I really need to get this working for this purpose again fast or else I'll have a repeat of an earlier "internal" DoS, so any and all tips, comments, pointers would be greatly appreciated!

I wonder if it is because I haven't assigned an IP address on the fxp facing the inside network... Haven't had the time to try this yet (11:50pm local time!) since I don't remember which fxp card is facing internal/external and so I will try in the morning.

Again, many thanks!
Andrew Seguin

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.5.4 - Release Date: 12/15/2004

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
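Added example, not part of the thread and not the author's capture: a small Python frame parser on constructed sample frames that shows the structural difference the Ethereal dumps above reveal. An 802.1q tag inserts 4 bytes after the source MAC and replaces the ethertype at byte 12 with 0x8100, so anything that expects the IPv4 header at byte 14 classifies the frame as non-IP (the "MAC" view in the logs); parse_frame steps over the tag, naive_is_ipv4 shows the tag-unaware view, and count_tagged can be run over a list of raw frames such as those read from a tcpdump -w file. The MAC and IP addresses, VLAN id and function names are all assumptions.

```python
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800

def parse_frame(frame):
    """Return (vlan_id, src_ip, dst_ip, proto, dst_port) for an Ethernet frame,
    stepping over an 802.1q tag when present (vlan_id is None if untagged).
    Returns None when the frame does not carry IPv4."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        # 4-byte tag: TCI (PCP/DEI/VID) then the real ethertype; IP starts at 18
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[offset] & 0x0F) * 4
    proto = frame[offset + 9]
    src_ip = ".".join(str(b) for b in frame[offset + 12:offset + 16])
    dst_ip = ".".join(str(b) for b in frame[offset + 16:offset + 20])
    dst_port = None
    if proto in (6, 17):  # TCP/UDP: destination port is bytes 2-3 of the L4 header
        (dst_port,) = struct.unpack("!H", frame[offset + ihl + 2:offset + ihl + 4])
    return vlan_id, src_ip, dst_ip, proto, dst_port

def naive_is_ipv4(frame):
    """What a filter that assumes IP always starts at byte 14 sees: a tagged
    frame carries ethertype 0x8100 there, not 0x0800, so it looks like non-IP."""
    return struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4

def build_frame(vlan_id=None, dst_port=80):
    """Constructed sample: TCP SYN 10.0.0.1 -> 192.0.2.1, optionally 802.1q tagged."""
    eth = bytes.fromhex("001122334455" "66778899aabb")  # constructed dst/src MACs
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan_id) if vlan_id is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))  # checksum left 0
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

def count_tagged(frames):
    """(tagged, untagged) IPv4 frame counts for a capture: the tagged share is
    the traffic a tag-unaware layer-3 rule would never match."""
    parsed = [p for p in map(parse_frame, frames) if p is not None]
    tagged = sum(1 for p in parsed if p[0] is not None)
    return tagged, len(parsed) - tagged
```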