Date: Tue, 28 Nov 2000 17:38:18 +1100 (EST)
From: Camson Huynh
To: hackers@FreeBSD.ORG
Subject: bridge + ipfw

There seems to be a problem setting up bridge + ipfw using the fxp Intel Pro 100 cards. The problem doesn't exist on NE2000 cards: the same set of ipfw rules and the same configuration work on NE2000 cards. Does anybody know if there is a problem with 100Mbit cards, the Intel Pro in particular, or is there a bug with ipfw and bridging? I have fully tested the Intel cards and they are functioning OK.

I'm currently running FreeBSD 4.2-STABLE. This behaviour also happens on FreeBSD 4.2-RELEASE and FreeBSD 4.1X, which prompted me to upgrade to 4.2-STABLE.

My configuration consists of 2 Intel Pro cards. The external fxp0 has an IP assigned to it, whereas the internal fxp1 does not. The ipfw rules only allow incoming ssh + icmp packets and deny everything else. Outgoing traffic is not restricted.

The behaviour I'm seeing is that I can ping OK. I cannot ssh in but am still able to telnet in !!!
My kernel config includes:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options BRIDGE

My firewall rules:

${fwcmd} -f flush
${fwcmd} add 100 check-state
${fwcmd} add 200 pass all from any to any via lo0
${fwcmd} add 300 deny all from any to 127.0.0.0/8

# If you're using 'options BRIDGE', uncomment the following line to pass ARP
${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Throw away RFC 1918 networks
${fwcmd} add deny ip from 10.0.0.0/8 to any in via ${oif}
${fwcmd} add deny ip from 172.16.0.0/12 to any in via ${oif}
${fwcmd} add deny ip from 192.168.0.0/16 to any in via ${oif}

# Allow the bridge machine to say anything it wants (keep state if UDP)
${fwcmd} add pass udp from ${bridge_ip} to any keep-state
${fwcmd} add pass ip from ${bridge_ip} to any

# Allow the inside net to say anything it wants (keep state if UDP)
${fwcmd} add pass udp from any to any in via ${iif} keep-state
${fwcmd} add pass ip from any to any in via ${iif}

# Allow all manner of ICMP
${fwcmd} add pass icmp from any to any

# established TCP sessions are ok everywhere.
${fwcmd} add pass tcp from any to any established

# Pass SSH
${fwcmd} add pass tcp from any to any 22 in via ${oif}

# Everything else is denied
${fwcmd} add deny ip from any to any

------------
camson

Camson Huynh                              eBioinformatics - Bay 16 Suite 104
Senior Systems Administrator              Australian Technology Park
Email: Camson.Huynh@eBioinformatics.com   NSW 1430 Australia
Ph: +61 2 9209 4749  Fax: +61 2 9209 4747 URL: http://eBioinformatics.com/
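A way to check what the ruleset above says on paper, as an added example that is not part of the post and is not ipfw: a first-match simulator covering only the terms these rules use (proto, src/dst net, dst port, in/out, via, established), with constructed interface names and addresses; check-state/keep-state and the ARP rule are not modelled. Run against an inbound SYN on the outside interface it shows that, as written, port 22 should be passed and port 23 should fall through to the final deny, which is the opposite of the behaviour the post reports.

```python
# Added example (not ipfw): first-match evaluation of the posted ruleset.
# Interface names and addresses are constructed; stateful rules and the
# ARP rule are left out because the cases below never reach them.
from ipaddress import ip_address, ip_network

OIF, IIF, BRIDGE_IP = "fxp0", "fxp1", "203.0.113.10"   # assumed values
ANY = "0.0.0.0/0"

# (action, proto, src, dst, dport, direction, via, established), in ipfw order
RULES = [
    ("pass", "ip",   ANY,              ANY,           None, None, "lo0", False),
    ("deny", "ip",   ANY,              "127.0.0.0/8", None, None, None,  False),
    ("deny", "ip",   "10.0.0.0/8",     ANY,           None, "in", OIF,   False),
    ("deny", "ip",   "172.16.0.0/12",  ANY,           None, "in", OIF,   False),
    ("deny", "ip",   "192.168.0.0/16", ANY,           None, "in", OIF,   False),
    ("pass", "ip",   BRIDGE_IP,        ANY,           None, None, None,  False),
    ("pass", "ip",   ANY,              ANY,           None, "in", IIF,   False),
    ("pass", "icmp", ANY,              ANY,           None, None, None,  False),
    ("pass", "tcp",  ANY,              ANY,           None, None, None,  True),
    ("pass", "tcp",  ANY,              ANY,           22,   "in", OIF,   False),
    ("deny", "ip",   ANY,              ANY,           None, None, None,  False),
]

def matches(rule, pkt):
    """True if every term of the rule matches the packet (None = wildcard)."""
    action, proto, src, dst, dport, direction, via, established = rule
    return (proto in ("ip", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst)
            and (dport is None or pkt.get("dport") == dport)
            and (direction is None or direction == pkt["dir"])
            and (via is None or via == pkt["via"])
            and (not established or pkt.get("established", False)))

def verdict(pkt):
    """(index, action) of the first matching rule; ipfw stops at the first match."""
    for i, rule in enumerate(RULES):
        if matches(rule, pkt):
            return i, rule[0]
    return None, "deny"   # ipfw's implicit default; unreachable with a final deny

def inbound_tcp(dport, established=False):
    """Constructed TCP packet arriving on the outside interface for an inside host."""
    return {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.20",
            "dport": dport, "dir": "in", "via": OIF, "established": established}

if __name__ == "__main__":
    for name, port in (("ssh", 22), ("telnet", 23)):
        print(name, "SYN in via", OIF, "->", verdict(inbound_tcp(port)))
```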