Date:      Tue, 28 Nov 2000 17:38:18 +1100 (EST)
From:      Camson Huynh <Camson.Huynh@eBioinformatics.com>
To:        hackers@FreeBSD.ORG
Subject:   bridge + ipfw
Message-ID:  <Pine.BSF.4.21.0011281718030.10448-100000@pearl.au.int.en-bio.COM>

There seems to be a problem setting up bridge + ipfw using the fxp Intel Pro
100 cards. The problem doesn't exist on NE2000 cards. The same set of ipfw
rules and the same configuration work on NE2000 cards. Does anybody know if there
is a problem with 100Mbit cards, the Intel Pro in particular, or whether there is a bug
with ipfw and bridging? I have fully tested the Intel cards and they are
functioning ok. I'm currently running FreeBSD 4.2-STABLE. This behaviour
happens on FreeBSD 4.2-RELEASE and FreeBSD 4.1X also, which prompted me to
upgrade to 4.2-STABLE.

My configuration consists of 2 Intel Pro cards. The external fxp0 has an IP
assigned to it, whereas the internal fxp1 does not. The ipfw rules only allow
incoming ssh + icmp packets and deny everything else. Outgoing traffic is
not restricted. The behaviour I'm seeing is that I can ping ok. I cannot ssh
in but am still able to telnet in!!!

My kernel config includes:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options BRIDGE

My firewall rules:

${fwcmd} -f flush
${fwcmd} add 100 check-state

${fwcmd} add 200 pass all from any to any via lo0
${fwcmd} add 300 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Throw away RFC 1918 networks
${fwcmd} add deny ip from 10.0.0.0/8 to any in via ${oif}
${fwcmd} add deny ip from 172.16.0.0/12 to any in via ${oif}
${fwcmd} add deny ip from 192.168.0.0/16 to any in via ${oif}

# Allow the bridge machine to say anything it wants (keep state if UDP)
${fwcmd} add pass udp from ${bridge_ip} to any keep-state
${fwcmd} add pass ip from ${bridge_ip} to any

# Allow the inside net to say anything it wants (keep state if UDP)
${fwcmd} add pass udp from any to any in via ${iif} keep-state
${fwcmd} add pass ip from any to any in via ${iif}

# Allow all manner of ICMP
${fwcmd} add pass icmp from any to any

# established TCP sessions are ok everywhere.
${fwcmd} add pass tcp from any to any established

# Pass SSH
${fwcmd} add pass tcp from any to any 22 in via ${oif}

# Everything else is denied
${fwcmd} add deny ip from any to any

------------

camson

Camson Huynh                               eBioinformatics - Bay 16 Suite 104
Senior Systems Administrator               Australian Technology Park
Email: Camson.Huynh@eBioinformatics.com    NSW 1430 Australia
Ph: +61 2 9209 4749  Fax: +61 2 9209 4747  URL: http://eBioinformatics.com/
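As an added example (not from the original mail): a stateless first-match walk of the posted ruleset over constructed inbound packets, showing which rule each one should hit. Under plain ipfw semantics an SSH SYN arriving on the external interface is passed by the port-22 rule and a telnet SYN falls through to the final deny, which is the opposite of what the post reports, so the ruleset itself is not what lets telnet in. fxp0, fxp1 and 203.0.113.1 are assumed stand-ins for ${oif}, ${iif} and ${bridge_ip}.

```python
import ipaddress
import re

# Constructed stand-in for the posted ruleset: fxp0 is ${oif}, fxp1 is ${iif},
# 203.0.113.1 is ${bridge_ip} (assumed). Stateful lines and duplicate RFC 1918 denies are dropped.
RULESET = """
add 200 pass all from any to any via lo0
add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0
add 500 deny ip from 10.0.0.0/8 to any in via fxp0
add 800 pass ip from 203.0.113.1 to any
add 900 pass ip from any to any in via fxp1
add 1000 pass icmp from any to any
add 1100 pass tcp from any to any established
add 1200 pass tcp from any to any 22 in via fxp0
add 1300 deny ip from any to any
"""
RULE_RE = re.compile(
    r"add (\d+) (pass|deny) (\w+) from (\S+)(?: (\d+))? to (\S+)(?: (\d+))?"
    r"(?: (in|out))?(?: via (\w+))?(?: (established))?$")

def parse(text):
    matched = [RULE_RE.match(line) for line in text.strip().splitlines()]
    if not all(matched):
        raise ValueError("unsupported rule syntax in RULESET")
    return [m.groups() for m in matched]

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    _, _, proto, src, sport, dst, dport, direction, via, opt = rule
    return (proto in ("ip", "all", pkt["proto"])
            and in_net(pkt["src"], src) and in_net(pkt["dst"], dst)
            and (sport is None or int(sport) == pkt["sport"])
            and (dport is None or int(dport) == pkt["dport"])
            and (direction is None or direction == pkt["dir"])
            and (via is None or via == pkt["iface"])
            and (opt != "established" or pkt["established"]))

def first_match(rules, pkt):
    """Return (rule number, action) of the first matching rule, as ipfw does."""
    for rule in rules:
        if matches(rule, pkt):
            return int(rule[0]), rule[1]
    return None  # would fall through to ipfw's default rule

def inbound_syn(dport, iface="fxp0", src="198.51.100.7"):
    """Constructed TCP SYN to the bridge's external address (not established)."""
    return dict(proto="tcp", src=src, sport=40000, dst="203.0.113.1",
                dport=dport, dir="in", iface=iface, established=False)
```

Running `first_match(parse(RULESET), inbound_syn(22))` gives `(1200, "pass")` while `inbound_syn(23)` gives `(1300, "deny")`, so any telnet session that actually gets in is bypassing the ruleset rather than being admitted by it.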