From owner-freebsd-net@FreeBSD.ORG Wed May 4 17:13:55 2005
From: Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
To: Josef Karthauser
Cc: current@freebsd.org, net@freebsd.org
Date: Wed, 04 May 2005 18:13:22 +0100
Subject: Re: ipfw broken with bridge under 5.x (5.3 and 5.4)
Message-Id: <1115226802.49427.16.camel@buffy.york.ac.uk>
In-Reply-To: <20050504142425.GB710@genius.pact.cpes.susx.ac.uk>
References: <20050502200413.GB46745@genius.tao.org.uk> <20050502202122.GC46745@genius.tao.org.uk> <20050504142425.GB710@genius.pact.cpes.susx.ac.uk>
List-Id: Networking and TCP/IP with FreeBSD
On Wed, 2005-05-04 at 15:24 +0100, Josef Karthauser wrote:
> It appears that ipfw doesn't work with bridge in 5.3 and 5.4. The
> symptoms are that the bridge stops forwarding packets altogether,
> for me a few minutes after it is set up. It takes a
>
> # net.link.ether.bridge_ipfw=0 && sleep 5 && net.link.ether.bridge_ipfw=1
>
> to get it back up and running, which it does, but only for a few
> minutes before it stops working again. The five second sleep is
> sometimes too long, and sometimes not enough time.

I believe I am seeing similar problems to you, though uptime for me is
generally measurable in days rather than minutes. I've found that adding
an explicit "allow all from any to any" and then removing it again seems
to get it working. I will test your solution when mine fails again.

The comment about arp is an interesting one, I will see what I can find
out. I have however seen situations where (e.g.) UDP DNS through the
bridge works but web traffic or terminal services etc. may not.

If you want to share firewall rules and other configuration with me
off-list to see if there are any similarities I'd be happy to help.

Gavin
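The two workarounds traded in this exchange (Josef's toggling of net.link.ether.bridge_ipfw with a pause in between, and Gavin's inserting and then deleting an "allow all from any to any" rule) written up as one script, as an added example that is not code from either poster or from FreeBSD. The sysctl(8) spelling of Josef's two assignments, the probe host PROBE_HOST, the rule number RULE_NUM and the DRY_RUN switch are assumptions made for the example, not details from the thread. The security point it tries to make explicit: while the catch-all allow rule exists, every packet matches it and nothing after it in the ruleset is consulted, so the firewall is effectively open for that moment, and a rule number that collides with an existing rule would delete that rule too.

```shell
#!/bin/sh
# Added example, not from the original thread.  Two workarounds for a FreeBSD 5.x
# bridge that stops forwarding while net.link.ether.bridge_ipfw=1, plus a probe
# that decides when to apply one of them.
#
# Assumptions (not from the thread):
#   PROBE_HOST  a host reachable only through the bridge (placeholder address)
#   RULE_NUM    an ipfw rule number that is free and sorts before the first deny
#   DRY_RUN=1   print the privileged commands instead of executing them

DRY_RUN="${DRY_RUN:-0}"
PROBE_HOST="${PROBE_HOST:-192.0.2.10}"   # TEST-NET-2 placeholder, replace for real use
RULE_NUM="${RULE_NUM:-100}"               # must be lower than any deny rule to matter
SETTLE="${SETTLE:-5}"                     # seconds the bridge stays out of ipfw

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Success when a host on the far side of the bridge still answers one ping.
bridge_forwarding() {
    ping -c 1 "$PROBE_HOST" >/dev/null 2>&1
}

# Success when some rule already carries RULE_NUM (ipfw list prints "00100 ...").
rule_number_in_use() {
    ipfw list 2>/dev/null | awk -v n="$RULE_NUM" '$1+0 == n+0 {found=1} END {exit !found}'
}

# Josef's workaround: take the bridge out of ipfw, wait, put it back.
toggle_bridge_ipfw() {
    run sysctl net.link.ether.bridge_ipfw=0
    run sleep "$SETTLE"
    run sysctl net.link.ether.bridge_ipfw=1
}

# Gavin's workaround: insert a catch-all allow rule, then remove it again.
# While the rule exists every packet matches it, so nothing below it is
# consulted; keep the window short and never leave the rule behind.
# "ipfw delete N" removes every rule numbered N, hence the collision check.
kick_ipfw_rule() {
    if [ "$DRY_RUN" != 1 ] && rule_number_in_use; then
        echo "rule $RULE_NUM already exists; refusing to add and delete it" >&2
        return 1
    fi
    run ipfw add "$RULE_NUM" allow all from any to any
    run ipfw delete "$RULE_NUM"
}

# One watchdog pass: probe through the bridge; if it fails, apply METHOD
# ("toggle" or "rule").  Suitable for a cron job running every minute.
watchdog_once() {
    method="${1:-toggle}"
    if bridge_forwarding; then
        return 0
    fi
    case "$method" in
        toggle) toggle_bridge_ipfw ;;
        rule)   kick_ipfw_rule ;;
        *)      echo "unknown method: $method" >&2; return 2 ;;
    esac
}

# Command-line entry point; nothing runs when sourced without arguments.
case "${1:-}" in
    toggle) toggle_bridge_ipfw ;;
    rule)   kick_ipfw_rule ;;
    watch)  watchdog_once "${2:-toggle}" ;;
esac
```

Run it as `sh bridge-kick.sh watch toggle` from cron, or `DRY_RUN=1 sh bridge-kick.sh rule` to see exactly which commands it would issue before trusting it with root. If the rule method is used from an unattended job, the add and the delete should be kept adjacent as above, since an interruption between them leaves the firewall fully open.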