Date: Thu, 28 Sep 2000 00:08:09 -0700
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: afleming@fhsu.edu
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW, Bridging, and IPX
Message-ID: <20000928000809.H81242@149.211.6.64.reflexcom.com>
In-Reply-To: <OFD1EAFB26.6610ACB8-ON86256967.00521208@fhsu.edu>; from afleming@fhsu.edu on Wed, Sep 27, 2000 at 10:12:49AM -0500
References: <OFD1EAFB26.6610ACB8-ON86256967.00521208@fhsu.edu>
On Wed, Sep 27, 2000 at 10:12:49AM -0500, afleming@fhsu.edu wrote:
> I have a FreeBSD 4.1 that I am setting up as a Filtering Bridge. I have
> added the following to my kernel and rebuilt it.
>
> options BRIDGE
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
>
> I have the bridge working correctly. Currently I have the firewall rules
> set to open, so any IP traffic goes through. This is working so far, but
> it was my understanding that a FreeBSD Bridge would only Bridge IP, but
> when I put a sniffer on the inside of the bridge, I keep seeing IPX
> broadcasts (as well as AppleTalk broadcasts).

Did you put in a default accept rule? IIRC, that's the rule that passes
_anything._

> Has the bridge code recently changed?

Possibly, but I believe it has always forwarded all Ethernet frames. That
is, it has always forwarded IPX and AppleTalk. It is what I, personally,
would expect. It is a bridge after all.

> Is there a way I can block everything but IP and ARP traffic? I know
> ARP's Ethernet protocol number is 2054. Can I use the special UDP rule
> to block IPX and Apple based on its protocol number?

I've never tried using that UDP port 2054 kludge to pass ARP. I would
expect that if you put in a default drop and only passed IP and ARP
(assuming that it still works and works properly; I've never seen docs or
tested it), you would get what you want. But as I always point out, ipfw
is meant to deal with _IP_ packets and not link layer frames. Any attempt
to filter non-IP with ipfw is not going to be pretty.

If that does not work, you can block all non-IP, but then run an ARP
proxy on the bridge machine.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
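Added example, not part of the thread or of FreeBSD's bridge or ipfw code: a user-space Python model of the policy the poster is after (pass IP and ARP, drop IPX, AppleTalk and everything else), decided on the Ethernet type field. That field is what a bridge-level filter has to key on, which is why the reply notes that ipfw, an IP-layer filter, is the wrong tool for non-IP frames. The frames are constructed samples; the EtherType constants other than ARP's 2054 are well-known values, not taken from the thread.

```python
import struct

# Well-known Ethernet type values. Only ARP = 2054 is quoted in the thread;
# the others are standard assignments.
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806        # 2054 decimal
ETHERTYPE_VLAN = 0x8100       # 802.1Q tag
ETHERTYPE_APPLETALK = 0x809B
ETHERTYPE_AARP = 0x80F3
ETHERTYPE_IPX = 0x8137

NAMES = {ETHERTYPE_IP: "IP", ETHERTYPE_ARP: "ARP", ETHERTYPE_IPX: "IPX",
         ETHERTYPE_APPLETALK: "AppleTalk", ETHERTYPE_AARP: "AARP"}
PASS = {ETHERTYPE_IP, ETHERTYPE_ARP}   # the poster's desired pass list


def ethertype(frame: bytes) -> int:
    """EtherType of an Ethernet frame, looking through one 802.1Q tag.
    A value below 0x0600 is an 802.3 length field (raw-802.3 IPX, for
    example), not a protocol number; it is returned as 0."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        (etype,) = struct.unpack("!H", frame[16:18])
    return etype if etype >= 0x0600 else 0


def bridge_policy(frame: bytes) -> tuple:
    """'Pass IP and ARP, drop everything else', decided at the link layer.
    Returns (verdict, protocol name) so a drop can be logged with a reason."""
    etype = ethertype(frame)
    if etype == 0:
        name = "802.3-raw"
    else:
        name = NAMES.get(etype, "0x%04x" % etype)
    return ("pass" if etype in PASS else "drop", name)


def build_frame(etype: int, payload: bytes = b"\x00" * 46,
                dst: bytes = b"\xff" * 6) -> bytes:
    """Constructed sample frame: broadcast dst, fixed src, given type."""
    src = b"\x00\x00\x0c\x01\x02\x03"          # made-up source MAC
    return dst + src + struct.pack("!H", etype) + payload
```

Running `bridge_policy` over the IPX and AppleTalk broadcasts the sniffer showed yields a drop with the protocol named, while ARP and plain or VLAN-tagged IP pass.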