From owner-freebsd-questions Thu Sep 28 00:08:49 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id CD2B037B422
	for ; Thu, 28 Sep 2000 00:08:34 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149])
	by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
	Thu, 28 Sep 2000 00:06:59 -0700
Received: (from cjc@localhost)
	by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e8S789b95637;
	Thu, 28 Sep 2000 00:08:09 -0700 (PDT)
	(envelope-from cjc)
Date: Thu, 28 Sep 2000 00:08:09 -0700
From: "Crist J . Clark"
To: afleming@fhsu.edu
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW, Bridging, and IPX
Message-ID: <20000928000809.H81242@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from afleming@fhsu.edu on Wed, Sep 27, 2000 at 10:12:49AM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Sep 27, 2000 at 10:12:49AM -0500, afleming@fhsu.edu wrote:
> I have a FreeBSD 4.1 that I am setting up as a Filtering Bridge. I have
> added the following to my kernel and rebuilt it.
>
> options BRIDGE
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
>
> I have the bridge working correctly. Currently I have the firewall rules
> set to open, so any IP traffic goes through. This is working so far, but
> it was my understanding that a FreeBSD Bridge would only Bridge IP, but
> when I put a sniffer on the inside of the bridge, I keep seeing IPX
> broadcasts, (As well as Apple Talk Broadcasts also.)

Did you put in a default accept rule? IIRC, that's the rule that passes
_anything._

> Has the bridge code recently changed?

Possibly, but I believe it has always forwarded all Ethernet frames. That
is, it has always forwarded IPX and AppleTalk. It is what I, personally,
would expect. It is a bridge after all.

> Is there a way I can block
> everything but IP and ARP traffic? I know ARP's Ethernet protocol number
> is 2054. Can I use the special UDP rule to block IPX and Apple based on
> its protocol number?

I've never tried using that UDP port 2054 kludge to pass ARP. I would
expect if you put in a default drop, and only passed IP and ARP (assuming
that it still works and works properly, I've never seen docs or tested
it), that you would get what you want. But as I always point out, ipfw is
meant to deal with _IP_ packets and not link layer frames. Any attempt to
filter non-IP with ipfw is not going to be pretty. If that does not work,
you can block all non-IP, but then run an ARP proxy on the bridge machine.

-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
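The default-drop rule set the reply suggests (pass IP, pass ARP via the UDP port 2054 kludge, deny everything else), written out as an added example that is not code from the thread or from the FreeBSD project. The interface name, the rule numbers, the sysctl step and the exact way ARP is presented to ipfw on the bridge are assumptions to be checked against bridge(4) and ipfw(8) for the release in use; the reply itself notes that the ARP kludge was untested.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny ipfw rule set for a
# FreeBSD 4.x filtering bridge that passes only IP and ARP.
# Assumptions: inside interface name, rule numbers, and that ARP reaches ipfw
# as UDP with port 2054 on both ends (the "kludge" the thread refers to).

BRIDGE_IF="${BRIDGE_IF:-xl0}"   # assumed inside-facing interface name
IPFW="${IPFW:-ipfw}"            # path to ipfw(8); override for testing

# Emit the rule set, one "ipfw add" argument list per line, so it can be
# reviewed (and checked) before anything is loaded into the kernel.
# The last rule is an explicit logging deny: the poster's "open" rule set
# ends in an allow, which is exactly why IPX and AppleTalk were forwarded.
bridge_rules() {
    cat <<'EOF'
100 allow udp from any 2054 to any 2054
200 allow ip from any to any
65000 deny log ip from any to any
EOF
}

# Sanity check used before loading: the final rule must be a deny, otherwise
# the set is still "open" regardless of what precedes it.
last_rule_is_deny() {
    bridge_rules | tail -n 1 | grep -q '^[0-9][0-9]* deny'
}

# Load the rule set: enable bridge->ipfw handoff (net.link.ether.bridge_ipfw
# is assumed to exist on this release), flush, then add each rule in order.
load_rules() {
    last_rule_is_deny || { echo "refusing to load: no trailing deny" >&2; return 1; }
    sysctl -w net.link.ether.bridge_ipfw=1 >/dev/null
    "$IPFW" -f flush >/dev/null
    bridge_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        "$IPFW" add $rule
    done
}

# Verification after loading: watch the inside interface for frames that are
# neither IP nor ARP. With the rule set in place this should stay silent;
# any IPX/AppleTalk broadcast seen here means non-IP frames are still bridged.
leak_check() {
    tcpdump -n -i "$BRIDGE_IF" -c 20 'not ip and not arp'
}

# Only touch the kernel when explicitly asked: "sh bridge-rules.sh load".
case "${1:-}" in
    load)  load_rules ;;
    check) leak_check ;;
    *)     bridge_rules ;;
esac
```

Run without arguments to print the rule set for review; `load` applies it and `check` runs the tcpdump leak test. Because ipfw sees IP (and, via the kludge, ARP) rather than raw Ethernet frames, the trailing deny is what actually stops IPX and AppleTalk, so the script refuses to load a set whose last rule is not a deny.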