From: Josef Karthauser <joe@tao.org.uk>
To: Gavin Atkinson
Cc: current@freebsd.org, net@freebsd.org
Date: Wed, 4 May 2005 18:18:51 +0100
Subject: Re: ipfw broken with bridge under 5.x (5.3 and 5.4)
Message-ID: <20050504171851.GB1863@genius.tao.org.uk>
In-Reply-To: <1115226802.49427.16.camel@buffy.york.ac.uk>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, May 04, 2005 at 06:13:22PM +0100, Gavin Atkinson wrote:
>
> I believe I am seeing similar problems to you, though uptime for me is
> generally measurable in days rather than minutes. I've found that
> adding an explicit "allow all from any to any" and then removing it
> again seems to get it working. I will test your solution when mine
> fails again.
>
> The comment about arp is an interesting one, I will see what I can find
> out. I have however seen situations where (eg) UDP DNS through the
> bridge works but web traffic or terminal services etc may not.
>
> If you want to share firewall rules and other configuration with me
> off-list to see if there are any similarities I'd be happy to help.
>

It appears that the solution is obtained by adding the rule:

    allow ip from any to any layer2 mac-type arp

to the beginning of the firewall list. IPFW2 drops non-IP traffic
whereas IPFW1 passes it through. This is the reason why my
configuration stopped working after the upgrade.

Joe

-- 
Josef Karthauser (joe@tao.org.uk)                  http://www.josef-k.net/
FreeBSD (cvs meister, admin and hacker)         http://www.uk.FreeBSD.org/
Physics Particle Theory (student)         http://www.pact.cpes.sussex.ac.uk/
================ An eclectic mix of fact and theory. =================
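A small check for the condition Joe describes, added here as an example and not part of the original thread: because ipfw applies the first matching rule, the ARP allow only helps if it is listed before any deny that would swallow non-IP frames. The `ipfw list` output below is constructed for the example; on a live bridge host the function can be fed `"$(ipfw list)"` instead.

```shell
#!/bin/sh
# Constructed sample listings in the format `ipfw list` prints
# (rule number, action, body). GOOD_RULES carries the ARP rule at the
# top of the list; BAD_RULES is the same set without it, so ARP falls
# through to the default deny and the bridge stops passing traffic.
GOOD_RULES='00100 allow ip from any to any layer2 mac-type arp
00200 allow ip from any to any via lo0
00300 allow tcp from any to any established
65535 deny ip from any to any'

BAD_RULES='00200 allow ip from any to any via lo0
00300 allow tcp from any to any established
65535 deny ip from any to any'

# arp_allowed_first LISTING
# Exit 0 when an "allow ... layer2 ... mac-type arp" rule appears before
# the first "deny" rule in the listing, exit 1 otherwise. ipfw uses
# first-match semantics, so an ARP allow placed after a deny never fires,
# and with IPFW2 non-IP frames that match no rule are dropped.
arp_allowed_first() {
    printf '%s\n' "$1" | awk '
        # A deny seen before the ARP allow means ARP is already blocked.
        /^[0-9]+ deny / && !found { exit 1 }
        # The ARP allow itself: record it and stop scanning.
        /^[0-9]+ allow .*layer2.*mac-type arp/ { found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Stand-alone run: report on both constructed listings.
for name in GOOD_RULES BAD_RULES; do
    eval "listing=\$$name"
    if arp_allowed_first "$listing"; then
        echo "$name: ARP allow precedes first deny (bridge ARP will pass)"
    else
        echo "$name: no ARP allow before first deny (add the layer2 rule)"
    fi
done
```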