From owner-freebsd-hackers Tue Nov 28 3:33:32 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from iguana.aciri.org (iguana.aciri.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id 5A5CF37B402 for ; Tue, 28 Nov 2000 03:33:28 -0800 (PST)
Received: (from rizzo@localhost) by iguana.aciri.org (8.11.1/8.11.1) id eASBXDi47151; Tue, 28 Nov 2000 03:33:13 -0800 (PST) (envelope-from rizzo)
From: Luigi Rizzo
Message-Id: <200011281133.eASBXDi47151@iguana.aciri.org>
Subject: Re: bridge + ipfw
In-Reply-To: from Camson Huynh at "Nov 28, 2000 5:38:18 pm"
To: Camson.Huynh@eBioinformatics.com (Camson Huynh)
Date: Tue, 28 Nov 2000 03:33:13 -0800 (PST)
Cc: hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> There seems to be a problem setting up bridge + ipfw using the fxp Intel Pro
> 100 cards. The problem doesn't exist on NE2000 cards. The same set of ipfw
> rules and same configuration work on NE2000 cards. Does anybody know if there
> is a problem with 100Mbit cards, the Intel Pro in particular, or there is a bug
> with ipfw and bridging? I have fully tested the Intel cards and they are
> functioning ok. I'm currently running FreeBSD 4.2-STABLE. This behaviour
> happens on FreeBSD 4.2-RELEASE and FreeBSD 4.1X also, which prompted me to
> upgrade to 4.2-STABLE.

first: I am not totally sure the 'via' specifier makes sense for a bridge.

second: are you sure you have set the sysctl variable net.link.ether.bridge_cfg
so that it holds the names of the two new cards and not the old ones?

Other than that I can think of two things:

1) you are blocking ARP (the kernel ipfw hack to pass ARP was deleted in 4.x),
   and so I think you need to run a 'default-to-accept' firewall so the default
   rule will match and pass non-IP packets. You can still block unwanted IP
   traffic with a rule like

	65500 deny ip from any to any

2) the fxp card uses DMA to read/write into the mbuf, and so there might be
   some timing issues which are not present with the 'ed' driver. I fixed them
   on 3.x, but have no idea on what the status is on 4.x (though I strongly
   doubt this is the problem).

	cheers
	luigi

> 
> My configuration consists of 2 Intel Pro cards. The external fxp0 has an IP
> assigned to it whereas the internal fxp1 does not. The ipfw rules only allow
> ssh incoming + icmp packets and deny everything else. Outgoing traffic is
> not restricted. The behaviour I'm seeing is that I can ping ok. I cannot ssh
> in but am still able to telnet in !!!
> 
> My kernel config includes:
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options BRIDGE
> 
> My firewall rules:
> 
> ${fwcmd} -f flush
> ${fwcmd} add 100 check-state
> 
> ${fwcmd} add 200 pass all from any to any via lo0
> ${fwcmd} add 300 deny all from any to 127.0.0.0/8
> # If you're using 'options BRIDGE', uncomment the following line to pass ARP
> ${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0
> 
> # Throw away RFC 1918 networks
> ${fwcmd} add deny ip from 10.0.0.0/8 to any in via ${oif}
> ${fwcmd} add deny ip from 172.16.0.0/12 to any in via ${oif}
> ${fwcmd} add deny ip from 192.168.0.0/16 to any in via ${oif}
> 
> # Allow the bridge machine to say anything it wants (keep state if UDP)
> ${fwcmd} add pass udp from ${bridge_ip} to any keep-state
> ${fwcmd} add pass ip from ${bridge_ip} to any
> 
> # Allow the inside net to say anything it wants (keep state if UDP)
> ${fwcmd} add pass udp from any to any in via ${iif} keep-state
> ${fwcmd} add pass ip from any to any in via ${iif}
> 
> # Allow all manner of ICMP
> ${fwcmd} add pass icmp from any to any
> 
> # established TCP sessions are ok everywhere.
> ${fwcmd} add pass tcp from any to any established
> 
> # Pass SSH
> ${fwcmd} add pass tcp from any to any 22 in via ${oif}
> 
> # Everything else is denied
> ${fwcmd} add deny ip from any to any
> 
> ------------
> 
> camson
> 
> Camson Huynh                              eBioinformatics - Bay 16 Suite 104
> Senior Systems Administrator              Australian Technology Park
> Email: Camson.Huynh@eBioinformatics.com   NSW 1430 Australia
> Ph: +61 2 9209 4749  Fax: +61 2 9209 4747  URL: http://eBioinformatics.com/
> 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
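The rule layout Luigi's point 1 describes (a default-to-accept kernel so that ARP, which matches no "ip" rule, reaches the built-in rule 65535, with an explicit rule 65500 still denying all unaccepted IP), together with the bridge_cfg sysctl from his point 2, as an added example that is not code from the thread. It rewrites Camson's posted rc.firewall fragment: the rule 400 ARP hack is dropped, inside and outside are told apart by address (the hypothetical `inside_net`) rather than by `via`, since the reply doubts `via` on a bridge, and the catch-all deny is numbered 65500. The interface names, addresses (RFC 5737 documentation prefixes), the `IPFIREWALL_DEFAULT_TO_ACCEPT` kernel option and the `net.link.ether.bridge_ipfw` sysctl are assumptions taken from the 4.x ipfw(8) and bridge(4) manual pages, not from the message.

```shell
#!/bin/sh
# Added example (not from the thread): a FreeBSD 4.x bridging firewall laid
# out as Luigi's reply suggests.  Kernel config assumed; the second option is
# the "default-to-accept" he refers to, which turns rule 65535 into "allow":
#   options IPFIREWALL
#   options IPFIREWALL_DEFAULT_TO_ACCEPT
#   options BRIDGE
# Effect: ARP and other non-IP frames match no "ip" rule and fall through to
# 65535 (allow); IP packets nothing accepted earlier are dropped by 65500.

# Hypothetical site values (RFC 5737 documentation prefixes); replace as needed.
oif=fxp0                    # external card, carries the bridge host's address
iif=fxp1                    # internal card, no address
bridge_ip=192.0.2.1         # the bridge host's own address
inside_net=203.0.113.0/24   # hosts behind $iif, used instead of 'in via $iif'
fwcmd=${fwcmd:-ipfw}

# Luigi's second point: bridge_cfg must name the two fxp cards, not the old
# ed cards.  bridge_ipfw hands bridged frames to ipfw (names per bridge(4)).
bridge_sysctls() {
    printf 'net.link.ether.bridge_cfg=%s,%s\n' "$oif" "$iif"
    printf 'net.link.ether.bridge_ipfw=1\n'
    printf 'net.link.ether.bridge=1\n'
}

# One ipfw argument list per line.  No rule 400 (the 0.0.0.0 port 2054 ARP
# hack that 4.x ipfw no longer honours), no 'via' on bridged traffic, and an
# explicitly numbered catch-all so the default rule 65535 stays reachable.
bridge_rules() {
    cat <<EOF
-f flush
add 100 check-state
add 200 pass all from any to any via lo0
add 300 deny all from any to 127.0.0.0/8
add 1000 deny ip from 10.0.0.0/8 to any
add 1100 deny ip from 172.16.0.0/12 to any
add 1200 deny ip from 192.168.0.0/16 to any
add 2000 pass udp from $bridge_ip to any keep-state
add 2100 pass ip from $bridge_ip to any
add 3000 pass udp from $inside_net to any keep-state
add 3100 pass ip from $inside_net to any
add 4000 pass icmp from any to any
add 5000 pass tcp from any to any established
add 5100 pass tcp from any to $inside_net 22
add 5200 pass tcp from any to $bridge_ip 22
add 65500 deny ip from any to any
EOF
}

# Push sysctls, then rules.  Only runs for "sh thisfile apply" (root on the
# FreeBSD box), so the file can also be sourced just for the functions above.
apply_bridge_firewall() {
    bridge_sysctls | while read -r kv; do sysctl -w "$kv"; done
    # word splitting of $args into separate ipfw arguments is intended
    bridge_rules | while read -r args; do $fwcmd -q $args; done
}

if [ "${1:-}" = apply ]; then
    apply_bridge_firewall
fi
```

Note that with the interface qualifiers gone, rules 1000 to 1200 drop RFC 1918 sources in both directions, so the example assumes the inside hosts use public addresses, as a bridge without NAT implies.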