Date:      Tue, 28 Nov 2000 03:33:13 -0800 (PST)
From:      Luigi Rizzo <rizzo@aciri.org>
To:        Camson.Huynh@eBioinformatics.com (Camson Huynh)
Cc:        hackers@FreeBSD.ORG
Subject:   Re: bridge + ipfw
Message-ID:  <200011281133.eASBXDi47151@iguana.aciri.org>
In-Reply-To: <Pine.BSF.4.21.0011281718030.10448-100000@pearl.au.int.en-bio.COM> from Camson Huynh at "Nov 28, 2000  5:38:18 pm"

> There seems to be a problem setting up bridge + ipfw using the fxp Intel Pro
> 100 cards. The problem doesn't exist on NE2000 cards. The same set of ipfw
> rules and same configuration work on NE2000 cards. Does anybody know if there
> is a problem with 100Mbit cards, the intel pro in particular, or there is a bug
> with ipfw and bridging? I have fully tested the intel cards and they are
> functioning ok. I'm currently running FreeBSD 4.2-STABLE. This behaviour
> happens on FreeBSD 4.2-RELEASE and FreeBSD 4.1X also, which prompted me to
> upgrade to 4.2 stable.

first: I am not totally sure the 'via' specifier makes sense
for a bridge.
second: are you sure you have set the sysctl variable
net.link.ether.bridge_cfg
so that it holds the names of the two new cards and not the old
ones? Other than that I can think of two things:
1) you are blocking ARP (the kernel ipfw hack to pass ARP was deleted in 4.x),
and so I think you need to run a 'default-to-accept' firewall
so the default rule will match and pass non-ip packets. You can still
block unwanted ip traffic with a rule like 65500 deny ip from any to any.

2) the fxp card uses dma to read/write into the mbuf, and so there might
be some timing issues which are not present with the 'ed' driver.
I fixed them on 3.x, but have no idea on what is the status on 4.x
(though I strongly doubt this is the problem).

	cheers
	luigi

> 
> My configuration consists of 2 intel pro cards. The external fxp0 has an IP
> assigned to it, whereas the internal fxp1 does not. The ipfw rules only allow
> ssh incoming + icmp packets and deny everything else. Outgoing traffic is
> not restricted. The behaviour I'm seeing is that I can ping ok. I cannot ssh
> in but am still able to telnet in!!!
> 
> My kernel config includes:
> options	IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options BRIDGE
> 
> My firewall rules:
> 
> ${fwcmd} -f flush
> ${fwcmd} add 100 check-state
> 
> ${fwcmd} add 200 pass all from any to any via lo0
> ${fwcmd} add 300 deny all from any to 127.0.0.0/8
> # If you're using 'options BRIDGE', uncomment the following line to pass ARP
> ${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0
> 
> # Throw away RFC 1918 networks
> ${fwcmd} add deny ip from 10.0.0.0/8 to any in via ${oif}
> ${fwcmd} add deny ip from 172.16.0.0/12 to any in via ${oif}
> ${fwcmd} add deny ip from 192.168.0.0/16 to any in via ${oif}
> 
> # Allow the bridge machine to say anything it wants (keep state if UDP)
> ${fwcmd} add pass udp from ${bridge_ip} to any keep-state
> ${fwcmd} add pass ip from ${bridge_ip} to any
> 
> # Allow the inside net to say anything it wants (keep state if UDP)
> ${fwcmd} add pass udp from any to any in via ${iif} keep-state
> ${fwcmd} add pass ip from any to any in via ${iif}
> 
> # Allow all manner of ICMP
> ${fwcmd} add pass icmp from any to any
> 
> # established TCP sessions are ok everywhere.
> ${fwcmd} add pass tcp from any to any established
> 
> # Pass SSH
> ${fwcmd} add pass tcp from any to any 22 in via ${oif}
> 
> # Everything else is denied
> ${fwcmd} add deny ip from any to any
> 
> ------------
> 
> camson
> 
> Camson Huynh                               eBioinformatics - Bay 16 Suite 104
> Senior Systems Administrator               Australian Technology Park
> Email: Camson.Huynh@eBioinformatics.com    NSW 1430 Australia
> Ph: +61 2 9209 4749  Fax: +61 2 9209 4747  URL: http://eBioinformatics.com/
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
> 
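The point in the reply about the kernel's default rule and non-IP frames is easy to get wrong on a bridge, so here is a small model of it as an added illustration; it is constructed for this note and is not FreeBSD code or anything posted in the thread. It models only what the reply relies on: a rule written for `ip`, `tcp`, `udp` or `icmp` never matches a non-IP frame such as ARP, so that frame falls through to rule 65535, whose action is fixed when the kernel is built (`IPFIREWALL_DEFAULT_TO_ACCEPT`). Addresses, interfaces and `via` are left out, and the policy from the quoted message is reduced to "ICMP and inbound SSH pass, the rest is denied". (For reference, port 2054 in the quoted rc.firewall line is 0x0806, the ARP ethertype.)

```python
"""Toy model of ipfw first-match evaluation on a bridging host.

Constructed illustration, not FreeBSD code. Rules written for IP protocols
cannot match an ARP frame, so ARP is decided by the compiled-in default
rule 65535 alone.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    ethertype: str        # "ip" or "arp"
    proto: str = ""       # "tcp", "udp" or "icmp" when ethertype == "ip"
    dport: int = 0        # destination port for tcp/udp


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "pass" or "deny"
    proto: str                    # "ip" (any IP protocol), "tcp", "udp", "icmp"
    dport: Optional[int] = None   # None means any destination port


def rule_matches(rule: Rule, frame: Frame) -> bool:
    """ipfw protocol keywords describe IP packets; an ARP frame is not one."""
    if frame.ethertype != "ip":
        return False
    if rule.proto != "ip" and rule.proto != frame.proto:
        return False
    if rule.dport is not None and rule.dport != frame.dport:
        return False
    return True


def evaluate(rules: List[Rule], frame: Frame, default_to_accept: bool) -> Tuple[str, int]:
    """First matching rule wins; otherwise the compiled-in default rule 65535."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, frame):
            return rule.action, rule.number
    return ("pass" if default_to_accept else "deny"), 65535


# Constructed traffic arriving on the outside interface of the bridge.
TRAFFIC: Dict[str, Frame] = {
    "arp":    Frame("arp"),
    "ping":   Frame("ip", "icmp"),
    "ssh":    Frame("ip", "tcp", 22),
    "telnet": Frame("ip", "tcp", 23),
}

# Reduced form of the quoted policy: ICMP and inbound SSH pass, final explicit deny.
POLICY_FINAL_DENY: List[Rule] = [
    Rule(100, "pass", "icmp"),
    Rule(200, "pass", "tcp", dport=22),
    Rule(300, "deny", "ip"),
]

# Same policy with the explicit deny forgotten: relies entirely on the kernel default.
POLICY_NO_DENY: List[Rule] = POLICY_FINAL_DENY[:2]

# The suggestion in the reply: kernel built default-to-accept so 65535 passes ARP,
# plus 'deny ip from any to any' at 65500 so IP traffic still meets an explicit deny.
POLICY_LATE_DENY: List[Rule] = POLICY_FINAL_DENY[:2] + [Rule(65500, "deny", "ip")]


def audit(rules: List[Rule], default_to_accept: bool) -> Dict[str, Tuple[str, int]]:
    """Outcome (action, matching rule number) for every constructed frame."""
    return {name: evaluate(rules, frame, default_to_accept)
            for name, frame in TRAFFIC.items()}


if __name__ == "__main__":
    for label, rules, accept in [
        ("default-to-deny kernel, final deny at 300", POLICY_FINAL_DENY, False),
        ("default-to-accept kernel, no explicit deny", POLICY_NO_DENY, True),
        ("default-to-accept kernel, deny at 65500", POLICY_LATE_DENY, True),
    ]:
        print(label)
        for name, (action, number) in audit(rules, accept).items():
            print(f"  {name:7s} -> {action:4s} by rule {number}")
```

The first scenario is the one the quoted configuration resembles on a default-to-deny kernel: every IP rule behaves as written, yet ARP is dropped at 65535 and the bridged hosts cannot resolve each other. The second is the check worth keeping when following the advice: a default-to-accept kernel without the late explicit deny turns every gap in the rule list into an allow (telnet passes at 65535). The third keeps ARP flowing while IP still ends at an explicit deny.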
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200011281133.eASBXDi47151>