From owner-freebsd-net Fri Nov 20 21:58:05 1998
From: Luigi Rizzo
Message-Id: <199811210400.FAA28620@labinfo.iet.unipi.it>
Subject: Re: bridging hints?
To: alden@math.ohio-state.edu (Dave Alden)
Date: Sat, 21 Nov 1998 05:00:58 +0100 (MET)
Cc: freebsd-net@FreeBSD.ORG
In-Reply-To: <199811202109.QAA06927@math.mps.ohio-state.edu> from "Dave Alden" at Nov 20, 98 04:09:28 pm

> Hi,
> I'm planning on using a FreeBSD box as our departmental firewall. I
> just started playing around with it and have a box configured with 2 Intel
> EtherExpress 100+ cards, our LAN on one and a workstation (call 'wkstn')
> on the other. I'm trying to learn ipfw, so I set up the FreeBSD box as a
> "client" firewall. I then did:

i am not sure what you mean by "client" firewall -- i suppose that
you are setting the firewall on the machine acting as a bridge.

> ipfw add deny tcp from any to wkstn
>
> This works as expected. But if I try to just turn off certain ports with:
>
> ipfw add deny tcp from any to wkstn 1-1024
>
> it doesn't work as I would expect (it allows me to telnet to the machine).

i have never tried this... have you tried, by chance, to block single
ports as opposed to a range and see if it makes a difference ?
If it does it could be a bug in ipfw.c, otherwise it is in the way
the bridge code uses ipfw

luigi

> Can someone tell me what I'm doing wrong? :-)
>
> ...thnx,
> ...dave
>
> ps I have set net.link.ether.bridge_ipfw=1. :-)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message