From: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
Subject: Re: strange problems with ipfw and bridge
To: camposr@MATRIX.COM.BR (Rodrigo Campos)
Cc: net@FreeBSD.ORG
Date: Thu, 10 Dec 1998 13:00:43 +0100 (MET)
Message-Id: <199812101200.NAA21247@labinfo.iet.unipi.it>
In-Reply-To: from "Rodrigo Campos" at Dec 10, 98 11:00:19 am
Sender: owner-freebsd-net@FreeBSD.ORG

[crossposted to -net because it is relevant there]

> The bridge works just fine, but when I try to enable the packet filtering
> of bridged packets with 'sysctl -w net.link.ether.bridge_ipfw=1' the
> windows box cannot make any new connections. I'm using the following
> firewall rules:
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 01000 pipe 10 ip from any to 200.202.17.6
> 65000 allow ip from any to any
> 65535 deny ip from any to any

...

> There are some interesting details...
>
> Once I make any network connection to a machine from the windows box
> (ping, ftp, telnet, etc...), the windows box can reconnect to this machine
> after enabling the bridge_ipfw, only new connections cannot be
> established, seems just like if the windows box couldn't find the 'way
> out' to new connections. In the inverse direction the problem is exactly

Correct diagnosis.
When the bridge passes a packet to the ipfw code and the packet finds no
matching rule, the default rule (65535) is used. This is what happens e.g.
for ARP and explains why you observe the above.

I should really implement support in IPFW for non-IP traffic matching. In
the meantime there is a hack in ip_fw.c:

    /*
     * temporary hack:
     * udp from 0.0.0.0 means this rule applies.
     *   1 src port is match ether type
     *   2 src ports (interval) is match ether type
     *   3 src ports is match ether address
     */

but the code only implements the first one and I don't think I have ever
tested this... You could try this and see if/how it works (or if it needs
fixes etc.)

> p.s.: I'm having problems accessing your home page in the last few hours,
> anyway I'd like to know if you allow me to mirror it at Brazil so it would
> be faster for the freebsd community in south america to read all that
> documentation.

sure -- but actually the "bridge" and "dummynet" manpages are supposed to
contain everything you should need to know (and if you or someone has
suggestions for changes, integration, etc. please send me a patch).

cheers
luigi

-----------------------------+--------------------------------------
Luigi Rizzo                  | Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it    | Universita' di Pisa
tel: +39-50-568533           | via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522           | http://www.iet.unipi.it/~luigi/
_____________________________|______________________________________
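To make the failure mode concrete, here is an added model (example code, not from the thread and not FreeBSD's ip_fw.c) of how bridged frames are evaluated against the quoted ruleset. It assumes, per the comment Luigi quotes, that a non-IP frame such as ARP is only ever compared against "udp from 0.0.0.0 <port>" rules with port equal to the ethertype, and is otherwise skipped down to the default rule; rule numbers, the hack rule and the sample frames are constructed for the demonstration.

```python
import ipaddress

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806

# Ruleset from the thread (rule 100 "via lo0" omitted: bridged frames never
# arrive via lo0). Each rule: (number, action, proto, src, dst, src_port).
RULES = [
    (200,   "deny",  "ip", "any", "127.0.0.0/8",  None),
    (1000,  "pipe",  "ip", "any", "200.202.17.6", None),
    (65000, "allow", "ip", "any", "any",          None),
    (65535, "deny",  "ip", "any", "any",          None),
]
# The ip_fw.c hack: "udp from 0.0.0.0 <port>" is an ethertype match, with
# the single source port standing for the ethertype (0x0806 = ARP).
# Rule number 500 is a constructed placeholder.
ARP_HACK_RULE = (500, "allow", "udp", "0.0.0.0", "0.0.0.0", ETHERTYPE_ARP)

def addr_in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def is_ether_rule(rule):
    _, _, proto, src, _, _ = rule
    return proto == "udp" and src == "0.0.0.0"

def rule_matches(rule, frame):
    """frame: dict with 'ethertype' and, for IP frames, 'proto', 'src', 'dst'."""
    _, _, proto, src, dst, sport = rule
    if frame["ethertype"] != ETHERTYPE_IP:
        # Non-IP frame: only the hack rules are considered (model assumption);
        # every ordinary "ip from any to any" rule is skipped.
        return is_ether_rule(rule) and sport == frame["ethertype"]
    if is_ether_rule(rule):
        return False
    if proto != "ip" and proto != frame["proto"]:
        return False
    return addr_in(frame["src"], src) and addr_in(frame["dst"], dst)

def first_match(rules, frame):
    """Return (rule number, action) of the first matching rule, 65535/deny if none."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if rule_matches(rule, frame):
            return rule[0], rule[1]
    return 65535, "deny"

# Constructed sample frames from the bridged Windows box.
ARP_REQUEST = {"ethertype": ETHERTYPE_ARP}
TCP_SYN = {"ethertype": ETHERTYPE_IP, "proto": "tcp", "src": "200.202.17.6", "dst": "10.0.0.1"}

if __name__ == "__main__":
    print(first_match(RULES, ARP_REQUEST))                    # (65535, 'deny'): ARP never resolves
    print(first_match(RULES, TCP_SYN))                        # (65000, 'allow'): IP itself is fine
    print(first_match(RULES + [ARP_HACK_RULE], ARP_REQUEST))  # (500, 'allow')
```

The first two results reproduce the symptom: IP traffic is allowed, but the ARP needed for a new connection is dropped by the default rule, so only hosts already in the ARP cache remain reachable.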