Date:      Thu, 10 Dec 1998 13:00:43 +0100 (MET)
From:      Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To:        camposr@MATRIX.COM.BR (Rodrigo Campos)
Cc:        net@FreeBSD.ORG
Subject:   Re: strange problems with ipfw and bridge
Message-ID:  <199812101200.NAA21247@labinfo.iet.unipi.it>
In-Reply-To: <Pine.BSF.4.02.9812101039400.20217-100000@speed.matrix.com.br> from "Rodrigo Campos" at Dec 10, 98 11:00:19 am

[crossposted to -net because it is relevant there]

> The bridge works just fine, but when I try to enable the packet filtering
> of bridged packets with 'sysctl -w net.link.ether.bridge_ipfw=1' the
> windows box cannot make any new connections. I'm using the following
> firewall rules:
> 
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 01000 pipe 10 ip from any to 200.202.17.6
> 65000 allow ip from any to any
> 65535 deny ip from any to any
...
> There are some interesting details...
> 
> Once I make any network connection to a machine from the windows box
> (ping, ftp, telnet, etc...), the windows box can reconnect to this machine
> after enabling the bridge_ipfw, only new connections cannot be
> established, seems just as if the windows box couldn't find the 'way
> out' for new connections. In the inverse direction the problem is exactly

Correct diagnosis. When the bridge passes a packet to the ipfw code and
the packet finds no matching rule, the default rule (65535) is used.
This is what happens e.g. for ARP and explains why you observe the
above.

I should really implement support in IPFW for non-ip traffic matching.
In the meantime there is a hack in ip_fw.c:

                    /*
                     * temporary hack:
                     *   udp from 0.0.0.0 means this rule applies.
                     *   1 src port is match ether type
                     *   2 src ports (interval) is match ether type
                     *   3 src ports is match ether address
                     */

but the code only implements the first one and
I don't think I have ever tested this...

You could try this and see if/how it works (or if it needs fixes etc.)

> p.s.: I'm having problems accessing your home page in the last few hours,
> anyway I'd like to know if you allow me to mirror it at Brazil so it would
> be faster for the freebsd community in south america to read all that
> documentation.

sure -- but actually the "bridge" and "dummynet" manpages
are supposed to contain everything you should need to know (and if
you or someone has suggestions for changes, integration, etc.
please send me a patch).

	cheers
	luigi
-----------------------------+--------------------------------------
Luigi Rizzo                  |  Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it    |  Universita' di Pisa
tel: +39-50-568533           |  via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522           |  http://www.iet.unipi.it/~luigi/
_____________________________|______________________________________
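The failure mode Luigi describes, modeled in Python as an added example (it is not code from FreeBSD's ip_fw.c or from either poster): a bridge hands raw Ethernet frames to a first-match rule list, IP rules can only match frames that carry an IPv4 header, so a broadcast ARP request falls through `allow ip from any to any` to the hard-wired 65535 deny, while a TCP SYN to a host whose MAC is already cached is allowed. The frames are constructed inline, rule 00100 (`via lo0`) is left out because bridged frames never cross lo0, and the `ethertype` match plus rule number 300 are my own way of representing an explicit layer-2 allow rule, not the syntax of the hack in ip_fw.c.

```python
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Frame:
    ethertype: int
    src_ip: ipaddress.IPv4Address | None = None
    dst_ip: ipaddress.IPv4Address | None = None


def parse_frame(raw: bytes) -> Frame:
    """Read the EtherType; fill in src/dst addresses only for IPv4 frames."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    frame = Frame(ethertype)
    if ethertype == ETHERTYPE_IP:
        if len(raw) < 34:
            raise ValueError("truncated IPv4 header")
        frame.src_ip = ipaddress.IPv4Address(raw[26:30])
        frame.dst_ip = ipaddress.IPv4Address(raw[30:34])
    return frame


@dataclass
class Rule:
    number: int
    action: str                       # "allow", "deny" or "pipe N"
    src: ipaddress.IPv4Network = ANY  # only consulted by IP rules
    dst: ipaddress.IPv4Network = ANY
    ethertype: int | None = None      # set for a layer-2 (EtherType) rule (my modeling)

    def matches(self, f: Frame) -> bool:
        if self.ethertype is not None:
            return f.ethertype == self.ethertype
        # "ip from any to any" never matches a non-IP frame: ARP carries no IP
        # header to compare, so it falls through to the default rule.
        if f.ethertype != ETHERTYPE_IP:
            return False
        return f.src_ip in self.src and f.dst_ip in self.dst


def ipfw_check(rules: list[Rule], frame: Frame) -> tuple[int, str]:
    """First matching rule wins; 65535 deny is the hard-wired default."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(frame):
            return rule.number, rule.action
    return 65535, "deny"


# Rule set from the original post (00100 'via lo0' omitted, see lead-in).
POSTED_RULES = [
    Rule(200, "deny", dst=ipaddress.IPv4Network("127.0.0.0/8")),
    Rule(1000, "pipe 10", dst=ipaddress.IPv4Network("200.202.17.6/32")),
    Rule(65000, "allow"),
    Rule(65535, "deny"),
]

# Hypothetical fix: an explicit layer-2 allow for ARP, numbered 300 (my choice).
FIXED_RULES = [Rule(300, "allow", ethertype=ETHERTYPE_ARP)] + POSTED_RULES


def build_arp_request(sender_ip: str, target_ip: str) -> bytes:
    """Constructed broadcast ARP request: who-has target_ip tell sender_ip."""
    sender_mac = bytes.fromhex("001122334455")
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IP, 6, 4, 1,
                      sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def build_tcp_syn(src_ip: str, dst_ip: str, dport: int) -> bytes:
    """Constructed IPv4/TCP SYN; checksums left zero since the filter ignores them."""
    eth = (bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455")
           + struct.pack("!H", ETHERTYPE_IP))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", 1025, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    arp = parse_frame(build_arp_request("10.0.0.5", "10.0.0.1"))
    syn = parse_frame(build_tcp_syn("10.0.0.5", "10.0.0.1", 80))
    print("ARP, posted rules:", ipfw_check(POSTED_RULES, arp))  # (65535, 'deny')
    print("SYN, posted rules:", ipfw_check(POSTED_RULES, syn))  # (65000, 'allow')
    print("ARP, fixed rules: ", ipfw_check(FIXED_RULES, arp))   # (300, 'allow')
```

The point the model makes explicit is that a trailing `allow ip from any to any` is not a catch-all once a bridge feeds layer-2 frames into the filter: anything without an IP header (ARP here) lands on the default deny, which is exactly why hosts with a warm ARP cache keep working and new neighbours cannot be resolved.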

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199812101200.NAA21247>