Date:      Thu, 14 Sep 2006 16:20:10 +1200
From:      Andrew Thompson <thompsa@freebsd.org>
To:        Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Bridge
Message-ID:  <20060914042010.GA35371@heff.fud.org.nz>
In-Reply-To: <45084BBD.7090903@ide.resurscentrum.se>
References:  <45084BBD.7090903@ide.resurscentrum.se>

On Wed, Sep 13, 2006 at 08:19:41PM +0200, Jon Otterholm wrote:
> Hi.
> 
> According to man if_bridge one could filter L2-traffic with ipfw:
> 
> From man if_bridge:
>     ARP and REVARP packets are forwarded without being filtered and others
>     that are not IP nor IPv6 packets are not forwarded when pfil_onlyip is
>     enabled.  IPFW can filter Ethernet types using mac-type so all packets
>     are passed to the filter for processing.
> 
> ARP is still forwarded though I have the following config:
> 
> I have the following sysctl set:
> 
> net.link.bridge.ipfw: 1
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.pfil_onlyip: 1
> 
> ipfw list:
> 
> 65533 deny ip from any to any MAC any any
> 65534 deny ip from any to any layer2
> 65535 deny ip from any to any

The check for ARP happens before the ipfw layer2 code so it isn't
currently possible to filter them.

     switch (ether_type) {
     case ETHERTYPE_ARP:
     case ETHERTYPE_REVARP:
             return (0); /* Automatically pass */


You are the second person in so many days to ask this; is it something
that should be changed?


Andrew
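The ordering Andrew describes (the ethertype switch runs before any ipfw layer2 hook, so a deny-all rule set never sees ARP) can be reproduced with a small user-space model. The following C program is an added illustration written for this archive page; it is not the if_bridge.c code, and the names bridge_pfil_model, verdict_for_type and the deny-all stand-in for ipfw are hypothetical. It parses the ethertype out of constructed 14-byte Ethernet headers and applies the decision order the thread and the man page excerpt describe: ARP/REVARP pass automatically, IP and IPv6 reach the filter, and anything else is dropped while pfil_onlyip is set.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Ethertype values as used by the kernel headers. */
#define ETHERTYPE_IP     0x0800
#define ETHERTYPE_ARP    0x0806
#define ETHERTYPE_REVARP 0x8035
#define ETHERTYPE_IPV6   0x86DD
#define ETHER_HDR_LEN    14

enum verdict { PASS = 0, DROP = 1 };

/* The two sysctls that matter for this model (hypothetical struct, not the kernel's). */
struct bridge_cfg {
    int ipfw;        /* net.link.bridge.ipfw */
    int pfil_onlyip; /* net.link.bridge.pfil_onlyip */
};

typedef enum verdict (*filter_fn)(const uint8_t *frame, size_t len);

/* Stand-in for the ipfw layer2 rule set from the thread: "deny ip from any to any layer2". */
static enum verdict deny_all_ipfw(const uint8_t *frame, size_t len)
{
    (void)frame; (void)len;
    return DROP;
}

/* Read the 16-bit big-endian ethertype at offset 12 of an untagged Ethernet header. */
static int ether_type_of(const uint8_t *frame, size_t len, uint16_t *type)
{
    if (frame == NULL || len < ETHER_HDR_LEN)
        return -1;
    *type = (uint16_t)((frame[12] << 8) | frame[13]);
    return 0;
}

/* Model of the decision order described in the thread: the ethertype switch is
 * evaluated before the ipfw hook, so ARP/REVARP return PASS without ipfw ever running. */
enum verdict bridge_pfil_model(const struct bridge_cfg *cfg, filter_fn ipfw,
                               const uint8_t *frame, size_t len)
{
    uint16_t ether_type;

    if (ether_type_of(frame, len, &ether_type) != 0)
        return DROP; /* runt frame: nothing sensible to forward */

    switch (ether_type) {
    case ETHERTYPE_ARP:
    case ETHERTYPE_REVARP:
        return PASS; /* Automatically pass (ipfw is never consulted) */
    case ETHERTYPE_IP:
    case ETHERTYPE_IPV6:
        break;       /* IP traffic goes on to the filter */
    default:
        if (cfg->pfil_onlyip)
            return DROP; /* non-IP frames are not forwarded with pfil_onlyip=1 */
        break;
    }

    if (cfg->ipfw && ipfw != NULL)
        return ipfw(frame, len);
    return PASS;
}

/* Build a constructed frame: dummy dst/src MACs followed by the requested ethertype. */
static size_t make_frame(uint8_t *buf, size_t cap, uint16_t ether_type)
{
    if (cap < ETHER_HDR_LEN)
        return 0;
    memset(buf, 0, ETHER_HDR_LEN);
    memset(buf, 0xff, 6);             /* broadcast destination, as ARP requests use */
    buf[6] = 0x02; buf[11] = 0x01;    /* locally administered source address */
    buf[12] = (uint8_t)(ether_type >> 8);
    buf[13] = (uint8_t)(ether_type & 0xff);
    return ETHER_HDR_LEN;
}

/* Verdict for one ethertype under the thread's configuration (ipfw=1) with the
 * deny-all rule set, for a given pfil_onlyip setting. */
enum verdict verdict_for_type(uint16_t ether_type, int pfil_onlyip)
{
    uint8_t frame[ETHER_HDR_LEN];
    struct bridge_cfg cfg = { 1, pfil_onlyip };
    size_t len = make_frame(frame, sizeof frame, ether_type);
    return bridge_pfil_model(&cfg, deny_all_ipfw, frame, len);
}

int main(void)
{
    static const struct { const char *name; uint16_t type; } kinds[] = {
        { "ARP",    ETHERTYPE_ARP },  { "REVARP", ETHERTYPE_REVARP },
        { "IPv4",   ETHERTYPE_IP },   { "IPv6",   ETHERTYPE_IPV6 },
        { "0x88CC", 0x88CC },         /* constructed non-IP ethertype */
    };
    for (size_t i = 0; i < sizeof kinds / sizeof kinds[0]; i++)
        printf("%-7s pfil_onlyip=1: %s\n", kinds[i].name,
               verdict_for_type(kinds[i].type, 1) == PASS ? "PASS" : "DROP");
    return 0;
}
```

Running it shows the behaviour Jon observed: every IP frame is dropped by the deny-all rules while ARP and REVARP still cross the bridge, because the switch returns before the ipfw hook is reached. Reordering those two steps in the model (consulting ipfw first) is the change Andrew is asking whether people want.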



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060914042010.GA35371>