From owner-freebsd-net@FreeBSD.ORG Thu May 5 14:03:00 2005
Date: Thu, 5 May 2005 16:02:51 +0200
From: Jose M Rodriguez
To: Josef Karthauser
cc: current@FreeBSD.org
cc: net@FreeBSD.org
Subject: Re: ipfw broken with bridge under 5.x (5.3 and 5.4)
Message-ID: <20050505140251.GA81260@antares.redesjm.local>
In-Reply-To: <20050504171851.GB1863@genius.tao.org.uk>
References: <20050502200413.GB46745@genius.tao.org.uk> <20050502202122.GC46745@genius.tao.org.uk> <20050504142425.GB710@genius.pact.cpes.susx.ac.uk> <1115226802.49427.16.camel@buffy.york.ac.uk> <20050504171851.GB1863@genius.tao.org.uk>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Mutt/1.4.2.1i

On Wed, May 04, 2005 at 06:18:51PM +0100, Josef Karthauser wrote:
> On Wed, May 04, 2005 at 06:13:22PM +0100, Gavin Atkinson wrote:
> > I believe I am seeing similar problems to you, though uptime for me is
> > generally measurable in days rather than minutes. I've found that
> > adding an explicit "allow all from any to any" and then removing it
> > again seems to get it working. I will test your solution when mine
> > fails again.
>
> It appears that the solution is obtained by adding the rule:
>
>   allow ip from any to any layer2 mac-type arp
>
> to the beginning of the firewall list. IPFW2 drops non-IP traffic
> whereas IPFW1 passes it through. This is the reason why my configuration
> stopped working after the upgrade.
>

Which points me to the ip <-> all problem that we must solve in ipfw2:
"ip from any to any" matches all traffic, not only ip. So this must be
deprecated and "all" used instead. Also, this must be taken into account
when pretty-printing is done.

Apart from this, I still have problems with ipfw and rules without a body:

- skipto 30000
+ skipto 30000 all from any to any

-- 
josemi
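As an added example (not part of this thread or of ipfw itself), a small Python check over "ipfw list" style output for the two issues raised above: a bridging ruleset that never explicitly allows ARP at layer2 before a deny rule can drop it, and rules that carry no "from ... to ..." body. The sample ruleset is constructed for the example.

```python
import re

# Constructed sample in "ipfw list" format (not from the mail): a body-less
# skipto and no layer2 rule passing ARP, which IPFW2 then drops.
SAMPLE_RULESET = """\
00100 allow ip from any to any via lo0
00200 skipto 30000
00300 allow tcp from any to any 22 in
65000 deny ip from any to any
65535 deny ip from any to any
"""
# Same ruleset with the fix proposed in the thread placed first.
FIXED_RULESET = ("00050 allow ip from any to any layer2 mac-type arp\n"
                 + SAMPLE_RULESET)

RULE_RE = re.compile(r"^(\d+)\s+(\w+)(?:\s+(.*))?$")
ALLOW = {"allow", "pass", "accept", "permit"}
DENY = {"deny", "drop", "reject", "unreach"}

def parse_rules(text):
    """Return (number, action, rest) tuples; 'rest' may be empty."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable rule: %r" % line)
        num, action, rest = m.groups()
        rules.append((int(num), action, rest or ""))
    return rules

def bodyless_rules(rules):
    """Numbers of rules lacking a 'from ... to ...' body, e.g. 'skipto 30000'."""
    return [num for num, _, rest in rules if "from" not in rest.split()]

def arp_allowed_at_layer2(rules):
    """True if an allow rule for 'layer2 mac-type arp' precedes the first
    deny-family rule (simplification: any deny is assumed to reach ARP)."""
    for _, action, rest in rules:
        tokens = rest.split()
        if action in ALLOW and "layer2" in tokens and "mac-type" in tokens:
            i = tokens.index("mac-type")
            if tokens[i + 1:i + 2] == ["arp"]:
                return True
        if action in DENY:
            return False
    return False

if __name__ == "__main__":
    print(bodyless_rules(parse_rules(SAMPLE_RULESET)))      # [200]
    print(arp_allowed_at_layer2(parse_rules(FIXED_RULESET)))  # True
```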