Date: Thu, 9 Feb 2006 09:46:34 -0800 (PST) From: Dave McCammon <davemac11@yahoo.com> To: questions@freebsd.org Subject: ipfw and if_bridge Message-ID: <20060209174634.30269.qmail@web32809.mail.mud.yahoo.com>
Hello all.

I had my firewall crash using releng_6 (SATA corruption/failure of some sort) and during the rebuild I decided to move to ipfw + if_bridge instead of using ipfw + bridge(4), since bridge(4) is becoming obsolete. Anyway, I had some problems getting the ruleset to work. I've cut the ruleset down to the pertinent parts to show what I am seeing.

I have a system with 2 cards, em0 and em1, being used as a filtering bridge. em0 faces the router and em1 faces the internal LAN.

network = 10.1.1.0/24
em0 address = (has none)
em1 address = 10.1.1.17
some internal LAN machine = 10.1.1.12

--begin ruleset-----
-f flush
add 100 pass layer2 mac-type arp
add 200 check state
add 300 deny log tcp from any to any established in via em0
add 400 allow icmp from any to 10.1.1.0/24 icmptypes 0,3,11,12,13,14
add 500 pass tcp from 10.1.1.17 to any setup keep-state
add 600 pass udp from 10.1.1.17 to any keep-state
add 700 pass ip from 10.1.1.17 to any
add 800 deny log ip from 10.1.1.0/24 to any in via em0
add 900 pass tcp from 10.1.1.0/24 to any in via em1 setup keep-state
add 1000 pass udp from 10.1.1.0/24 to any in via em1 keep-state
add 1100 pass ip from 10.1.1.0/24 to any in via em1
add 1200 deny log ip from any to any
----end ruleset-----

Sysctl variables:
net.link.bridge.pfil_member=1
net.link.bridge.ipfw=1

rc.conf entries:
ifconfig_em1="inet 10.1.1.17 netmask 255.255.255.0"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"
firewall_enable="YES"
firewall_type="/etc/firewall/ipfw.conf"

With bridge(4) I could ping from an inside machine (10.1.1.12) to the router or any other out-of-LAN address. After moving to if_bridge I would get this in the logs after the same ping attempt:

1200 Deny ICMP:8.0 10.1.1.12 to (router ip address) out via em0

TCP outbound connections work. After changing the rulesets from "in via" to "recv", ICMP now works.
(ex: add 1100 pass ip from 10.1.1.0/24 to any recv em1)

This blocking of the ICMP packet out via em0, even though the ruleset says to allow it because it came in via em1, doesn't seem to be correct behavior to me. The TCP/UDP rulesets work even though there are intermittent pop-ups in the logs saying the connections were blocked out via em0.

Any enlightenment on this is appreciated.
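Why the egress pass misses `in via em1` can be seen by modelling the two filter passes a bridged frame makes. The Python below is an added example, not part of the original post and not ipfw's own code: with net.link.bridge.pfil_member=1 a forwarded frame is handed to ipfw once inbound on the member it arrived on and once outbound on the member it leaves by, and the interface semantics are taken from ipfw(8), where `via` matches either interface, `recv` matches the receive interface on either pass and `xmit` matches the transmit interface on the outbound pass only. Only the options present in the four rules it parses are modelled (no keep-state, layer2 or established); the out-of-LAN destination 192.0.2.1 and the spoofed source 10.1.1.99 are constructed sample values.

```python
"""Model of ipfw interface matching for a frame forwarded by if_bridge(4).

Added example, not ipfw code. Semantics per ipfw(8): `via` matches either
interface, `recv` the receive interface (checked on both passes), `xmit` the
transmit interface (only known on the egress pass). Only the options used in
the embedded rules are modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass
class Packet:
    proto: str                  # "icmp", "tcp" or "udp"
    src: str
    dst: str
    direction: str              # "in" on the ingress pass, "out" on the egress pass
    recv: str                   # member interface the frame arrived on
    xmit: Optional[str]         # member interface it leaves by (None on ingress)
    icmptype: Optional[int] = None


@dataclass
class Rule:
    num: int
    action: str                 # "pass"/"allow" or "deny"
    proto: str
    src: str
    dst: str
    direction: Optional[str] = None   # "in", "out" or None (either)
    iface_kw: Optional[str] = None    # "via", "recv" or "xmit"
    iface: Optional[str] = None
    icmptypes: Optional[List[int]] = None


def parse_rule(line: str) -> Rule:
    """Parse: add N action [log] proto from A to B [in|out] [via|recv|xmit IF] [icmptypes L]."""
    tok = line.split()
    if tok[0] != "add":
        raise ValueError(f"not a rule: {line!r}")
    num, action, i = int(tok[1]), tok[2], 3
    if tok[i] == "log":
        i += 1
    if tok[i + 1] != "from" or tok[i + 3] != "to":
        raise ValueError(f"rule {num}: expected 'proto from A to B'")
    rule = Rule(num, action, tok[i], tok[i + 2], tok[i + 4])
    i += 5
    while i < len(tok):
        t = tok[i]
        if t in ("in", "out"):
            rule.direction, i = t, i + 1
        elif t in ("via", "recv", "xmit"):
            rule.iface_kw, rule.iface, i = t, tok[i + 1], i + 2
        elif t == "icmptypes":
            rule.icmptypes, i = [int(x) for x in tok[i + 1].split(",")], i + 2
        else:
            raise ValueError(f"rule {num}: option {t!r} not modelled")
    return rule


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)):
        return False
    if rule.icmptypes is not None and pkt.icmptype not in rule.icmptypes:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface_kw == "via":      # either interface, on either pass
        return rule.iface in (pkt.recv, pkt.xmit)
    if rule.iface_kw == "recv":     # receive interface, still known on the egress pass
        return rule.iface == pkt.recv
    if rule.iface_kw == "xmit":     # transmit interface, only set on the egress pass
        return rule.iface == pkt.xmit
    return True


def evaluate(ruleset: str, pkt_in: Packet, out_if: str) -> List[Tuple[str, int, str]]:
    """Run the ingress and egress passes; return (pass, rule, action) per pass, stopping on deny."""
    rules = [parse_rule(l) for l in ruleset.strip().splitlines()]
    egress = Packet(pkt_in.proto, pkt_in.src, pkt_in.dst, "out", pkt_in.recv, out_if, pkt_in.icmptype)
    verdicts = []
    for pkt in (pkt_in, egress):
        hit = next((r for r in rules if rule_matches(r, pkt)), None)
        if hit is None:
            raise LookupError("ruleset has no catch-all rule")
        verdicts.append((pkt.direction, hit.num, hit.action))
        if hit.action == "deny":
            break
    return verdicts


# The IP-layer rules from the post that an outbound LAN ping reaches, as posted ("in via")
# and after the poster's change to "recv".
POSTED = """
add 400 allow icmp from any to 10.1.1.0/24 icmptypes 0,3,11,12,13,14
add 800 deny log ip from 10.1.1.0/24 to any in via em0
add 1100 pass ip from 10.1.1.0/24 to any in via em1
add 1200 deny log ip from any to any
"""
FIXED = POSTED.replace("in via em0", "recv em0").replace("in via em1", "recv em1")


def lan_ping() -> Packet:
    # Constructed: echo request from the inside host to an out-of-LAN address, arriving on em1.
    return Packet("icmp", "10.1.1.12", "192.0.2.1", "in", "em1", None, icmptype=8)


def spoofed_from_router_side() -> Packet:
    # Constructed: frame with a LAN source address arriving on the router-facing em0.
    return Packet("tcp", "10.1.1.99", "10.1.1.12", "in", "em0", None)


if __name__ == "__main__":
    print("posted, ping :", evaluate(POSTED, lan_ping(), "em0"))   # egress pass hits 1200 deny
    print("recv,   ping :", evaluate(FIXED, lan_ping(), "em0"))    # egress pass hits 1100 pass
    print("posted, spoof:", evaluate(POSTED, spoofed_from_router_side(), "em1"))
    print("recv,   spoof:", evaluate(FIXED, spoofed_from_router_side(), "em1"))
```

The model shows the mechanism behind the logged `1200 Deny ... out via em0`: on the egress pass the packet's direction is `out`, so every `in via em1` rule is skipped, but the receive interface is still em1, so `recv em1` keeps matching. The anti-spoof rule 800 still fires on the ingress pass after the change, since `recv em0` is true for anything that arrived on em0.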