From: Alin-Adrian Anton <aanton@spintech.ro>
Date: Thu, 23 Jun 2005 01:29:00 +0300
To: freebsd-questions@freebsd.org
Subject: ipfw2 filtering on bridge
Message-ID: <42B9E62C.7000204@spintech.ro>

Hi there,

I've been running into some problems with what is supposed to be a filtering bridge with IPFW, on FreeBSD 5.4-REL0. IPFW has been compiled into the kernel:

    options BRIDGE
    options IPFIREWALL
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPDIVERT

along with the bridging capability. No other firewalling mechanisms are enabled.

The bridge is configured and working:

    net.link.ether.bridge.enable=1
    net.link.ether.bridge.config=fxp0,vr0
    net.link.ether.bridge_ipfw=1

fxp0 is Internet; vr0 is a server with an external IP, called EXT_IP.

I tried blocking with a trivial ruleset:

    00100 0 0 deny icmp from any to any
    65535 8518 584248 allow ip from any to any

However, pinging through the bridge, from the Internet, works without fear:

    64 bytes from EXT_IP: icmp_seq=0 ttl=233 time=85.994 ms
    64 bytes from EXT_IP: icmp_seq=1 ttl=233 time=96.220 ms

If anyone could help me a bit, I'd be really thankful. Thanks for the time.

Yours Sincerely,
--
Alin-Adrian Anton
GPG keyID 0x183087BA (B129 E8F4 7B34 15A9 0785 2F7C 5823 ABA0 1830 87BA)
gpg --keyserver pgp.mit.edu --recv-keys 0x183087BA
"It is dangerous to be right when the government is wrong." - Voltaire
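One way to read the ruleset quoted in the post, as an added example that is not part of the original message: the script parses `ipfw show` lines (constructed here from the post's own two rules), finds the rule that ought to match an inbound ICMP packet, and compares that with the per-rule packet counters, which already record which rule the pings actually hit. The packet addresses are constructed placeholders standing in for the Internet host and EXT_IP.

```python
"""Compare what an ipfw ruleset should do with what its counters say it did."""
import re

# Constructed from the two rules quoted in the post, in `ipfw show` layout:
# rule-number packets bytes action proto from src to dst
IPFW_SHOW = """\
00100 0 0 deny icmp from any to any
65535 8518 584248 allow ip from any to any
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<action>allow|accept|pass|deny|drop)\s+(?P<proto>\S+)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)

def parse_rules(text):
    """Turn `ipfw show` output into dicts; counters become ints."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            for key in ("num", "pkts", "bytes"):
                rule[key] = int(rule[key])
            rules.append(rule)
    return rules

def _matches(rule, pkt):
    # Only the subset of ipfw syntax used in the post: proto, "any" or exact address.
    proto_ok = rule["proto"] in ("ip", "all", pkt["proto"])
    src_ok = rule["src"] in ("any", pkt["src"])
    dst_ok = rule["dst"] in ("any", pkt["dst"])
    return proto_ok and src_ok and dst_ok

def first_match(rules, pkt):
    """ipfw is first-match: return the lowest-numbered rule that matches pkt."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if _matches(rule, pkt):
            return rule
    return None

def diagnose(text, pkt):
    """Report whether the rule that should match pkt has actually seen traffic."""
    rules = parse_rules(text)
    hit = first_match(rules, pkt)
    if hit is None:
        return "no rule matches"
    others_counted = any(r["pkts"] > 0 for r in rules if r is not hit)
    if hit["pkts"] == 0 and others_counted:
        return f"rule {hit['num']} should match but has 0 hits: this traffic never reached it"
    return f"rule {hit['num']} ({hit['action']}) matches and has {hit['pkts']} hits"
```

Run against the post's counters, the ICMP case reports that rule 100 has zero hits while rule 65535 is counting, i.e. the pings were never evaluated against the deny rule on the path they took.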