From: Gavin Atkinson
Date: Sat, 7 May 2005 13:16:01 +0100 (BST)
To: Josef Karthauser
cc: current@FreeBSD.org, net@FreeBSD.org
Subject: Re: ipfw broken with bridge under 5.x (5.3 and 5.4)
Message-ID: <20050507131437.C72452@ury.york.ac.uk>
In-Reply-To: <20050504171851.GB1863@genius.tao.org.uk>
References: <20050502200413.GB46745@genius.tao.org.uk> <20050504142425.GB710@genius.pact.cpes.susx.ac.uk> <20050504171851.GB1863@genius.tao.org.uk>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, 4 May 2005, Josef Karthauser wrote:

> On Wed, May 04, 2005 at 06:13:22PM +0100, Gavin Atkinson wrote:
>>
>> I believe I am seeing similar problems to you, though uptime for me is
>> generally measurable in days rather than minutes. I've found that
>> adding an explicit "allow all from any to any" and then removing it
>> again seems to get it working. I will test your solution when mine
>> fails again.
>
> It appears that the solution is obtained by adding the rule:
>
> allow ip from any to any layer2 mac-type arp
>
> to the beginning of the firewall list. IPFW2 drops non-IP traffic
> whereas IPFW1 passes it through. This is the reason why my configuration
> stopped working after the upgrade.

Ah-ha! This also seems to have fixed it for me. There are a few bits of
documentation which should probably be updated with this; I'll submit a
patch in a day or two.

Gavin
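An added check, not part of the thread above: given the text of `ipfw list`, this POSIX shell function confirms that an allow rule passing ARP at layer 2 appears before any deny rule, which is the ordering the fix depends on since IPFW2 otherwise drops the non-IP frames a bridge needs. The rule sets, rule numbers and the function name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): lint a saved `ipfw list` dump for the
# bridged-ARP problem. IPFW2 walks rules in number order and drops non-IP
# layer-2 frames unless a rule passes them, so an explicit
# "allow ip from any to any layer2 mac-type arp" must precede every deny.

# Constructed sample of `ipfw list` output: the working ordering.
GOOD_RULES='00100 allow ip from any to any layer2 mac-type arp
00200 allow ip from any to any via lo0
00300 deny ip from any to 127.0.0.0/8
65535 deny ip from any to any'

# Constructed sample where the ARP rule was added after a deny: still broken,
# because the deny at 00100 is reached first for ARP frames.
BAD_RULES='00100 deny ip from any to 127.0.0.0/8
00200 allow ip from any to any layer2 mac-type arp
65535 deny ip from any to any'

# check_arp_rule RULESET
# Returns 0 when an "allow ... layer2 mac-type arp" rule precedes every deny
# rule in RULESET (the text of `ipfw list`), 1 otherwise.
check_arp_rule() {
    printf '%s\n' "$1" | awk '
        # $1 is the rule number, $2 the action; the rest is the match spec.
        $2 == "allow" && /layer2/ && /mac-type arp/ { found = 1 }
        # A deny seen before the ARP allow means ARP is already blocked.
        $2 == "deny" && !found { exit 1 }
        END { exit found ? 0 : 1 }
    '
}

# Stand-alone usage: replace $GOOD_RULES with "$(ipfw list)" on a real host.
check_arp_rule "$GOOD_RULES" && echo "ARP allow rule precedes all deny rules"
```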