From owner-freebsd-questions@FreeBSD.ORG Fri Aug 12 05:01:06 2005
Message-Id: <6.1.0.6.2.20050811215936.06352aa0@cobalt.antimatter.net>
Date: Thu, 11 Aug 2005 22:02:00 -0700
From: Glenn Dawson
To: "Dan Mahoney, System Admin", questions@freebsd.org
In-Reply-To: <20050812000355.H30784@prime.gushi.org>
References: <20050812000355.H30784@prime.gushi.org>
Subject: Re: 5.4 -- bridging, ipfw, dot1q

At 09:08 PM 8/11/2005, Dan Mahoney, System Admin wrote:

>Okay, here's the situation. PLEASE let me know if there's a better place
>to ask. (isp@, kernel@, something)
>
>I'm setting up a bridging firewall where the packets are passing through
>on dot1q trunks.
>
>The bridge works. Packet counts work (so I assume the bridge at least
>sees the packets).
>
>Problem is, any "reasonable" rules (such as those which actually say to
>block traffic by ip or port or anything) aren't working at all. Not even
>logging counts.
>
>Setting the "bridged" flag doesn't seem to help.

Which "bridged" flag would that be?

>My only guess is that ipfw doesn't have the brains to look beyond the VLAN
>tags. Is this the case? Is this supported under 4.x, or is there any way
>AT ALL that I can get this to work?

What version are you using? You mention 4.x here, but your subject line
suggests 5.4.

>As a note, snort and trafshow and everything else work fine analyzing the
>bridge traffic; it seems only the kernel has an issue.

Do you have the net.link.ether.bridge_ipfw sysctl set to 1?

-Glenn

>--
>
>"Of course she's gonna be upset! You're dealing with a woman here Dan,
>what the hell's wrong with you?"
>
>-S. Kennedy, 11/11/01
>
>--------Dan Mahoney--------
>Techie, Sysadmin, WebGeek
>Gushi on efnet/undernet IRC
>ICQ: 13735144 AIM: LarpGM
>Site: http://www.gushi.org
>---------------------------