Date: Fri, 12 Aug 2005 01:21:07 -0400 (EDT)
From: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
To: Glenn Dawson <glenn@antimatter.net>
Cc: questions@freebsd.org
Subject: Re: 5.4 -- bridging, ipfw, dot1q
Message-ID: <20050812010911.A61674@prime.gushi.org>
In-Reply-To: <6.1.0.6.2.20050811215936.06352aa0@cobalt.antimatter.net>
References: <20050812000355.H30784@prime.gushi.org> <6.1.0.6.2.20050811215936.06352aa0@cobalt.antimatter.net>
On Thu, 11 Aug 2005, Glenn Dawson wrote:

> At 09:08 PM 8/11/2005, Dan Mahoney, System Admin wrote:
>> Okay, here's the situation. PLEASE let me know if there's a better place
>> to ask. (isp@, kernel@, something)
>>
>> I'm setting up a bridging firewall where the packets are passing through on
>> dot1q trunks.
>>
>> The bridge works. Packet counts work (so I assume the bridge at least sees
>> the packets).
>>
>> Problem is, any "reasonable" rules (such as those which actually say to
>> block traffic by ip or port or anything) aren't working at all. Not even
>> logging counts.
>>
>> Setting the "bridged" flag doesn't seem to help.
>
> Which "bridged" flag would that be?

In the ipfw rule in question (which the ipfw command turns into layer2), i.e.

fw# ipfw add 310 count ip from any to 56.199.242.178 bridged
00310 count ip from any to 56.199.242.178 layer2

fw# ipfw show
00200            0             0 deny udp from any to any dst-port 1433
00300          971         47200 deny tcp from any to any dst-port 1433
00310            0             0 count ip from any to 56.199.242.178 layer2
00330    144629234   70747652177 count ip from any to any layer2
00340            0             0 count ip from any to 56.199.242.82 layer2
00350      1146497     505249814 count ip from any to 55.125.224.0/19 via em1
00360    154009046   73153382415 allow log logamount 100 ip from any to any
65535   1078777549  484619628567 allow ip from any to any

(such a rule would report zero traffic, even when trafshow, snort, tcpdump
all show there's a ton).

>> My only guess is that ipfw doesn't have the brains to look beyond the VLAN
>> tags. Is this the case? Is this supported under 4.x, or is there any way
>> AT ALL that I can get this to work?
>
> What version are you using? You mention 4.x here, but your subject line
> suggests 5.4.

Yes, I'm running 5.4, but asking if it may have been supported earlier on in
the OS (with ipfw1 -- since I know it lacks the ability to even really do
many mac-like things).
>> As a note, snort and trafshow and everything else work fine analyzing the
>> bridge traffic, it seems only the kernel has an issue.
>
> Do you have the net.link.ether.bridge_ipfw sysctl set to 1?

fw# sysctl -a|grep net|grep ipfw
net.link.ether.bridge.ipfw: 1
net.link.ether.bridge.ipfw_drop: 0
net.link.ether.bridge.ipfw_collisions: 1021
net.link.ether.bridge_ipfw: 1
net.link.ether.ipfw: 0

Need anything else?

-Dan

--
"The first annual 5th of July party...have you been invited?"
"It's a Jack Party."
"Okay, so Long Island's been invited."

--Cali and Gushi, 6/23/02

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
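Added example, not part of the thread or of ipfw itself: a small parser over the `ipfw show` output Dan posted above (embedded here as constructed sample input) that flags the symptom he describes, layer2 rules matching a specific host reporting zero packets while the any-to-any layer2 counter on the same ruleset is busy. The `Rule` class and the "stale" heuristic are this example's own names; the heuristic only surfaces the discrepancy, it does not diagnose its cause.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the `ipfw show` output quoted in the message above.
IPFW_SHOW = """\
00200            0             0 deny udp from any to any dst-port 1433
00300          971         47200 deny tcp from any to any dst-port 1433
00310            0             0 count ip from any to 56.199.242.178 layer2
00330    144629234   70747652177 count ip from any to any layer2
00340            0             0 count ip from any to 56.199.242.82 layer2
00350      1146497     505249814 count ip from any to 55.125.224.0/19 via em1
00360    154009046   73153382415 allow log logamount 100 ip from any to any
65535   1078777549  484619628567 allow ip from any to any
"""

# `ipfw show` prints: rule number, packet count, byte count, rule body.
RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.*)$")

@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    body: str

    @property
    def is_layer2(self) -> bool:
        # ipfw rewrites the `bridged` keyword to a trailing `layer2`.
        return self.body.split()[-1] == "layer2"

    @property
    def is_catch_all(self) -> bool:
        return " from any to any" in self.body

def parse_ipfw_show(text: str) -> list[Rule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules

def stale_layer2_rules(rules: list[Rule]) -> list[int]:
    """Numbers of host-specific layer2 rules that saw no packets while an
    any-to-any layer2 counter in the same ruleset did see traffic."""
    l2 = [r for r in rules if r.is_layer2]
    if not any(r.is_catch_all and r.packets > 0 for r in l2):
        return []  # no evidence the bridge path is feeding ipfw at all
    return [r.number for r in l2 if not r.is_catch_all and r.packets == 0]
```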