From: Alin-Adrian Anton
Date: Thu, 23 Jun 2005 17:34:45 +0300
To: Ben
Cc: freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: ipfw2 filtering on bridge
Message-ID: <42BAC885.3030901@spintech.ro>
References: <42B9E62C.7000204@spintech.ro> <42BA0DE9.4040809@thegeekzone.com>
In-Reply-To: <42BA0DE9.4040809@thegeekzone.com>

Ben wrote:
> I'm sorry, I can't send this to the list because my messages to the list
> bounce because reverse DNS isn't set up.
>

No worries, thanks a lot for answering.
> This is funny, I just set this up for the first time yesterday except I
> set everything up to have no IP addresses so that the firewall would be
> invisible to anyone. I think I see what is wrong with your setup...
>
> You've got to change net.link.ether.bridge_ipfw=1 to
> net.link.ether.bridge.ipfw=1 in /etc/sysctl.conf. The handbook
> (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html)
> says that net.link.ether.bridge_ipfw=1 was updated in 5.2-RELEASE.
>

net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,fxp1
net.link.ether.bridge_ipfw=1

# sysctl net.link.ether.bridge.ipfw=1
net.link.ether.bridge.ipfw: 1 -> 1
#
# ipfw add deny icmp from any to any
00100 deny icmp from any to any
#
# ipfw show
00100 0 0 deny icmp from any to any
65535 931748 651891769 allow ip from any to any
#

PING EXT_IP_BEHIND_BRIDGE: 56 data bytes
64 bytes from EXT_IP_BEHIND_BRIDGE: icmp_seq=0 ttl=233 time=74.399 ms
64 bytes from EXT_IP_BEHIND_BRIDGE: icmp_seq=1 ttl=233 time=106.194 ms

Seems not to be working :(

Yours,

-- 
Alin-Adrian Anton
GPG keyID 0x183087BA (B129 E8F4 7B34 15A9 0785 2F7C 5823 ABA0 1830 87BA)
gpg --keyserver pgp.mit.edu --recv-keys 0x183087BA

"It is dangerous to be right when the government is wrong." - Voltaire
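The two checks the thread turns on, written up as an added example (not code from either poster): whether /etc/sysctl.conf uses the pre-5.2 name net.link.ether.bridge_ipfw instead of net.link.ether.bridge.ipfw, and whether a deny rule's packet counter in `ipfw show` output ever moves. Both samples below are constructed from the lines quoted in this message, so the script runs offline with plain sh, grep and awk; it does not call sysctl or ipfw itself.

```sh
#!/bin/sh
# Added example, not from the original thread. Checks a sysctl.conf fragment for
# the bridge-filtering knobs discussed above and reads per-rule packet counters
# from `ipfw show` output.

# Constructed sample: the three lines from the poster's sysctl.conf (old name).
SAMPLE_SYSCTL_CONF='net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,fxp1
net.link.ether.bridge_ipfw=1'

# Constructed sample with the name the handbook gives for 5.2-RELEASE and later.
FIXED_SYSCTL_CONF='net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,fxp1
net.link.ether.bridge.ipfw=1'

# Constructed sample of `ipfw show` output: rule 100 has matched zero packets.
SAMPLE_IPFW_SHOW='00100 0 0 deny icmp from any to any
65535 931748 651891769 allow ip from any to any'

# check_bridge_conf CONF_TEXT
# Prints one line per problem found and returns 0 only when the fragment
# enables the bridge and uses net.link.ether.bridge.ipfw=1 (the 5.2+ name).
check_bridge_conf() {
    conf="$1"
    status=0
    if ! printf '%s\n' "$conf" | grep -q '^net\.link\.ether\.bridge\.enable=1$'; then
        echo "net.link.ether.bridge.enable=1 missing: bridging is off"
        status=1
    fi
    if printf '%s\n' "$conf" | grep -q '^net\.link\.ether\.bridge_ipfw='; then
        echo "net.link.ether.bridge_ipfw is the pre-5.2 name; use net.link.ether.bridge.ipfw"
        status=1
    fi
    if ! printf '%s\n' "$conf" | grep -q '^net\.link\.ether\.bridge\.ipfw=1$'; then
        echo "net.link.ether.bridge.ipfw=1 missing: bridged frames bypass ipfw"
        status=1
    fi
    return $status
}

# rule_packets SHOW_TEXT RULE_NUMBER
# Prints the packet counter (second column of `ipfw show`) for one rule number.
rule_packets() {
    printf '%s\n' "$1" | awk -v rule="$2" '$1 == rule { print $2; exit }'
}

# Stand-alone run: report on the constructed samples.
check_bridge_conf "$SAMPLE_SYSCTL_CONF" || echo "sample sysctl.conf needs attention"
check_bridge_conf "$FIXED_SYSCTL_CONF" && echo "fixed sysctl.conf looks consistent"
echo "rule 100 packets: $(rule_packets "$SAMPLE_IPFW_SHOW" 100)"
```

Reading the counter is the useful part: a deny rule whose packet column stays at 0 while pings through the bridge keep succeeding means the bridged frames never reached ipfw at all, which points at the sysctl knob rather than at the rule set.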