From owner-freebsd-stable@FreeBSD.ORG Sat Jul 7 08:39:28 2007
Date: Sat, 7 Jul 2007 18:25:51 +1000 (EST)
From: Ian Smith
To: Dave McCammon
Cc: stable@freebsd.org
Subject: Re: ipfw with if_bridge oddity
In-Reply-To: <868934.77972.qm@web32811.mail.mud.yahoo.com>
List-Id: Production branch of FreeBSD source code

On Fri, 6 Jul 2007, Dave McCammon wrote:

> I can't seem to grasp why this is working differently.
> FreeBSD 6.2 using ipfw + if_bridge
>
> LAN -- em1(if_bridge + ipfw)em0 -- internet
>
> I am at xx.xx.16.6 and try to ping say www.yahoo.com
>
> in ruleset:
> 1100 allow icmp from any to xx.xx.16.0/27{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
> 2100 allow ip from xx.xx.16.0/27 to any in via em1

Seeing no one more knowledgeable has had a go, and with the caveat that
I've never set up an if_bridge(4) but still maintain a bridge(4)+ipfw ..

Rule 2100 lets your ping in, and 1100 allows the response (in and out)

> gets dropped by following rule as shown in logs:
>
> 4700 deny log ip from any to any
>
> Log entry: ipfw: 4700 Deny ICMP:8.0 xx.xx.16.6 69.147.114.210 out via em0

Denied because you have no rule letting it go out, it seems.

> If I add this rule all works great:
>
> 2101 allow icmp from xx.xx.16.0/27 to any recv em1

Which allows it both in and out (neither specified)

> Why would the "recv em1" work and the "in via em1" get blocked?
>
> I just changed from using bridge(4) to if_bridge using the same ruleset.

Only inbound bridged packets are passed to ipfw from bridge(4) .. once
allowed in, they go out. My reading of if_bridge(4) suggests that ipfw
(etc) may also be examining outbound bridged packets, depending on the
sysctls. How have you got the sysctls mentioned in if_bridge(4) set?

> The rest of my ruleset seems to be working fine but this problem is causing me a little paranoia
> about the effectiveness of the firewall.
>
> Also, should I still be seeing "deny (snip) in via bridge0" messages in my logs
> if I have this set "net.link.bridge.pfil_bridge: 0"?

Dunno.

Cheers, Ian
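The difference between "in via em1" and "recv em1" that the thread turns on can be worked through with a small model of how ipfw(8) evaluates direction and interface clauses. This is an added example, not code from the thread or from FreeBSD. It follows the ipfw(8) description of the keywords (in/out select the direction; recv tests the receive interface and can be checked on either direction; xmit tests the transmit interface and only exists for outgoing packets; via tests the transmit interface for an outgoing packet and the receive interface otherwise), and it assumes that a bridged packet keeps its receive interface (em1) while ipfw sees it leave the other member (em0), which is what lets "recv em1" match on the outbound pass. The prefix 192.0.2.0/27 and the log line are constructed stand-ins for the obfuscated xx.xx.16.0/27 and the quoted log entry; the address-list form of rule 1100 (/27{1-10,...}) is simplified to the whole /27.

```python
"""Toy model of ipfw(8) first-match evaluation for direction/interface clauses.

Added example, not from the original mail or from FreeBSD. Keyword semantics
follow ipfw(8); 192.0.2.0/27 is a constructed stand-in for xx.xx.16.0/27.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    direction: str                   # "in" (arriving) or "out" (leaving)
    rcvif: str                       # interface the packet arrived on; assumed to be
                                     # retained while a bridged packet leaves via em0
    oif: Optional[str] = None        # interface the packet leaves on (outgoing only)
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # CIDR prefix or "any"
    dst: str
    direction: Optional[str] = None  # "in", "out" or None (either)
    iface_kw: Optional[str] = None   # "via", "recv", "xmit" or None
    iface: Optional[str] = None
    icmptypes: Optional[FrozenSet[int]] = None


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _iface_match(rule: Rule, pkt: Packet) -> bool:
    if rule.iface_kw is None:
        return True
    if rule.iface_kw == "recv":      # receive interface, testable on both directions
        return pkt.rcvif == rule.iface
    if rule.iface_kw == "xmit":      # transmit interface, outgoing packets only
        return pkt.oif == rule.iface
    # "via": transmit interface when leaving, receive interface when arriving
    return (pkt.oif or pkt.rcvif) == rule.iface


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.icmptypes is not None and pkt.icmp_type not in rule.icmptypes:
        return False
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and _iface_match(rule, pkt))


def first_match(rules, pkt: Packet) -> Optional[Rule]:
    """ipfw is first-match: the lowest-numbered matching rule decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule
    return None


# 'ipfw: <rule> <Action> <PROTO>[:type.code] <src> <dst> <in|out> via <ifname>'
# ICMP/IP entries only; TCP/UDP entries carry src:port dst:port and are not parsed.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)(?::(?P<type>\d+)\.\d+)? "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dir>in|out) via (?P<if>\S+)")


def packet_from_log(line: str, rcvif: str) -> Packet:
    """Rebuild the packet an ipfw log line describes. The log only names the
    'via' interface, so the caller supplies the receive interface of an
    outgoing bridged packet (assumed here to be the other bridge member)."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("unrecognised ipfw log line: " + line)
    outgoing = m["dir"] == "out"
    return Packet(proto=m["proto"].lower(), src=m["src"], dst=m["dst"],
                  direction=m["dir"],
                  rcvif=rcvif if outgoing else m["if"],
                  oif=m["if"] if outgoing else None,
                  icmp_type=int(m["type"]) if m["type"] else None)


LAN = "192.0.2.0/27"   # constructed stand-in for the obfuscated xx.xx.16.0/27
RULES = [
    Rule(1100, "allow", "icmp", "any", LAN, icmptypes=frozenset({0, 3, 11, 12, 13, 14})),
    Rule(2100, "allow", "ip", LAN, "any", direction="in", iface_kw="via", iface="em1"),
    Rule(4700, "deny", "ip", "any", "any"),
]
RULE_2101 = Rule(2101, "allow", "icmp", LAN, "any", iface_kw="recv", iface="em1")

# constructed log line in the same shape as the one quoted in the thread
LOG_LINE = "ipfw: 4700 Deny ICMP:8.0 192.0.2.6 69.147.114.210 out via em0"


def echo_request_out() -> Packet:
    """The echo request on its second, outbound pass through ipfw (oif em0)."""
    return packet_from_log(LOG_LINE, rcvif="em1")


if __name__ == "__main__":
    pkt = echo_request_out()
    print("outbound pass, original ruleset:", first_match(RULES, pkt).number)
    print("outbound pass, with 2101 added:", first_match(RULES + [RULE_2101], pkt).number)
```

Running it reproduces the log: on the outbound pass the echo request has oif em0, so "in via em1" fails twice over (the direction is out, and via tests em0), rule 1100 skips it because type 8 is not in its icmptypes list, and 4700 denies it. Adding 2101 changes the outcome because recv looks at the receive interface, which is still em1, and the rule names no direction; the same rule also matches on the inbound pass, which is the "both in and out" Ian points out, so when auditing such a ruleset treat a direction-less recv rule as permitting LAN-sourced ICMP on both passes rather than as an outbound-only exception.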