From owner-freebsd-current Thu Sep 28 7:40:36 2000
Delivered-To: freebsd-current@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id E46D737B422 for ; Thu, 28 Sep 2000 07:40:15 -0700 (PDT)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id C81CD1C5C; Thu, 28 Sep 2000 10:40:14 -0400 (EDT)
Date: Thu, 28 Sep 2000 10:40:14 -0400
From: Bill Fumerola
To: Julian Elischer
Cc: "Boyd R. Faulkner", "Peter S. Housel", freebsd-current@FreeBSD.ORG
Subject: Re: Network bridge on current.
Message-ID: <20000928104014.W34501@jade.chc-chimes.com>
References: <20000928022230.A967@simon.catburg.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from julian@elischer.org on Thu, Sep 28, 2000 at 12:38:40AM -0700
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Sep 28, 2000 at 12:38:40AM -0700, Julian Elischer wrote:

> I am not sure about Luigi's bridging code. I know the dummynet stuff
> seems to connect with the ipfw code but I don't think that the
> bridge code does... (I may be wrong) So I don't know how you plan on
> filtering the bridged segments..

You are wrong, but we'll forgive you. :->

from bridge(4):

     net.link.ether.bridge_ipfw
             Set to 1 to enable ipfw filtering on bridged packets. Note that
             ipfw rules only apply to IP packets.

from ipfw(8):

     Each incoming or outgoing packet is passed through the ipfw rules. If
     host is acting as a gateway, packets forwarded by the gateway are
     processed by ipfw twice. In case a host is acting as a bridge, packets
     forwarded by the bridge are processed by ipfw once.

the 'bridged' keyword can be used to match only bridged packets, so:

    ipfw add allow tcp from any to any 22 setup bridged
    ipfw add allow tcp from any 22 to any established bridged

would allow ssh over a bridge, but in the absence of other rules, wouldn't
allow it to the actual machine (or if the machine is also a router(?!) it
wouldn't route ssh sessions either.)

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message