From: Lev Serebryakov <lev@FreeBSD.org> (FreeBSD Project)
Date: Wed, 29 Aug 2012 22:31:25 +0400
To: Michael Sierchio
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw, "ip|all" proto and PPPoE -- does PPPoE packets passed to ipfw?
Message-ID: <1807373989.20120829223125@serebryakov.spb.ru>
References: <1865271844.20120829131610@serebryakov.spb.ru>
List-Id: Networking and TCP/IP with FreeBSD

Hello, Michael.
You wrote on 29 August 2012, 19:01:08:

>> I have an interface (vr1), most of the traffic on which is PPPoE. I have an ipfw
>> firewall, which splits traffic by interface via:
>>
>> add 2000 skipto 5000 all from any to any via em0
>> add 2010 skipto 7000 all from any to any via wlan0
>> add 2020 skipto 11000 all from any to any via vr1
>> add 2030 skipto 13000 all from any to any via ng0
>> add 2040 skipto 15000 ipv6 from any to any via gif0
>> add 2999 deny all from any to any
>> ...
>> And later here are some basic checks, nat, "check-state" and some
>> stateful rules.

MS> Consider separating traffic not only by interface but also direction

It is done in rules 1000 and 1010: 2xxx is for incoming, 3xxx for outgoing. It is only a sample.

MS> ip from any to any in recv vr0
MS> and outgoing
MS> ip from any to any out xmit vr0

Yep, I'll collapse my two-rule chains into one rule.

>> Do PPPoE packets match rule 2020, and other rules like "nat 1 ip
>> from any to any"?

MS> Yes, and it seems that that is not what you want. The packets will be
MS> seen first by the firewall, then passed to whatever is handling PPPoE

But there is no rule for it, and the default policy is "deny"... But it works.

MS> on the local box, then re-injected into the IP stack, etc. for
MS> processing by firewall rules again.

MS> Is there a pppX pseudo-interface?

ng0, as I'm using mpd5, not system ppp.

-- 
// Black Lion AKA Lev Serebryakov
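To see why Michael's "in recv" / "out xmit" suggestion matters, here is an added example (not from the thread or from ipfw itself): a small Python model of the skipto chain quoted above. It implements only the subset of ipfw semantics those rules use (via / in recv / out xmit, "all" vs "ipv6", skipto, deny, allow); the per-interface chains at 5000..15000 are constructed stand-ins that simply allow, and the default rule is assumed to be deny.

```python
# Rule tuple: (number, action, skipto_target, proto, match_kind, iface)
#   proto:      "all" matches any family, "ipv6" only IPv6
#   match_kind: "via" = either recv or xmit iface, "in" = recv iface on
#               incoming packets, "out" = xmit iface on outgoing, "any" = all
RULES = [
    (2000, "skipto", 5000,  "all",  "via", "em0"),
    (2010, "skipto", 7000,  "all",  "via", "wlan0"),
    (2020, "skipto", 11000, "all",  "via", "vr1"),
    (2030, "skipto", 13000, "all",  "via", "ng0"),
    (2040, "skipto", 15000, "ipv6", "via", "gif0"),
    (2999, "deny",   None,  "all",  "any", None),
]
# Constructed stand-ins for the per-interface chains the post does not show.
RULES += [(n, "allow", None, "all", "any", None)
          for n in (5000, 7000, 11000, 13000, 15000)]


def _matches(rule, pkt):
    _, _, _, proto, kind, iface = rule
    if proto == "ipv6" and pkt["family"] != "ipv6":
        return False
    if kind == "any":
        return True
    if kind == "via":                      # "via" ignores direction
        return iface in (pkt.get("recv"), pkt.get("xmit"))
    if kind == "in":
        return pkt["dir"] == "in" and pkt.get("recv") == iface
    if kind == "out":
        return pkt["dir"] == "out" and pkt.get("xmit") == iface
    return False


def evaluate(pkt, rules=RULES):
    """Walk the ruleset like ipfw: first match wins; skipto continues at the
    first rule numbered >= its target.  Returns (action, matching rule number);
    (\"deny\", None) stands for the assumed default-deny rule 65535."""
    rules = sorted(rules, key=lambda r: r[0])
    i = 0
    while i < len(rules):
        rule = rules[i]
        if _matches(rule, pkt):
            if rule[1] != "skipto":
                return rule[1], rule[0]
            later = [j for j, r in enumerate(rules) if r[0] >= rule[2]]
            if not later:
                break                      # skipto past the last rule
            i = later[0]
            continue
        i += 1
    return "deny", None
```

Tracing a forwarded packet (received on em0, transmitted on vr1) shows that "via" sends it down em0's chain, never vr1's, which is exactly the ambiguity a per-direction "in recv"/"out xmit" split removes; an IPv4 packet on gif0 falls through rule 2040 to the catch-all deny.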