From: Buuyo <buuyou@gmail.com>
To: freebsd-questions@freebsd.org
Date: Sat, 10 Jul 2004 04:47:02 -0600
Subject: ipfw and matching bridged packets with both 'xmit' and 'recv'

Hello.

I have a functioning bridge set up between rl0 and rl2 on a machine running FreeBSD 4.9, and I'd like to count TCP connections initiated from the clients on the rl2 side to hosts on the rl0 side, but not from the machine functioning as a bridge.

I set the sysctl values net.link.ether.ipfw and net.link.ether.bridge_ipfw to 1, and I envisioned this ipfw command:

    ipfw add 1 count tcp from any to any out recv rl2 xmit rl0 bridged setup

and, as expected, ended up with this:

    root@bwca$ ipfw show
    00001         0           0 count tcp from any to any out recv rl2 xmit rl0 layer2 setup
    60000 130074716 89026633533 allow ip from any to any
    65535       252       21461 deny ip from any to any

From a client on the rl2 side of the bridge, I established a TCP connection to a host on the rl0 side, but an "ipfw show 1" revealed that the counter hadn't been incremented. What am I missing?

I understand, based on my interpretation of the "recv | xmit | via {ifX | if* | ipno | any}" section of the ipfw manual page, that you can have recv and xmit both in the same rule provided that it's outbound. What can I do to get my desired functionality?

Thanks. I'm sorry, but I'm not subscribed to the freebsd-questions list. Could you please send a carbon copy of your message to this email address?
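The check the poster performed by hand (read the counters in "ipfw show", generate traffic, read them again, see which rule moved) is worth automating when debugging rule placement, because it shows not only that rule 1 stayed at zero but which later rule actually absorbed the packets. The following Python is an added example written for this page; it is not code from the original post or from FreeBSD. It parses the "ipfw show" column layout quoted above (rule number, packet count, byte count, rule body) and diffs two snapshots. The "before" snapshot is the output quoted in the post; the "after" snapshot is constructed, with the counters on rule 60000 advanced to stand in for the test connection. Note that ipfw printed the "bridged" keyword back as "layer2", exactly as the post shows, so the parser treats the rule body as opaque text rather than trying to re-parse it.

```python
"""Diff two snapshots of `ipfw show` output and report which rules counted
packets in between.  Added example for this page, not code from the post."""
import re
from typing import Dict, List, Tuple

# `ipfw show` rows: <rule number> <packet count> <byte count> <rule body>
IPFW_SHOW_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")


def parse_ipfw_show(text: str) -> Dict[int, Tuple[int, int, str]]:
    """Parse `ipfw show` output into {rule_number: (packets, bytes, body)}."""
    rules: Dict[int, Tuple[int, int, str]] = {}
    for line in text.splitlines():
        m = IPFW_SHOW_LINE.match(line)
        if not m:
            continue  # skip the shell prompt, blank lines, anything not a rule row
        num, pkts, byts, body = m.groups()
        rules[int(num)] = (int(pkts), int(byts), body)
    return rules


def rules_that_counted(before: str, after: str) -> List[Tuple[int, int, int, str]]:
    """Return (rule, packet delta, byte delta, body) for every rule whose
    counters advanced between the two snapshots, in rule-number order."""
    b = parse_ipfw_show(before)
    a = parse_ipfw_show(after)
    hits = []
    for num in sorted(a):
        pkts_a, bytes_a, body = a[num]
        # A rule added between snapshots has no "before" row; treat it as zero.
        pkts_b, bytes_b, _ = b.get(num, (0, 0, body))
        if pkts_a != pkts_b or bytes_a != bytes_b:
            hits.append((num, pkts_a - pkts_b, bytes_a - bytes_b, body))
    return hits


def rule_was_hit(before: str, after: str, rule_number: int) -> bool:
    """True if the named rule's counters advanced between the snapshots."""
    return any(num == rule_number for num, _, _, _ in rules_that_counted(before, after))


# Snapshot 1: the `ipfw show` output quoted in the post (rule 1 at zero).
BEFORE = """\
root@bwca$ ipfw show
00001         0           0 count tcp from any to any out recv rl2 xmit rl0 layer2 setup
60000 130074716 89026633533 allow ip from any to any
65535       252       21461 deny ip from any to any
"""

# Snapshot 2: constructed.  Rule 1 still reads zero; the default allow rule
# has picked up the test connection (12 packets, 888 bytes, invented values).
AFTER = """\
root@bwca$ ipfw show
00001         0           0 count tcp from any to any out recv rl2 xmit rl0 layer2 setup
60000 130074728 89026634421 allow ip from any to any
65535       252       21461 deny ip from any to any
"""

if __name__ == "__main__":
    for num, dp, db, body in rules_that_counted(BEFORE, AFTER):
        print(f"rule {num:05d}: +{dp} packets, +{db} bytes  ({body})")
    if not rule_was_hit(BEFORE, AFTER, 1):
        print("rule 00001 did not match any of the generated traffic")
```

In practice the two snapshots come from running "ipfw show" before and after the test connection (or "ipfw zero" first, then one "ipfw show" afterwards); a rule whose delta stays at zero while a later rule's delta equals the expected packet count is the signature of a rule body that never matched, which is what the post reports for rule 1.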