From: Ian Smith
To: Jack Barber
Cc: ipfw@freebsd.org
Date: Sat, 4 Oct 2014 17:50:48 +1000 (EST)
Subject: Re: trouble with ipfw on FreeBSD 10
Message-ID: <20141004172254.G56328@sola.nimnet.asn.au>
In-Reply-To: <20141001153412.R48482@sola.nimnet.asn.au>

On Wed, 1 Oct 2014 15:54:57 +1000, Ian Smith wrote:
> On Tue, 30 Sep 2014 18:54:29 -0400, Jack Barber wrote:
> > On 09/30/2014 01:29 AM, Ian Smith wrote:
> > > On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote:
> > > > We are having trouble getting ipfw to work over a bridged interface.
> > > >
> > > > for example:
> > > >
> > > > machine 1 -> Bridged interface FreeBSD 10 -> machine 2.
> > > >
> > > > machine 1 - 192.168.20.20
> > > > machine 2 - 192.168.20.25
> > > >
> > > > now I set something like this in /etc/ipfw.rules:
> > > >
> > > > $IPFWcmd add deny all from 192.168.20.20/24 to any
> > > > $IPFWcmd add deny all from any to 192.168.20.20/24
> > > >
> > > > where both machine 1 and machine 2 are on said subnet and already work.
> > >
> > > Please confirm that these two are only connected via two interfaces on
> > > the bridge/ipfw box, with no switch involved? And that these rules,
> > > once working, should deny traffic between ANY hosts in this /24 subnet?
> > >
> > > > when I reload the rules, I am unable to stop a connection between
> > > > machine 1 and machine 2.
> > > >
> > > > I've already made sure that ipfw is running (loaded), and the rules
> > > > appear to take, and even show up with "ipfw show".
> > > >
> > > > # ipfw show
> > > > ...
> > > > 01700 0 0 deny ip from 192.168.20.0/24 to any
> > > > 01800 0 0 deny ip from any to 192.168.20.0/24
> > > > 65535 9227 11389032 allow ip from any to any
> > > >
> > > > However, there is no effect on data travelling over the pipe at all.
> > > >
> > > > This setup was confirmed many times to work with FreeBSD 9.2, but it
> > > > does not work on 10. Any help is appreciated.
> > >
> > > What values are set for these sysctls?
> > >
> > > net.link.ether.ipfw: 0
> > > Controls whether layer-2 packets are passed to ipfw. Default is no.
> > >
> > > net.link.bridge.ipfw: 0
> > > Controls whether bridged packets are passed to ipfw. Default is no.
> > >
> > > cheers, Ian
> >
> > on 192.168.20.0/24 the network was set up solely as a test network. It is
> > comprised of two load-generating machines on either side (192.168.20.20
> > and 192.168.20.25), and a FreeBSD 10 machine in the middle which has a
> > double headed fibre nic bridged to connect both machines through the
> > FreeBSD 10 machine.
> >
> > # sysctl net.link.bridge.ipfw
> > net.link.bridge.ipfw: 1
> >
> > # sysctl net.link.ether.ipfw
> > net.link.ether.ipfw: 0
> >
> > furthermore, I am unable to find a good guide or reference material to
> > sysctl options.
>
> Jack, I'm posting this back to the list. I haven't set up a filtering
> bridge since about 2005, and that was with the old bridge(?) on FreeBSD
> 4.8 and 4.10, rather than if_bridge(4). I really can't recall whether
> net.link.ether.ipfw also needed to be set.
>
> Since 'bridged' is a synonym for 'layer2', I'm not clear from ipfw(8)
> either .. nor from if_bridge(4), especially regarding use of the
> net.link.bridge.pfil_* sysctls - but some people here will know ..

They will know, but that doesn't mean that they'll say :)

I dug up the old filtering bridge setup, used from 2003-2009, and things
were rather different with the old bridge(4); here's its sysctl.conf:

net.link.ether.bridge_cfg=rl0,vr0
net.link.ether.bridge=1
net.link.ether.bridge_ipfw=1

Also, in those days, you could only filter bridged packets on the way in;
once passed inbound they were never passed to ipfw again .. I don't know
if that's still the case with if_bridge(4), but I assume not (?)

However looking at ipfw(8) PACKET FLOW, it seems likely that you'd need
to also set net.link.ether.ipfw=1 to pass bridged / layer2 packets to
ipfw. You might see if that helps?

You could also add something like the rules at the end of that section
to check inbound/outbound packet flow at both layer2 and layer3, even if
just with 'count' rules.

I don't disagree that documentation of this aspect is, er, thin.

cheers, Ian
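An added example, not part of Ian's or Jack's messages: a small POSIX sh diagnostic for the situation above. It checks the two sysctls named in the thread, emits 'count' rules in the spirit of the ipfw(8) PACKET FLOW section so traffic can be seen at layer2 and layer3 in both directions, and reads the counters back from "ipfw show". The rule numbers 100 to 400 are my own choice, and the live ipfw/sysctl calls only run where ipfw exists.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose why bridged packets never
# reach ipfw. Two sysctls gate this (per ipfw(8)): net.link.bridge.ipfw for
# bridged packets and net.link.ether.ipfw for layer2 packets in general.
# Rule numbers 100-400 are my choice; the thread's deny rules were 1700/1800.

# check_bridge_ipfw <net.link.bridge.ipfw> <net.link.ether.ipfw>
# Prints "ok" when both are 1, otherwise lists the sysctl(s) still at 0.
check_bridge_ipfw() {
    missing=""
    [ "$1" = "1" ] || missing="$missing net.link.bridge.ipfw"
    [ "$2" = "1" ] || missing="$missing net.link.ether.ipfw"
    if [ -z "$missing" ]; then echo "ok"; else echo "set to 1:$missing"; fi
}

# Rules to hand to ipfw(8): 'layer2' matches frames passed to ipfw from the
# ethernet layer, 'not layer2' the same traffic on its layer3 pass.
count_rules() {
    cat <<'EOF'
add 100 count ip from any to any in layer2
add 200 count ip from any to any out layer2
add 300 count ip from any to any in not layer2
add 400 count ip from any to any out not layer2
EOF
}

# Read "ipfw show" output on stdin and print "<rule> <packets>" for the
# count rules above; zeros on 100/200 with hits on 300/400 point at the
# layer2 sysctls rather than at the rule set itself.
parse_counts() {
    awk '$4 == "count" && $1 + 0 >= 100 && $1 + 0 <= 400 { printf "%d %d\n", $1, $2 }'
}

# Only touch the live system when ipfw is actually present (FreeBSD).
if command -v ipfw >/dev/null 2>&1; then
    check_bridge_ipfw "$(sysctl -n net.link.bridge.ipfw)" "$(sysctl -n net.link.ether.ipfw)"
    # $rule is deliberately unquoted so each word becomes an ipfw argument
    count_rules | while read -r rule; do ipfw -q $rule; done
    ipfw show | parse_counts
fi
```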