Date:      Thu, 13 Dec 2001 10:25:15 -0600
From:      "John Brooks" <john@day-light.com>
To:        <freebsd-isp@freebsd.org>
Subject:   RE: Ipf & Bridging ???
Message-ID:  <000801c183f2$c1a317e0$1505010a@daylight.net>
In-Reply-To: <20011213160654.81416.qmail@web20108.mail.yahoo.com>

Did you reload the ruleset and flush out the old rules? The default
setting is to pass all.

ipf -Fa -f /path/to/rules/ipf.rules -E

Another thing to check would be if you enabled ipf with a kernel
recompile, it's not turned on in the default kernel.

Then check if you enabled ipf in /etc/rc.conf?

ipfilter_enable="YES"

Also remember that in ipf the LAST matching rule wins, so if your
blocking rule is at the end of the ruleset and you have a pass rule with
the "quick" keyword before it that matches, the packet will never reach
the blocking rule.

HTH

--
John Brooks
Email:  john@stlbsd.org
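As an added illustration (not part of this thread or of the ipf code), a small Python model of the matching semantics John describes: no matching rule means pass, the last matching rule wins, and a matching rule carrying "quick" stops evaluation at once. The rule syntax is a simplified subset of ipf's (action, in/out, quick, on <iface>, proto <name>).

```python
"""Simplified model of ipf rule evaluation (constructed example)."""


def parse_rule(line):
    """Parse a subset of ipf syntax: 'pass|block in|out [quick] [on IF] [proto P]'."""
    toks = line.split()
    rule = {"action": toks[0], "quick": "quick" in toks}
    for d in ("in", "out"):
        if d in toks:
            rule["dir"] = d
    for kw in ("on", "proto"):
        if kw in toks:
            rule[kw] = toks[toks.index(kw) + 1]
    return rule


def matches(rule, pkt):
    """A rule matches when every criterion it states agrees with the packet."""
    return all(pkt.get(k) == rule[k] for k in ("dir", "on", "proto") if k in rule)


def evaluate(rules, pkt):
    """Return (verdict, index of deciding rule) for a packet.

    With no match the default is 'pass'. Without 'quick', a later match
    overrides an earlier one (last match wins); 'quick' ends the walk.
    """
    verdict, decided_by = "pass", None
    for idx, rule in enumerate(parse_rule(r) for r in rules):
        if matches(rule, pkt):
            verdict, decided_by = rule["action"], idx
            if rule["quick"]:
                break
    return verdict, decided_by


# Constructed packets: inbound TCP and UDP arriving on rl0.
TCP_IN = {"dir": "in", "on": "rl0", "proto": "tcp"}
UDP_IN = {"dir": "in", "on": "rl0", "proto": "udp"}

# The scenario from the reply: a quick pass before a trailing block means
# the block is never reached for matching packets.
SHADOWED = ["pass in quick on rl0 proto tcp", "block in on rl0"]

if __name__ == "__main__":
    print(evaluate(["block in quick on rl0"], TCP_IN))  # ('block', 0)
    print(evaluate(SHADOWED, TCP_IN))                   # ('pass', 0)
    print(evaluate(SHADOWED, UDP_IN))                   # ('block', 1)
```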



-----Original Message-----
From: owner-freebsd-isp@FreeBSD.ORG
[mailto:owner-freebsd-isp@FreeBSD.ORG]On Behalf Of Fabrizio Ravazzini
Sent: Thursday, December 13, 2001 10:07 AM
To: freebsd-isp@freebsd.org
Subject: Ipf & Bridging ???


Hello all, I've done a bridge between Internet and my
DMZ:
        Internet
           |
           |
      Cisco Router
           |
           |
           |rl0
        FreeBSD 4.3
        Bridge
           |rl1
           |
          HUB----DMZ

The bridge works very well; for example, from the DMZ
the servers in it can "see" Internet, and from Internet
I can "see" the servers in the DMZ (public IPs).
The problem is with ipf.
If for example we put a simple rule in /etc/ipf.rules
like this:
block in quick on rl0

in order to block all the traffic going to the DMZ, it
happens that packets originating from Internet
bypass my bridge/firewall!
If you ping the bridge, for example, they are blocked,
but if you ping a machine in the DMZ it responds!
arghhh..
I tried to put the rules for the bridge found in the
IPFilter based firewalls howto but they didn't work.
Any idea?
Isn't ipfilter supported under FreeBSD?
Do I have to use ipfw?
Many thanks all
bye


