From: Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
To: freebsd-ipfw@freebsd.org
Date: Wed, 13 Sep 2006 16:58:31 +0200
Subject: Bridge
Message-ID: <45081C97.1040206@ide.resurscentrum.se>

Hi.

According to man if_bridge one could filter L2-traffic with ipfw. From man if_bridge:

    ARP and REVARP packets are forwarded without being filtered and others
    that are not IP nor IPv6 packets are not forwarded when pfil_onlyip is
    enabled. IPFW can filter Ethernet types using mac-type so all packets
    are passed to the filter for processing.

ARP is still forwarded though I have the following config.

I have the following sysctl set:

    net.link.bridge.ipfw: 1
    net.link.bridge.pfil_member: 1
    net.link.bridge.pfil_bridge: 1
    net.link.bridge.pfil_onlyip: 1

ipfw list:

    65533 deny ip from any to any MAC any any
    65534 deny ip from any to any layer2
    65535 deny ip from any to any

ifconfig:

    em0: flags=8943 mtu 1500
            options=b
            inet6 fe80::204:23ff:febd:2342%em0 prefixlen 64 scopeid 0x1
            ether 00:04:23:bd:23:42
            media: Ethernet autoselect (100baseTX )
            status: active
    em1: flags=8802 mtu 1500
            options=b
            ether 00:04:23:bd:23:43
            media: Ethernet autoselect
            status: no carrier
    plip0: flags=108810 mtu 1500
    lo0: flags=8049 mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
            inet 127.0.0.1 netmask 0xff000000
    vlan1000: flags=8843 mtu 1500
            inet6 fe80::204:23ff:febd:2342%vlan1000 prefixlen 64 scopeid 0x5
            inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
            ether 00:04:23:bd:23:42
            media: Ethernet autoselect (100baseTX )
            status: active
            vlan: 1000 parent interface: em0
    vlan1001: flags=8943 mtu 1500
            inet6 fe80::204:23ff:febd:2342%vlan1001 prefixlen 64 scopeid 0x6
            ether 00:04:23:bd:23:42
            media: Ethernet autoselect (100baseTX )
            status: active
            vlan: 1001 parent interface: em0
    vlan1002: flags=8943 mtu 1500
            inet6 fe80::204:23ff:febd:2342%vlan1002 prefixlen 64 scopeid 0x7
            ether 00:04:23:bd:23:42
            media: Ethernet autoselect (100baseTX )
            status: active
            vlan: 1002 parent interface: em0
    bridge0: flags=8043 mtu 1500
            ether ac:de:48:83:8d:c6
            priority 32768 hellotime 2 fwddelay 15 maxage 20
            member: vlan1002 flags=3
            member: vlan1001 flags=3
            member: vlan10 flags=3
    vlan10: flags=8943 mtu 1500
            inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
            inet6 fe80::204:23ff:febd:2342%vlan10 prefixlen 64 scopeid 0x9
            ether 00:04:23:bd:23:42
            media: Ethernet autoselect (100baseTX )
            status: active
            vlan: 10 parent interface: em0

ARP-broadcast can still travel between member IFs in bridge0. Have I missed something here?

Do I have to use bridge instead of if_bridge?

/Jon
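As an added example, not part of Jon's post and not FreeBSD's own documentation, the script below shows what a layer-2 ipfw policy on an if_bridge(4) looks like when ARP is meant to be filtered with mac-type. The member names vlan10, vlan1001 and vlan1002 are taken from the ifconfig output above; the policy itself (bridge IPv4/IPv6, allow ARP/RARP only via vlan10, drop every other Ethernet type) is an assumption chosen for illustration. Two things differ from the posted configuration: net.link.bridge.pfil_onlyip is set to 0, because the man page text quoted in the post says that with pfil_onlyip enabled ARP is forwarded without ever being filtered, and the script also tries to set net.link.bridge.ipfw_arp=1, a sysctl that later if_bridge(4) versions use to gate whether ARP is passed to ipfw at all; on a host without that sysctl the call simply fails and is ignored. The IPFW and SYSCTL variables exist only so the script can be dry-run with IPFW=echo SYSCTL=echo.

```shell
#!/bin/sh
# Added example, not from the original post. A layer-2 ipfw(8) policy for an
# if_bridge(4) whose members are vlan10, vlan1001 and vlan1002 (names from
# the ifconfig output in the post; the policy itself is assumed): IPv4/IPv6
# frames are bridged, ARP/RARP may cross the bridge only via vlan10, every
# other Ethernet type is dropped. Run as root on the bridge host, e.g.
# "sh bridge-policy.sh apply"; set IPFW=echo SYSCTL=echo to dry-run.

IPFW=${IPFW:-/sbin/ipfw}
SYSCTL=${SYSCTL:-/sbin/sysctl}

# Bridge sysctls. The post's net.link.bridge.pfil_onlyip=1 is the weak
# setting: per if_bridge(4), ARP is then forwarded unfiltered and other
# non-IP frames are discarded before ipfw sees them. pfil_onlyip=0 hands
# non-IP frames to ipfw so that mac-type rules can match them.
bridge_sysctls() {
    cat <<'EOF'
net.link.bridge.ipfw=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_onlyip=0
EOF
}

# Rule set. "layer2" restricts a rule to the Ethernet pass, so the chain can
# still carry ordinary IP rules; "ip" is ipfw's wildcard protocol, so
# "ip from any to any" also matches non-IP frames once combined with
# mac-type. "via vlan10" matches frames received on or sent out of that
# bridge member. Rule numbers are arbitrary. Rule 400 is the layer-3 pass:
# the real IP policy belongs there.
bridge_rules() {
    cat <<'EOF'
add 100 allow ip from any to any layer2 mac-type arp,rarp via vlan10
add 110 deny log ip from any to any layer2 mac-type arp,rarp
add 200 allow ip from any to any layer2 mac-type ip,ipv6
add 300 deny log ip from any to any layer2
add 400 allow ip from any to any
EOF
}

apply_bridge_policy() {
    bridge_sysctls | while read -r kv; do
        "$SYSCTL" "$kv"
    done
    # Newer if_bridge(4) versions gate ARP with net.link.bridge.ipfw_arp
    # (assumption: it may or may not exist on your host); when it is absent
    # the sysctl call fails harmlessly.
    "$SYSCTL" net.link.bridge.ipfw_arp=1 2>/dev/null || :
    # Word splitting of $rule is intended: each line is one ipfw command.
    bridge_rules | while read -r rule; do
        "$IPFW" -q $rule
    done
}

# Number of rules in the set that refer to ARP (two: allow on vlan10, deny).
arp_rule_count() {
    bridge_rules | grep -c 'mac-type arp'
}

if [ "${1:-}" = apply ]; then
    apply_bridge_policy
fi
```

Because ipfw sees a bridged frame once at layer 2 and, if it is IP destined to the host, again at layer 3, keeping the `layer2` keyword on every Ethernet rule avoids having rules 100 to 300 fire twice with different header views. Check the result with `ipfw -a list` while generating ARP between two members: the counter on rule 110 (and the log line, if logging is enabled) is the evidence that ARP is actually reaching the filter.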