From: "Cesar"
To: freebsd-ipfw@FreeBSD.ORG
Date: Tue, 21 Feb 2006 11:12:15 -0300
Subject: ipfw2 with mac filtering
List-Id: IPFW Technical Discussions

Hi,

I wanted to finish my firewall rules with a "deny all from any to any", but I can't do that while using MAC filtering at the same time. Let me explain.

Since I use the ipfw MAC filter, I have the sysctl variable "net.link.ether.ipfw: 1". My FreeBSD box has the IP 10.0.0.1 and my Windows box 10.0.0.2. An example of my rules:

    00001 0 0 allow ip from 10.0.0.2 MAC any 00:13:20:27:80:d6 any
    00002 0 0 allow ip from any to 10.0.0.2 MAC 00:13:20:27:80:d6 any
    65535 0 0 allow ip from any to any

This works fine; rules 1 and 2 get some matches when I ping the FreeBSD box from the Windows box. After this test, I added the rule "65534 0 0 deny ip from any to any". It still works, but after some time with no traffic from 10.0.0.2, FreeBSD appears to remove the ARP entry for that IP. If I do an "arp -a", I get:

    ? (10.0.0.1) at 00:08:54:29:ff:17 on xl0 [ethernet]

So I can't ping my FreeBSD box anymore because it doesn't accept my ARP packets. I tried logging the deny rule and I get some lines saying "Deny mac in". I tried to add another rule before the deny all, "ipfw add 100 allow mac any any", but this rule becomes "allow ip from any to any MAC any any", so I can't end my firewall rules with a "deny all from any to any".

Is this a problem? Is there any workaround for this? I haven't tried using a fixed ARP table, but I'd rather not do that if it isn't necessary.

Thanks
Cesar
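Added example, not part of Cesar's message or of the FreeBSD project: a ruleset for the setup described above that keeps a final deny and still lets ARP through. With net.link.ether.ipfw=1 every Ethernet frame is passed to ipfw at layer 2, and in ipfw2 the "ip" keyword means any protocol, so a closing "deny ip from any to any" also matches ARP frames, which is the "Deny mac in" in the log once the cached ARP entry for 10.0.0.2 has expired. An IP packet passes ipfw twice (layer 2 and layer 3) and MAC addresses are only available on the layer-2 pass, so the script matches the Windows box by MAC at layer 2 and by address at layer 3. It assumes interface xl0 and the hosts and MAC address from the post, and the ipfw(8) "layer2" and "mac-type" options (0x0806 is the ARP EtherType; ipfw also accepts the name "arp"). Rules are only loaded when APPLY=1 and /sbin/ipfw exists; otherwise they are echoed so the ruleset can be previewed before committing it on a remote box.

```shell
#!/bin/sh
# Example ipfw2 ruleset (not from the original post). Assumptions: xl0,
# FreeBSD 10.0.0.1, Windows 10.0.0.2 with MAC 00:13:20:27:80:d6, and
# sysctl net.link.ether.ipfw=1 so frames are filtered at layer 2 as well.

WIN_IP=10.0.0.2
WIN_MAC=00:13:20:27:80:d6
FBSD_IP=10.0.0.1
IF=xl0

# Preview by default; load for real only with APPLY=1 on a box that has ipfw.
fwcmd="echo ipfw"
if [ "${APPLY:-0}" = "1" ] && [ -x /sbin/ipfw ]; then
    fwcmd="/sbin/ipfw"
fi

load_rules() {
    $fwcmd -q flush

    # --- layer-2 pass (ether_demux / ether_output_frame) ---------------
    # ARP is not IP, so only a layer-2 rule can match it. "ip" here means
    # any protocol; the EtherType restricts the rule to ARP (0x0806),
    # in both directions, on xl0 only.
    $fwcmd add 100 allow ip from any to any layer2 mac-type 0x0806 via $IF

    # IP frames from the known Windows MAC in, and to it out.
    # MAC operand order is destination first, source second.
    $fwcmd add 200 allow ip from $WIN_IP to $FBSD_IP MAC any $WIN_MAC layer2 in via $IF
    $fwcmd add 210 allow ip from $FBSD_IP to $WIN_IP MAC $WIN_MAC any layer2 out via $IF

    # Any other frame is dropped before it reaches the IP stack.
    $fwcmd add 300 deny log ip from any to any layer2

    # --- layer-3 pass (ip_input / ip_output) ---------------------------
    # MAC options never match here, so the same hosts are matched by address.
    $fwcmd add 400 allow ip from $WIN_IP to $FBSD_IP in via $IF
    $fwcmd add 410 allow ip from $FBSD_IP to $WIN_IP out via $IF

    # Final deny, still in place; logging needs net.inet.ip.fw.verbose=1.
    $fwcmd add 65000 deny log ip from any to any
}

load_rules
```

Run it once without APPLY to read the rules it would install, then with APPLY=1 from a console (not over the network, since the flush briefly removes every rule) to load them. The poster's original rules 1 and 2 correspond to 200 and 210 above; the difference is the explicit ARP rule at 100 and the address-based rules at 400/410 for the second, layer-3 pass.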