Date: Sun, 30 Jun 2002 22:29:20 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: ???? ??????? <ilia@chel.skbkontur.ru>
Cc: questions@FreeBSD.ORG
Subject: Re: ipfw: broadcast thing
Message-ID: <20020630212920.GA42452@happy-idiot-talk.infracaninophi>
In-Reply-To: <20020630234304.F1147-100000@sol.chel.skbkontur.ru>
References: <20020630234304.F1147-100000@sol.chel.skbkontur.ru>
On Sun, Jun 30, 2002 at 11:48:56PM +0600, ???? ??????? wrote:
> Dear Sirs,
>
> for example, rl0 and rl1 are local (non-Internet) interfaces.
>
> (I'm going to switch to stateful rules soon, but for now I've configured
> stateless firewall):
>
> ipfw add 100 allow ip from me to any
> ipfw add 200 allow ip from any to me via rl0
> ipfw add 200 allow ip from any to me via rl1
>
> that's simple, that's good, I even like it:)
> but such configuration doesn't pass broadcast packets:
>
> Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520
> 255.255.255.255:520 in via rl1
> Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.100.28:138
> 192.168.100.255:138 in via rl0
> Jun 30 23:43:14 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520
> 255.255.255.255:520 in via rl1
> Jun 30 23:43:45 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520
> 255.255.255.255:520 in via rl1
>
>
> can anybody help me with "allow"ing broadcast traffic ??

If you know what the IP address is on each of your interfaces, it is more
efficient to quote it explicitly in your IPFW rulesets. You can also
change the filter to take account of the local network number and
netmask, which will allow broadcast packets as well:

ipfw add 100 allow ip from 192.168.100.28 to any
ipfw add 150 allow ip from 192.168.200.3 to any
ipfw add 200 allow ip from any to 192.168.100.0/24 via rl0
ipfw add 250 allow ip from any to 192.168.200.0/24 via rl1

The fact that you're getting RIP broadcasts to 255.255.255.255 on your
rl1 interface is almost definitely an error, probably due to a
misconfigured netmask on your router.

Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
Tel: +44 1628 476614 Marlow
Fax: +44 0870 0522645 Bucks., SL7 1TH UK
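
Added example, not part of the original message: a small Python model that replays the denied packets from the question against the destination test of the inbound rules, first with "to me" and then with the network/netmask form from the reply. It models only the destination and interface match of those inbound rules (not the outbound "from" rules), and ME is an assumption: the two addresses the reply treats as the host's own.

```python
import ipaddress
import re

# Deny lines copied from the question, with the wrapped lines rejoined.
LOG = """\
Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520 255.255.255.255:520 in via rl1
Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.100.28:138 192.168.100.255:138 in via rl0
"""

# Assumption: the addresses the reply quotes as the host's own (rules 100/150).
ME = {ipaddress.ip_address("192.168.100.28"),
      ipaddress.ip_address("192.168.200.3")}

# Inbound destination rules only: (rule number, destination spec, interface).
ORIGINAL = [(200, "me", "rl0"), (200, "me", "rl1")]
REVISED = [(200, "192.168.100.0/24", "rl0"), (250, "192.168.200.0/24", "rl1")]

LINE = re.compile(r"ipfw: \d+ Deny \w+ ([\d.]+):\d+ ([\d.]+):\d+ in via (\w+)")


def parse(log):
    """Yield (dst, iface) for each inbound deny line in the log text."""
    for m in LINE.finditer(log):
        yield ipaddress.ip_address(m.group(2)), m.group(3)


def dst_matches(spec, dst):
    """'me' matches only configured host addresses; a CIDR spec matches
    every address in the network, including its directed broadcast."""
    if spec == "me":
        return dst in ME
    return dst in ipaddress.ip_network(spec)


def first_match(rules, dst, iface):
    """Return the number of the first rule that matches, or None."""
    for num, spec, rule_if in rules:
        if rule_if == iface and dst_matches(spec, dst):
            return num
    return None


def evaluate(log=LOG):
    """Return (dst, iface, rule hit in ORIGINAL, rule hit in REVISED)."""
    return [(str(dst), iface,
             first_match(ORIGINAL, dst, iface),
             first_match(REVISED, dst, iface))
            for dst, iface in parse(log)]


if __name__ == "__main__":
    for dst, iface, old, new in evaluate():
        print(f"{dst:16} via {iface}: 'to me' -> {old}, 'to net/mask' -> {new}")
```

The directed broadcast 192.168.100.255 falls inside 192.168.100.0/24 and is matched by the revised rule 200, while 255.255.255.255 lies outside 192.168.200.0/24 and is matched by neither form of the inbound rule.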
