From: Matthew Seaman
To: ???? ???????
Cc: questions@FreeBSD.ORG
Subject: Re: ipfw: broadcast thing
Date: Sun, 30 Jun 2002 22:29:20 +0100
Message-ID: <20020630212920.GA42452@happy-idiot-talk.infracaninophi>
References: <20020630234304.F1147-100000@sol.chel.skbkontur.ru>
In-Reply-To: <20020630234304.F1147-100000@sol.chel.skbkontur.ru>

On Sun, Jun 30, 2002 at 11:48:56PM +0600, ???? ??????? wrote:
> Dear Sirs,
>
> for example, rl0 and rl1 are local (non-Internet) interfaces.
> (I'm going to switch to stateful rules soon, but for now I've configured
> a stateless firewall):
>
> ipfw add 100 allow ip from me to any
> ipfw add 200 allow ip from any to me via rl0
> ipfw add 200 allow ip from any to me via rl1
>
> that's simple, that's good, I even like it:)
> but such configuration doesn't pass broadcast packets:
>
> Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520 255.255.255.255:520 in via rl1
> Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.100.28:138 192.168.100.255:138 in via rl0
> Jun 30 23:43:14 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520 255.255.255.255:520 in via rl1
> Jun 30 23:43:45 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520 255.255.255.255:520 in via rl1
>
> can anybody help me with "allow"ing broadcast traffic ??

If you know what the IP address is on each of your interfaces, it is
more efficient to quote it explicitly in your IPFW rulesets. You can
also change the filter to take account of the local network number and
netmask, which will allow broadcast packets as well:

    ipfw add 100 allow ip from 192.168.100.28 to any
    ipfw add 150 allow ip from 192.168.200.3 to any
    ipfw add 200 allow ip from any to 192.168.100.0/24 via rl0
    ipfw add 250 allow ip from any to 192.168.200.0/24 via rl1

The fact that you're getting RIP broadcasts to 255.255.255.255 on your
rl1 interface is almost definitely an error, probably due to a
misconfigured netmask on your router.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
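To see why the "to me" rules drop the logged packets while the address/netmask rules pass them, here is an added example (not part of the thread) that runs the logged packets through both rulesets with a simplified first-match matcher. The firewall's own interface addresses (192.168.100.1 and 192.168.200.1) are assumed, since the thread does not give them; "via" is treated as a plain interface match.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed firewall interface addresses (the thread does not state them).
MY_ADDRS = {ipaddress.ip_address("192.168.100.1"),
            ipaddress.ip_address("192.168.200.1")}
DEFAULT_DENY = 65535  # ipfw's implicit final "deny ip from any to any"

@dataclass
class Rule:
    num: int
    action: str                 # "allow" or "deny"
    src: str                    # "me", "any", or an address/prefix
    dst: str
    via: Optional[str] = None   # interface name; None matches any

def _matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        # "me" covers only the host's own addresses; a subnet or the
        # limited broadcast address 255.255.255.255 is never "me".
        return addr in MY_ADDRS
    return addr in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, src: str, dst: str, iface: str):
    """First matching rule wins; returns (rule number, action)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.num):
        if r.via is not None and r.via != iface:
            continue
        if _matches(r.src, s) and _matches(r.dst, d):
            return r.num, r.action
    return DEFAULT_DENY, "deny"

# The poster's stateless ruleset.
TO_ME = [Rule(100, "allow", "me", "any"),
         Rule(200, "allow", "any", "me", "rl0"),
         Rule(200, "allow", "any", "me", "rl1")]
# The ruleset suggested in the reply.
SUBNET = [Rule(100, "allow", "192.168.100.28", "any"),
          Rule(150, "allow", "192.168.200.3", "any"),
          Rule(200, "allow", "any", "192.168.100.0/24", "rl0"),
          Rule(250, "allow", "any", "192.168.200.0/24", "rl1")]

# Packets taken from the poster's log lines: (src, dst, inbound interface).
NETBIOS = ("192.168.100.28", "192.168.100.255", "rl0")
RIP = ("192.168.200.3", "255.255.255.255", "rl1")

if __name__ == "__main__":
    for name, rules in (("to-me", TO_ME), ("subnet", SUBNET)):
        for pkt in (NETBIOS, RIP):
            print(name, pkt, "->", evaluate(rules, *pkt))
```

Rule 250 passes directed broadcasts to 192.168.200.255 but not the limited broadcast 255.255.255.255 from other hosts on rl1, which is consistent with the reply's point that those RIP packets indicate a netmask problem rather than a firewall one.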