Date: Fri, 30 Jan 2004 09:38:08 +0100
From: Jeroen Ubbink <crasp@blackbyte.nl>
To: freebsd-stable@freebsd.org
Subject: IPF, IPv6 and a bridge
Message-ID: <20040130083808.GA60129@cartman.south-park>
Hello,

I have built a VPN with some friends; we all have a tap-device that handles data for the VPN. The tap-device is bridged to our local network interfaces, e.g.:

    net.link.ether.bridge_cfg: tap1,fxp0
    net.link.ether.bridge: 1
    net.link.ether.bridge_ipf: 1

Now some of my friends also have an IPv6 tunnel set up, just like me, and are running rtadvd to give their internal network IPv6 addresses and routes. The point is that it goes across the entire VPN. So the hosts in my network get routes and IPs out of the prefixes of friends, which in most cases makes traffic with the outside world through IPv6 impossible.

Now what I want my IPF to do is to block all the router advertisements coming in on tap1. Easier done than said. A simple rule:

    block in quick on tap1 all

Load it with ipf -6 and it works as an IPv6 rule. This works for the machine with the TAP device in it. It doesn't get an IP or a route from anybody else anymore, but it doesn't prevent the router advertisements from going to the rest of my hosts. I even tried to block ipv6-icmp and load it with the IPv4 rules, still the same.

IPv4, however, seems to block like a charm: blocking DHCP to prevent other hosts from getting an IP of my network, or making sure my network doesn't get IPs from other networks, seems to work fine.

I'm lost. ipfw doesn't seem to block router advertisements on a bridge either. Is this just a problem with both those firewall tools, or is it a problem in FreeBSD?

Thanks in advance,
Jeroen Ubbink
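
An added example, not part of the original message: one way to check whether router advertisements crossing the bridge carry foreign prefixes is to parse captured Ethernet frames for ICMPv6 type 134 and compare the advertised prefixes with the local ones. The function names, the sample frame and the 2001:db8:: documentation prefixes are assumptions made for this sketch.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO = 134, 3   # ICMPv6 Router Advertisement, Prefix Information (RFC 4861)

def parse_ra(frame):
    """Return (source address, advertised prefixes) for an untagged Ethernet
    frame carrying a Router Advertisement, else None."""
    if len(frame) < 14 + 40 + 16 or frame[12:14] != b"\x86\xdd":
        return None                  # too short, or EtherType is not IPv6
    ip6 = frame[14:54]
    if ip6[0] >> 4 != 6 or ip6[6] != 58:
        return None                  # next header must be ICMPv6; extension headers not followed
    icmp = frame[54:54 + struct.unpack("!H", ip6[4:6])[0]]
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        return None
    prefixes, off = [], 16           # options start after the 16-byte fixed RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            break                    # malformed option: stop rather than loop forever
        if opt_type == OPT_PREFIX_INFO and opt_len == 32 and icmp[off + 2] <= 128:
            addr = icmp[off + 16:off + 32]
            prefixes.append(ipaddress.IPv6Network((addr, icmp[off + 2]), strict=False))
        off += opt_len
    return ipaddress.IPv6Address(ip6[8:24]), prefixes

def foreign_prefixes(frame, local_prefixes):
    """Prefixes advertised in the frame that fall outside every local prefix."""
    ra = parse_ra(frame)
    if ra is None:
        return []
    allowed = [ipaddress.IPv6Network(p) for p in local_prefixes]
    return [p for p in ra[1] if not any(p.subnet_of(a) for a in allowed)]

def build_ra(src, prefix, plen=64):
    """Constructed sample frame (checksum left at 0; it is not verified here)."""
    opt = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 86400, 14400, 0)
    opt += ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0) + opt
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return bytes.fromhex("333300000001" "020000000001" "86dd") + ip6 + icmp

if __name__ == "__main__":
    sample = build_ra("fe80::1", "2001:db8:beef::")   # documentation prefix
    print(parse_ra(sample), foreign_prefixes(sample, ["2001:db8:1::/48"]))
```

Run against frames captured on an inside host, a non-empty result from foreign_prefixes means advertisements from another site are still reaching the LAN side of the bridge.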