Date: Mon, 1 Jul 2002 07:52:05 +0600 (YEKST)
From: Илья Шипицин <ilia@chel.skbkontur.ru>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: questions@FreeBSD.ORG
Subject: Re: ipfw: broadcast thing
Message-ID: <20020701075031.H5982-100000@sol.chel.skbkontur.ru>
In-Reply-To: <20020630212920.GA42452@happy-idiot-talk.infracaninophi>
> On Sun, Jun 30, 2002 at 11:48:56PM +0600, Илья Шипицин wrote:
> > Dear Sirs,
> >
> > for example, rl0 and rl1 are local (non-Internet) interfaces.
> >
> > (I'm going to switch to stateful rules soon, but for now I've configured
> > a stateless firewall):
> >
> > ipfw add 100 allow ip from me to any
> > ipfw add 200 allow ip from any to me via rl0
> > ipfw add 200 allow ip from any to me via rl1
> >
> > that's simple, that's good, I even like it :)
> > but such a configuration doesn't pass broadcast packets:
> >
> > Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520
> > 255.255.255.255:520 in via rl1
> > Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.100.28:138
> > 192.168.100.255:138 in via rl0
> > Jun 30 23:43:14 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520
> > 255.255.255.255:520 in via rl1
> > Jun 30 23:43:45 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520
> > 255.255.255.255:520 in via rl1
> >
> >
> > can anybody help me with "allow"ing broadcast traffic?
>
> If you know what the IP address is on each of your interfaces, it's more
> efficient to quote it explicitly in your IPFW rulesets. You can also
> change the filter to take account of the local network number and
> netmask, which will allow broadcast packets as well:
>
> ipfw add 100 allow ip from 192.168.100.28 to any
> ipfw add 150 allow ip from 192.168.200.3 to any
> ipfw add 200 allow ip from any to 192.168.100.0/24 via rl0
> ipfw add 250 allow ip from any to 192.168.200.0/24 via rl1

no, I don't want to pass "from any to any", I just want to pass
"from me to any" + "from any to me" + "broadcast things"
(no matter what kind of broadcast it is: RIP, SMB or whatever)

>
> The fact that you're getting RIP broadcasts to 255.255.255.255 on your
> rl1 interface is almost definitely an error, probably due to a
> misconfigured netmask on your router.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
>                                                       Savill Way
> Tel: +44 1628 476614                                  Marlow
> Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
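An added example, not from the thread or from either poster, that reads ipfw deny lines like the ones quoted above and explains why `from any to me` did not match them (ipfw's `me` covers only the host's own addresses, so limited and directed broadcasts never match it), then emits allow rules narrowed to just the broadcast flows actually seen. The /24 networks behind rl0 and rl1 and the rule numbers are assumptions; the allow rules must be numbered below the deny rule that logged the drop (104 in the log).

```python
import ipaddress
import re

# Constructed sample: the deny lines from the thread, each rejoined onto one line.
SAMPLE_LOG = """\
Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520 255.255.255.255:520 in via rl1
Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.100.28:138 192.168.100.255:138 in via rl0
Jun 30 23:43:14 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520 255.255.255.255:520 in via rl1
"""

# Assumed local networks behind each interface (the /24s Matthew used); set these
# to the real netmasks of rl0 and rl1, since they define the directed broadcast.
IFACE_NETS = {
    "rl0": ipaddress.ip_network("192.168.100.0/24"),
    "rl1": ipaddress.ip_network("192.168.200.0/24"),
}

DENY_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) in via (?P<ifn>\w+)"
)


def classify(dst, ifn):
    """Why 'from any to me' missed this packet: 'me' is only the host's own addresses."""
    d = ipaddress.ip_address(dst)
    net = IFACE_NETS[ifn]
    if d == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if d == net.broadcast_address:
        return "directed-broadcast"
    return "unicast" if d in net else "off-subnet"


def suggest_rules(log_text, first_rule=50):  # first_rule: placeholder, must sort before deny rule 104
    """Allow rules for the broadcast flows seen, one per (iface, proto, dst, port)."""
    seen, rules = set(), []
    for m in DENY_RE.finditer(log_text):
        if not classify(m["dst"], m["ifn"]).endswith("broadcast"):
            continue  # unicast drops are a different problem; do not open them here
        key = (m["ifn"], m["proto"].lower(), m["dst"], m["dport"])
        if key in seen:
            continue
        seen.add(key)
        ifn, proto, dst, dport = key
        # Source limited to the attached subnet: a broadcast arriving on rl1 from some
        # other network is spoofed or misrouted and stays denied.
        rules.append(f"ipfw add {first_rule + 10 * len(rules)} allow {proto} "
                     f"from {IFACE_NETS[ifn]} to {dst} {dport} in via {ifn}")
    return rules
```

`suggest_rules(SAMPLE_LOG)` yields one rule for RIP to 255.255.255.255 on rl1 and one for NetBIOS datagrams to 192.168.100.255 on rl0; whether the RIP flow should be opened at all is the netmask question Matthew raised, so review each line before adding it.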