From owner-freebsd-ipfw@FreeBSD.ORG Fri May 4 13:51:27 2007
From: Sarkhan Elkhanzade
Reply-To: sarxan@elxanzade.com
Organization: Azercell JV
To: Nicolargo
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW + Bridge + Routing
Date: Fri, 04 May 2007 17:16:13 +0500
Message-Id: <1178280974.4148.2.camel@debian.azercell.com>
In-Reply-To: <10303574.post@talk.nabble.com>
References: <10303574.post@talk.nabble.com>
List-Id: IPFW Technical Discussions

On Thu, 2007-05-03 at 05:11 -0700, Nicolargo wrote:
> Hi all,
>
> here is my configuration:
>
>        PC3
>         |
>         |
>        FW
>        / \
>       /   \
>     PC1   PC2
>
> FW: FreeBSD 6.2
> Interface PC1 and PC2: bridged (172.18.0.254)
> Interface PC3: Routed (172.16.1.2)
> PC1: 172.18.0.1
> PC2: 172.18.0.2
> PC3: 172.16.1.1
>
> Ipfw:
> ipfw add 1 allow ip from any to any MAC any any
> ipfw add 2 allow ip from any to any
>
> Bridge:
> net.link.ether.bridge_cfg:
> net.link.ether.bridge_ipfw: 0
> net.link.ether.bridge_ipf: 0
> net.link.ether.bridge.config:
> net.link.ether.bridge.enable: 1
> net.link.ether.bridge.predict: 1250
> net.link.ether.bridge.dropped: 0
> net.link.ether.bridge.packets: 1294
> net.link.ether.bridge.ipfw_collisions: 0
> net.link.ether.bridge.ipfw_drop: 0
> net.link.ether.bridge.copy: 0
> net.link.ether.bridge.ipfw: 0
> net.link.ether.bridge.ipf: 0
> net.link.ether.bridge.debug: 0
> net.link.ether.bridge.version: 031224
> net.link.bridge.ipfw: 1
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.ipfw_arp: 0
> net.link.bridge.pfil_onlyip: 1
>
> rc.conf:
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm bge0 addm em0 up"
> ifconfig_bge0="inet 172.18.0.254 netmask 255.255.255.0"
> ifconfig_em0="up"
> ifconfig_em2="inet 172.16.1.2 netmask 255.255.255.0"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
>
> The problem is the following:
> PING PC1 -> PC2: OK
> PING PC2 -> PC1: OK
> PING FW -> ANY: OK
> PING PC1 -> PC3: NOK
> PING PC2 -> PC3: NOK
> PING PC3 -> ANY: NOK
>
> During a PING between PC1 and PC3, a tcpdump on the em2 interface shows:
> 14:10:43.564010 IP 172.18.0.1 > 172.16.1.1: ICMP echo request, id 34831, seq 7993, length 64
> 14:10:43.564687 IP 172.16.1.1 > 172.18.0.1: ICMP echo reply, id 34831, seq 7993, length 64
>
> but the reply packet is lost in the firewall and never redirected to the
> bridge0 interface...
> Any idea?
>
> Nicolas

Post the output of "# route print" from FW, PC3 and PC1 here.
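The diagnostic the original post is doing by eye (reply seen on em2, never on bridge0) can be made systematic. The following is an added example, not code from the thread or from FreeBSD: a POSIX sh/awk script that normalises tcpdump ICMP echo lines to (kind, src, dst, id, seq) tuples, reports echo replies present in one interface's capture but absent from another's, and lists requests that never received a reply within a single capture. The two embedded captures are constructed for the example, modelled on the two tcpdump lines in the post plus a second pair with seq 7994; the bridge0 capture is assumed to contain only the outbound requests, which is what the post describes.

```shell
#!/bin/sh
# Compare tcpdump ICMP echo captures taken on two interfaces of the same
# host and report where replies go missing. POSIX sh + awk + sort only.

# Constructed sample captures (not real data) in "tcpdump -n -i IF icmp" format.
EM2_CAPTURE='14:10:43.564010 IP 172.18.0.1 > 172.16.1.1: ICMP echo request, id 34831, seq 7993, length 64
14:10:43.564687 IP 172.16.1.1 > 172.18.0.1: ICMP echo reply, id 34831, seq 7993, length 64
14:10:44.565010 IP 172.18.0.1 > 172.16.1.1: ICMP echo request, id 34831, seq 7994, length 64
14:10:44.565687 IP 172.16.1.1 > 172.18.0.1: ICMP echo reply, id 34831, seq 7994, length 64'

# Assumed bridge0 capture: requests leave towards em2, replies never come back.
BRIDGE0_CAPTURE='14:10:43.563900 IP 172.18.0.1 > 172.16.1.1: ICMP echo request, id 34831, seq 7993, length 64
14:10:44.564900 IP 172.18.0.1 > 172.16.1.1: ICMP echo request, id 34831, seq 7994, length 64'

# icmp_keys: read tcpdump lines on stdin, emit "kind src dst id seq" per
# echo request/reply. Field positions follow the fixed tcpdump ICMP layout:
#   $3=src  $5=dst:  $8=request,|reply,  $10=id,  $12=seq,
icmp_keys() {
    awk '
    /ICMP echo (request|reply)/ {
        src = $3; dst = $5; sub(/:$/, "", dst)
        kind = ($8 == "request,") ? "request" : "reply"
        id = $10; sub(/,/, "", id)
        seq = $12; sub(/,/, "", seq)
        print kind, src, dst, id, seq
    }'
}

# missing_replies FIRST SECOND: echo replies present in capture FIRST but
# absent from capture SECOND, one "src dst id seq" per line, sorted.
# Empty output means every reply seen on FIRST also appeared on SECOND.
missing_replies() {
    { printf '%s\n' "$1" | icmp_keys | sed 's/^/A /'
      printf '%s\n' "$2" | icmp_keys | sed 's/^/B /'; } |
    awk '$1 == "B" && $2 == "reply" { seen[$3 " " $4 " " $5 " " $6] = 1 }
         $1 == "A" && $2 == "reply" { want[$3 " " $4 " " $5 " " $6] = 1 }
         END { for (k in want) if (!(k in seen)) print k }' | sort
}

# unanswered_requests CAPTURE: echo requests in CAPTURE whose matching reply
# (addresses swapped, same id/seq) never shows up in the same capture.
unanswered_requests() {
    printf '%s\n' "$1" | icmp_keys |
    awk '$1 == "reply"   { seen[$3 " " $2 " " $4 " " $5] = 1 }
         $1 == "request" { want[$2 " " $3 " " $4 " " $5] = 1 }
         END { for (k in want) if (!(k in seen)) print k }' | sort
}

# Stand-alone run: reproduce the symptom from the post.
printf 'Echo replies seen on em2 but never on bridge0 (src dst id seq):\n'
missing_replies "$EM2_CAPTURE" "$BRIDGE0_CAPTURE"
printf 'Echo requests on bridge0 that got no reply there:\n'
unanswered_requests "$BRIDGE0_CAPTURE"
```

To use it on the firewall, capture each interface separately, for example `tcpdump -l -n -i em2 icmp > em2.txt` and the same for bridge0 and for the member bge0, then feed the file contents to `missing_replies`. Capturing on the member as well matters here because with net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=1 ipfw is consulted both on the member interface and on bridge0, so a reply can be present on one and absent from the other. Keep in mind that tcpdump taps inbound frames before the firewall sees them, so a reply visible on em2 can still be dropped afterwards; its absence on the egress side is what localises the loss, and `ipfw -a list` rule counters taken before and after a ping run narrow it down to a rule.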