From: Luigi Rizzo
Message-Id: <199901082055.VAA12691@labinfo.iet.unipi.it>
Subject: Re: DummyNet & Bridging w/ipfw Question (fwd)
To: net@FreeBSD.ORG
Date: Fri, 8 Jan 1999 21:55:50 +0100 (MET)

This is going to be a recurrent question lately so maybe a reminder is
worthwhile.

> I have the full version of freeBSD 2.2.8 complete with IPFW and DummyNet
> options installed on a PC acting as a filter and bridge between two
> segments. My last problem to solve is that arp requests are not getting
> sent (in either direction) through the bridge. Unicast packets get sent,

ok i know why. You need to put

    option IPFIREWALL_DEFAULT_TO_ACCEPT

in your kernel config, and if you want a closed firewall you put a rule

    65534 deny ip from any to any

this is because ipfw is very IP-centric and all non-matching packets
(this includes ARP) are subject to the default rule #65535.

The above solves the problem, waiting for a better solution (in the form
of ipfw extensions to match non-ip packets).

Also note that bridge+ipfw at the moment has some glitches because of a
few missing ntohs() calls on the ip_off field of the IP header (ipfw
expects some fields including this to be in host order). Symptoms are
that packets with a DF bit set are mistaken as fragments and may match
other rules than those intended. A fix (trivial) is in the works.

cheers
luigi
-----------------------------------+-------------------------------------
Luigi RIZZO                        .
EMAIL: luigi@iet.unipi.it          . Dip. di Ing. dell'Informazione
HTTP://www.iet.unipi.it/~luigi/    . Universita` di Pisa
TEL/FAX: +39-050-568.533/522       . via Diotisalvi 2, 56126 PISA (Italy)
-----------------------------------+-------------------------------------
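
The DF-versus-fragment confusion described in the message above, shown as an added example that is not part of the original post and is not ipfw's own code. The function names, the fragment test in looks_like_fragment() and the sample ip_off bytes are assumptions constructed for illustration; the flag and mask values are the standard IPv4 ones.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_DF      0x4000  /* don't-fragment flag */
#define IP_MF      0x2000  /* more-fragments flag */
#define IP_OFFMASK 0x1fff  /* fragment offset, in 8-byte units */

/* Constructed sample ip_off fields, exactly as the bytes sit on the wire. */
const uint8_t DF_ONLY[2]   = { 0x40, 0x00 };  /* DF set, offset 0: not a fragment */
const uint8_t PLAIN[2]     = { 0x00, 0x00 };  /* no flags, offset 0               */
const uint8_t LAST_FRAG[2] = { 0x00, 0xb9 };  /* offset 185: a real fragment      */

/* Hypothetical filter check: assumes ip_off is already in host byte order. */
static int looks_like_fragment(uint16_t ip_off_host)
{
    return (ip_off_host & (IP_MF | IP_OFFMASK)) != 0;
}

/* Fixed path: the wire bytes are converted with ntohs() before the check. */
int frag_with_ntohs(const uint8_t wire[2])
{
    uint16_t raw;
    memcpy(&raw, wire, sizeof raw);
    return looks_like_fragment(ntohs(raw));
}

/* Buggy path: the field is used as a little-endian CPU (e.g. i386) loads
 * it straight from the packet. The load is modelled explicitly so the
 * result is the same on any host. */
int frag_without_ntohs(const uint8_t wire[2])
{
    uint16_t raw = (uint16_t)(wire[0] | (wire[1] << 8));
    return looks_like_fragment(raw);  /* DF (0x4000) is seen as offset 0x0040 */
}

int main(void)
{
    printf("DF-only packet: with ntohs=%d, without=%d\n",
           frag_with_ntohs(DF_ONLY), frag_without_ntohs(DF_ONLY));
    return 0;
}
```

Without the conversion, the DF bit lands inside the offset mask, so a rule written for unfragmented packets is skipped and a fragment rule can match instead.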