From owner-freebsd-stable@FreeBSD.ORG Sat Jan 31 02:05:58 2004
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C751B16A4CE; Sat, 31 Jan 2004 02:05:58 -0800 (PST)
Received: from blackbyte.nl (d93139.upc-d.chello.nl [213.46.93.139]) by mx1.FreeBSD.org (Postfix) with ESMTP id 48A4143D45; Sat, 31 Jan 2004 02:05:56 -0800 (PST) (envelope-from crasp@blackbyte.nl)
Received: from localhost (localhost [127.0.0.1]) by blackbyte.nl (Postfix) with ESMTP id 751243D2C; Sat, 31 Jan 2004 11:05:53 +0100 (CET)
Received: by blackbyte.nl (Postfix, from userid 1000) id E93DE3D2A; Sat, 31 Jan 2004 11:05:46 +0100 (CET)
Date: Sat, 31 Jan 2004 11:05:46 +0100
From: Jeroen Ubbink
To: David Malone
cc: freebsd-stable@freebsd.org
Subject: Re: IPF, IPv6 and a bridge
Message-ID: <20040131100546.GA51403@cartman.south-park>
References: <20040130083808.GA60129@cartman.south-park> <20040130134306.GA17621@walton.maths.tcd.ie>
In-Reply-To: <20040130134306.GA17621@walton.maths.tcd.ie>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
X-Virus-Scanned: by AMaViS perl-11
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Sat, 31 Jan 2004 10:05:58 -0000

On Fri, Jan 30, 2004 at 01:43:06PM +0000, David Malone wrote:
> On Fri, Jan 30, 2004 at 09:38:08AM +0100, Jeroen Ubbink wrote:
> > ipfw doesn't seem to block router advertisements on a
> > bridge either. Is this just a problem with both those firewall tools or is
> > it a problem in FreeBSD?
>
> Bridged packets are special and are not usually firewalled. I could be
> mistaken, but I don't think you can get ipf to filter bridged packets
> in 4.9. You could use ipfw2 to do it though:
>
> sysctl net.link.ether.bridge_ipfw=1
> ipfw add deny layer2 mac-type ipv6 recv tun1

Thank you, this seems to do the trick, though I have mixed feelings about
ipf, since the ipf page (http://www.obfuscation.org/ipf/) describes in its
"ipf HOWTO", chapter 9.2, that it IS possible to use ipf on a bridge. Given
that there is also net.link.ether.bridge_ipf, one would say it should work,
and it does till a certain point. IPv6, however, seems impossible to block
with ipf. Anyway, it works now, that's all I care about actually :)

> (You'll need to turn on ipfw2 to do this - see the ipfw man page for
> details).
>
> David.

Kind regards,

Jeroen Ubbink
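An added example, not part of the thread: a small sh script that assembles the ipfw2 layer2 ruleset David suggests (the bridge_ipfw sysctl plus a layer2 deny on IPv6 ethertype received on the bridge member). The interface name tun1 comes from the thread; the rule numbers, the `log` keyword on the deny rule (so blocked router advertisements show up in the ipfw log) and the trailing `allow layer2` catch-all are assumptions added here. DRY_RUN=1 (the default) prints the commands instead of executing them, so the script can be read and checked on any host; ipfw2 itself still has to be enabled as David notes.

```shell
#!/bin/sh
# Added example: build the ipfw2 layer2 rules that stop IPv6 frames (such as
# router advertisements) from being bridged in from one member interface.
# Not code from the thread; tun1 is the interface named there, everything
# else (rule numbers, log, catch-all allow) is an assumption for illustration.

BRIDGE_IF="${BRIDGE_IF:-tun1}"   # bridge member that receives the RAs
DRY_RUN="${DRY_RUN:-1}"          # 1: print commands, 0: execute them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the full sequence: hand bridged frames to ipfw, deny IPv6 ethertype
# received on the member interface (logged), then let other frames through.
ipv6_bridge_rules() {
    run sysctl net.link.ether.bridge_ipfw=1
    # Logged deny: each blocked IPv6 frame is recorded by the ipfw logger.
    run ipfw add 1000 deny log layer2 mac-type ipv6 recv "$BRIDGE_IF"
    # Remaining bridged traffic is passed as before (assumed catch-all).
    run ipfw add 1100 allow layer2 all from any to any
}

# Number of ipfw rules the script would install (used for a sanity check).
count_rules() {
    ipv6_bridge_rules | grep -c '^ipfw add'
}

# Stand-alone run: print the commands under the default DRY_RUN=1.
ipv6_bridge_rules
```

Run it with DRY_RUN=0 as root on the bridging host to apply the rules; afterwards `ipfw show` displays per-rule packet counters, so a rising counter on rule 1000 confirms that IPv6 frames arriving on the member interface are being dropped.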