From owner-freebsd-net Fri Feb  2 11:11:19 2001
Delivered-To: freebsd-net@freebsd.org
Received: from secure.webhotel.net (secure.webhotel.net [195.41.202.80])
	by hub.freebsd.org (Postfix) with SMTP id B7FE237B491
	for ; Fri, 2 Feb 2001 11:10:59 -0800 (PST)
Received: (qmail 64454138 invoked from network); 2 Feb 2001 19:13:13 -0000
Received: from mail-gateway.webhotel.net (195.41.202.215)
	by mail.webhotel.net with SMTP; 2 Feb 2001 19:13:13 -0000
X-Authenticated-Timestamp: 20:13:13(CET) on February 02, 2001
Received: (from hroi@localhost)
	by chewbacca.netgroup.dk (8.11.1/8.9.3) id f12JAxJ83438;
	Fri, 2 Feb 2001 20:10:59 +0100 (CET)
	(envelope-from hroi)
Date: Fri, 2 Feb 2001 20:10:59 +0100
From: Hroi Sigurdsson
To: "Thomas T. Veldhouse"
Cc: freebsd-stable@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Bridge and IPFW woes ...
Message-ID: <20010202201059.A48414@chewbacca.netgroup.dk>
References: <006801c08d39$6974f9e0$3028680a@tgt.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <006801c08d39$6974f9e0$3028680a@tgt.com>; from veldy@veldy.net on Fri, Feb 02, 2001 at 10:58:48AM -0600
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Feb 02, 2001 at 10:58:48AM -0600, Thomas T. Veldhouse wrote:
> If I change the bridging code over to NETGRAPH - this scenario does not
> happen. All communication works just fine between all the hosts and the
> Internet; however, all firewall rules that would apply to Host B and C seem
> to quit working. In other words, all the hosts, except for Host A, are
> left completely unprotected. I have tried using IPFILTER with both the in-
> kernel bridging code and NETGRAPH and have come to the same conclusion.
> There is no way to filter the bridged packets.

Netgraph doesn't support ipfw.

It is in the TODO, and look at this from sys/netgraph/ng_bridge.c:

	/* Run packet through ipfw processing, if enabled */
	if (priv->conf.ipfw[linkNum] && fw_enable && ip_fw_chk_ptr != NULL) {
		/* XXX not implemented yet */
	}

It would be really nice to have code in there instead of that comment, or a
separate ipfw netgraph node altogether :-) I've been reading through some of
the netgraph code and it is a beautiful thing to behold.

-- 
Hroi Sigurdsson              hroi@netgroup.dk
Netgroup A/S                 http://www.netgroup.dk

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message