Date: Thu, 16 Dec 2004 23:51:00 +0100
From: "Andrew Seguin" <asegu@borgtech.ca>
To: <freebsd-net@freebsd.org>
Subject: Curiosity in IPFW/Freebsd bridge.
Message-ID: <20041216225250.30FD954C3@borgtech.ca>
Hello,

First off, a great thanks to this list who pointed out my hardware issue (rl series cards). I now have the bridge on two Intel Pro NICs and I use the on-board sis card for console access, and my average ping time is a 2ms average to the router, passing about a solid 2MB/s.

My current situation is that it seems IPFW is filtering by IP address, but never matching an IP address/port number combo (ex: "deny ip from IP to any" works, but "deny ip from IP to any 80" does not work).

The firewall rules are as follows:

    #1. Allow all SSH traffic until rules are down safe.
    ipfw add 1 allow ip from any to LOCAL_IP 22
    #ipfw add 100 TEST (either "deny ip from any to any" or "deny ip from any to any 80").
    ipfw add 500 pipe 1 ip from any to any
    ipfw pipe 1 config bw 20480Kbit/s
    default> allow ip from any to any

The setup is as follows in rc.conf:

    ifconfig_fxp0="up"
    ifconfig_fxp1="up"
    ifconfig_sis0="LOCAL_IP..."

And in sysctl.conf:

    net.link.ether.bridge.enable=1
    net.link.ether.bridge.config=fxp0,fxp1
    net.link.ether.bridge.ipfw=1

Kernel has been built with IPFW and DUMMYNET. FreeBSD 5.3 (RELENG_5, cvsupdated and recompiled about a week ago).

The server was working fine when I had it filtering between two switches (secondary to primary). I was having web/email/irc traffic bypass the pipe, and used the pipe to limit the speed of those who use P2P. Now, I have this situation with the firewall between the main switch and the router. I really need to get this working for this purpose again fast or else I'll have a repeat of an earlier "internal" DoS, so any and all tips, comments, pointers would be greatly appreciated!

I wonder if it is because I haven't assigned an IP address on the fxp facing the inside network...? Haven't had the time to try this yet (11:50pm local time!) since I don't remember which fxp card is facing internal/external and so I will try in the morning.

Again, many thanks!

Andrew Seguin
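As an added example, not code from the mail above or from the FreeBSD project: the policy the mail describes (ssh to the box itself, web/email/irc bypassing the shaper, everything else through pipe 1 at 20480 Kbit/s) written out as an ipfw rule set that names the protocol and port explicitly, with a dry-run mode so the generated rules can be reviewed before they are loaded on the bridge. The LOCAL_IP placeholder, the bypass port list and the rule numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumptions: fxp0/fxp1 form the
# bridge, LOCAL_IP is the sis0 management address, pipe 1 is the 20480 Kbit/s
# limit from the mail. Setting IPFW=echo prints the commands instead of
# installing them (dry run), so the rule set can be reviewed first.
IPFW="${IPFW:-/sbin/ipfw}"
LOCAL_IP="${LOCAL_IP:-192.0.2.1}"   # constructed placeholder, not a real address
PIPE_BW="${PIPE_BW:-20480Kbit/s}"
# Services that should bypass the shaper (web, mail, irc) as tcp destination ports.
BYPASS_TCP="80 443 25 110 143 6667"

fw() { "$IPFW" "$@"; }

load_rules() {
    fw -f flush
    fw pipe 1 config bw "$PIPE_BW"
    # Management access first, so a later mistake cannot lock out the ssh session.
    fw add 10 allow tcp from any to "$LOCAL_IP" 22
    fw add 10 allow tcp from "$LOCAL_IP" 22 to any
    # Bypass rules carry an explicit protocol and port, in both directions:
    # "to any PORT" is the destination port, "from any PORT" the source port.
    for p in $BYPASS_TCP; do
        fw add 100 allow tcp from any to any "$p"
        fw add 100 allow tcp from any "$p" to any
    done
    fw add 110 allow udp from any to any 53
    fw add 110 allow udp from any 53 to any
    # Everything else, P2P included, is shaped by pipe 1 and then allowed.
    fw add 500 pipe 1 ip from any to any
    fw add 65000 allow ip from any to any
}

# Review helper: how many generated rules name tcp or udp (and so carry a port).
port_rule_count() {
    ( IPFW=echo; load_rules ) | grep -c -e ' tcp ' -e ' udp '
}
```

Run with `IPFW=echo sh rules.sh` (after adding a `load_rules` call at the bottom) to print the rule set without touching the running firewall; without the variable it installs the rules via /sbin/ipfw.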