From: "Andrew Seguin" <asegu@borgtech.ca>
To: freebsd-net@freebsd.org
Date: Thu, 16 Dec 2004 23:51:00 +0100
Subject: Curiosity in IPFW/Freebsd bridge.
Message-Id: <20041216225250.30FD954C3@borgtech.ca>
List-Id: Networking and TCP/IP with FreeBSD

Hello,

First off, many thanks to this list, which pointed out my hardware issue (rl series cards). I now have the bridge on two Intel Pro NICs and use the on-board sis card for console access; my average ping time to the router is 2ms, passing a solid 2MB/s.

My current situation is that it seems IPFW is filtering by IP address, but never matching an IP address/port number combo (ex: "deny ip from IP to any" works, but "deny ip from IP to any 80" does not work).

The firewall rules are as follows:

#1. Allow all SSH traffic until rules are down safe.
ipfw add 1 allow ip from any to LOCAL_IP 22
#ipfw add 100 TEST (either "deny ip from any to any" or "deny ip from any to any 80").
ipfw add 500 pipe 1 ip from any to any
ipfw pipe 1 config bw 20480Kbit/s
default> allow ip from any to any

The setup is as follows in rc.conf:

ifconfig_fxp0="up"
ifconfig_fxp1="up"
ifconfig_sis0="LOCAL_IP…"

And in sysctl.conf:

net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,fxp1
net.link.ether.bridge.ipfw=1

Kernel has been built with IPFW and DUMMYNET. FreeBSD 5.3 (RELENG_5, cvsupdated and recompiled about a week ago).

The server was working fine when I had it filtering between two switches (secondary to primary). I was having web/email/irc traffic bypass the pipe, and used the pipe to limit the speed of those who use P2P. Now I have this situation with the firewall between the main switch and the router. I really need to get this working for this purpose again fast, or else I'll have a repeat of an earlier "internal" DoS, so any and all tips, comments and pointers would be greatly appreciated!

I wonder if it is because I haven't assigned an IP address on the fxp facing the inside network…? Haven't had the time to try this yet (11:50pm local time!) since I don't remember which fxp card is facing internal/external, and so I will try in the morning.

Again, many thanks!
Andrew Seguin
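One check worth running on a setup like the one above is whether the suspect rule ever matches at all: `ipfw -a list` (or `ipfw show`) prints a packet and byte counter per rule, and since ipfw is first-match, a rule with zero hits either never saw a matching packet or had its traffic consumed by a lower-numbered terminal rule. The script below is an added example, not from the post or from FreeBSD; it parses a constructed sample of that counter output, modelled on the poster's ruleset with a made-up 192.0.2.10 standing in for LOCAL_IP, and reports idle rules together with the earlier rules that did carry traffic.

```python
import re

# Constructed sample of `ipfw -a list` / `ipfw show` output, modelled on the
# ruleset in the message. 192.0.2.10 stands in for LOCAL_IP and every counter
# value is made up for illustration.
SAMPLE_IPFW_SHOW = """\
00001  4182   612340 allow ip from any to 192.0.2.10 dst-port 22
00100     0        0 deny ip from any to any dst-port 80
00500 91270  8812394 pipe 1 ip from any to any
65535    17     1210 allow ip from any to any
"""

# Each rule line: rule number, packet count, byte count, then the rule body.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_ipfw_show(text):
    """Parse a counter-annotated ipfw listing into dicts; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"num": int(m.group(1)), "pkts": int(m.group(2)),
                          "bytes": int(m.group(3)), "body": m.group(4)})
    return rules


def idle_rules(rules):
    """Rule numbers whose packet counter is still zero: the rule never matched."""
    return [r["num"] for r in rules if r["pkts"] == 0]


def earlier_hits(rules, num):
    """Lower-numbered rules that did see traffic. ipfw evaluates first-match, and
    allow, deny and (with the default net.inet.ip.fw.one_pass=1) pipe all end
    processing, so packets meant for rule `num` may have been taken by one of these."""
    return [r["num"] for r in rules if r["num"] < num and r["pkts"] > 0]


def report(text):
    """Map each idle rule number to the earlier rules that carried traffic."""
    rules = parse_ipfw_show(text)
    return {num: earlier_hits(rules, num) for num in idle_rules(rules)}


if __name__ == "__main__":
    for num, earlier in report(SAMPLE_IPFW_SHOW).items():
        print(f"rule {num:05d} has zero hits; earlier rules with traffic: {earlier}")
```

On a live box, pipe the real listing in instead of the sample and re-run it while generating the traffic the rule is meant to catch; a counter that stays at zero points at the rule selector or an earlier match rather than at the bridge forwarding path.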