From: "Renato Barreto"
To: freebsd-ipfw@freebsd.org
Date: Fri, 10 Dec 2004 08:31:16 -0300
Subject: Firewall bridge mode with ipfw
List-Id: IPFW Technical Discussions

Hi,

In a bridge mode firewall (4.10-RELEASE) with IPFW2, how do I implement a more restrictive rule to pass MAC packets? If MAC is blocked, the bridge doesn't work.
/var/log/security:

    Dec 10 08:21:47 FB06 /kernel: ipfw: 65000 Accept MAC in via xl0
    Dec 10 08:26:14 FB06 /kernel: ipfw: 65000 Accept MAC in via vr0

The rule 65000 is completely open:

    #ipfw show 65000
    6298 309886 allow log ip from any to any layer2 keep-state

    #/etc/sysctl.conf
    sysctl net.link.ether.bridge=1
    sysctl net.link.ether.bridge_ipfw=1
    sysctl net.link.ether.bridge_cfg=xl0,vr0

TIA,
Renato
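An added example, not from the post and not FreeBSD's own rc.firewall: a layer2 ruleset that replaces the catch-all rule 65000 with explicit ARP and IPv4 rules per bridge port (xl0 and vr0 as in the post). The LAN prefix 192.168.1.0/24, the choice of permitted services and the FWCMD override are assumptions made for the example.

```shell
#!/bin/sh
# Tighter layer2 ruleset for an ipfw2 bridge (xl0 <-> vr0), replacing the
# wide-open "allow log ip from any to any layer2 keep-state" rule 65000.
# Assumed: vr0 faces the protected LAN 192.168.1.0/24 (constructed placeholder),
# xl0 faces the outside. Set FWCMD=echo to print the rules instead of loading them.
wan_if="xl0"
lan_if="vr0"
lan_net="192.168.1.0/24"

bridge_layer2_rules() {
    fw="${FWCMD:-/sbin/ipfw}"
    # Frames the bridge forwards reach ipfw with their Ethernet header attached,
    # so they match "layer2" rules; this is where the filtering has to happen.
    # ARP (ethertype 0x0806) must pass on both bridge ports or nothing resolves.
    $fw add 100 allow ip from any to any layer2 mac-type 0x0806 via "$wan_if"
    $fw add 110 allow ip from any to any layer2 mac-type 0x0806 via "$lan_if"
    # IPv4 (ethertype 0x0800) leaving the LAN is trusted outbound.
    $fw add 200 allow ip from "$lan_net" to any layer2 mac-type 0x0800 in via "$lan_if"
    # Inbound from the outside: established TCP, new TCP only to web ports,
    # DNS replies and a few ICMP types. Everything else is caught below.
    $fw add 300 allow tcp from any to "$lan_net" layer2 mac-type 0x0800 in via "$wan_if" established
    $fw add 310 allow tcp from any to "$lan_net" 80,443 layer2 mac-type 0x0800 in via "$wan_if" setup
    $fw add 320 allow udp from any 53 to "$lan_net" layer2 mac-type 0x0800 in via "$wan_if"
    $fw add 330 allow icmp from any to "$lan_net" layer2 mac-type 0x0800 in via "$wan_if" icmptypes 0,3,11
    # Last layer2 rule: deny and log instead of the old accept-everything.
    $fw add 65000 deny log ip from any to any layer2
}
```

Run `ipfw -f flush` before calling bridge_layer2_rules, otherwise each call adds a second copy of every numbered rule.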