From: Dave McCammon
To: questions@freebsd.org
Date: Tue, 3 Jul 2007 08:52:39 -0700 (PDT)
Subject: if_bridge and ipfw

I can't seem to grasp why this is working differently.
FreeBSD 6.2 using ipfw + if_bridge

LAN -- em1 (if_bridge + ipfw) em0 -- internet

So I am at 10.10.16.6 and try to ping, say, www.yahoo.com. In the ruleset:

1100 allow icmp from any to 10.10.16.0/27{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
2100 allow ip from 10.10.16.0/27 to any in via em1

it gets dropped by the following rule, as shown in the logs:

4700 deny log ip from any to any

Log entry:

ipfw: 4700 Deny ICMP:8.0 10.10.16.6 69.147.114.210 out via em0

If I add this rule, all works great:

2101 allow icmp from 10.10.16.6 to any icmptypes 8

My confusion is: shouldn't the icmp be allowed in rule 2100? Or is it that with if_bridge I have to make a rule for both interfaces?

The rule "2100 allow ip from 10.10.16.0/27 to any in via em1" allowed the icmp passage, out of em0 through the bridge, in 6.2 using bridge(4). This entire ruleset is the same with if_bridge as has been working with bridge(4). I just moved to if_bridge since bridge(4) is obsolete.

Thanks for your help.

dave
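An added example, not part of the original mail: a small Python model of ipfw's first-match evaluation, run over the rules and the logged packet quoted above. The log line reports the echo request being evaluated "out via em0", and on that pass rule 2100 cannot match because it requires both "in" and "via em1"; the same packet evaluated "in via em1" does hit 2100, and 2101 is what catches it on the em0 pass. The Pkt/Rule layout is this example's own assumption, not ipfw's internal representation.

```python
# Constructed example (not from the mail): ipfw first-match evaluation of the poster's rules.
from __future__ import annotations
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# One packet as ipfw sees it on one pass: direction ("in"/"out") and the interface.
Pkt = namedtuple("Pkt", "proto src dst direction iface icmptype", defaults=(None,))
@dataclass
class Rule:
    num: int
    action: str                     # "allow" or "deny"
    proto: str = "ip"               # "ip" matches any IP protocol
    src: str = "any"
    dst: str = "any"
    direction: str | None = None    # None matches both "in" and "out"
    via: str | None = None          # None matches any interface
    icmptypes: tuple[int, ...] | None = None
    def matches(self, p: Pkt) -> bool:
        return (self.proto in ("ip", p.proto)
                and addr_match(self.src, p.src) and addr_match(self.dst, p.dst)
                and self.direction in (None, p.direction)
                and self.via in (None, p.iface)
                and (self.icmptypes is None or p.icmptype in self.icmptypes))

def addr_match(spec: str, addr: str) -> bool:
    """ipfw address specs: 'any', host, net/len, or net/len{list of last octets}."""
    net, _, hostlist = spec.replace("any", "0.0.0.0/0").partition("{")
    if ipaddress.ip_address(addr) not in ipaddress.ip_network(net, strict=False):
        return False
    octets = {n for item in hostlist.rstrip("}").split(",") if item
              for lo, _, hi in [item.partition("-")]
              for n in range(int(lo), int(hi or lo) + 1)}
    return not hostlist or int(addr.rsplit(".", 1)[-1]) in octets

def first_match(rules: list[Rule], p: Pkt) -> Rule:
    """ipfw stops at the first matching rule, in ascending rule-number order."""
    return next(r for r in sorted(rules, key=lambda r: r.num) if r.matches(p))

RULESET = [
    Rule(1100, "allow", "icmp", dst="10.10.16.0/27{1-10,13,14,19,22,23}",
         icmptypes=(0, 3, 11, 12, 13, 14)),
    Rule(2100, "allow", src="10.10.16.0/27", direction="in", via="em1"),
    Rule(4700, "deny"),
]
RULE_2101 = Rule(2101, "allow", "icmp", src="10.10.16.6", icmptypes=(8,))
# The echo request as the quoted log line reports ipfw seeing it: "out via em0".
LOGGED_PKT = Pkt("icmp", "10.10.16.6", "69.147.114.210", "out", "em0", icmptype=8)
# The same request on the pass rule 2100 was written for: "in via em1".
INBOUND_PKT = Pkt("icmp", "10.10.16.6", "69.147.114.210", "in", "em1", icmptype=8)
```

first_match(RULESET, LOGGED_PKT) lands on 4700 while first_match(RULESET, INBOUND_PKT) lands on 2100; adding RULE_2101 to the list makes the em0 pass match 2101 instead.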