From owner-freebsd-stable Fri Feb 2 09:02:41 2001
Delivered-To: freebsd-stable@freebsd.org
Message-ID: <006801c08d39$6974f9e0$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
Subject: Bridge and IPFW woes ...
Date: Fri, 2 Feb 2001 10:58:48 -0600
Sender: owner-freebsd-stable@FreeBSD.ORG

I have stumbled onto a problem with the bridging code (options BRIDGE) with IPFIREWALL. Please review my beautiful ASCII art below.

                Internet
                   |
               ----------
               | Host A |
               ----------
                   |
                   | 24.2.0.1
                  / \
                 /   \
                /     \
               /       \
    24.2.0.1  |         |  24.2.0.2
              |         |
         ----------   ----------
         | Host B |   | Host C |
         ----------   ----------

In this case, Host A has two NICs. The external interface is not assigned an IP address but the internal interface is assigned 24.2.0.1 (example IP only). Host A is running the in-kernel bridging code so that Host B and Host C can have public IP addresses instead of using NAT. Host A also is a firewall that protects itself and Hosts B and C.

The problem rears its ugly head when I start with both Host B and Host C down. If I start Host B first, all is well; it can communicate with the Internet and with Host A. If I then start Host C, all becomes "unwell". Both Host B and C can still communicate with the Internet, but they can not communicate with Host A. Most often the rest of the net can not communicate with Host A either. isc-dhcpd is running on Host A and it assigns IP addresses to Hosts B and C.
Thus, I need the public IP address for Host A assigned to the internal NIC (?). Why would Host A suddenly drop off the face of the earth when Host C comes up and yet bridging still functions normally for access to the Internet??? Adding 'ipfw add 1 pass all from any to any' to Host A has not opened up access to Host A. So something more sinister is at work here.

If I change the bridging code over to NETGRAPH, this scenario does not happen. All communication works just fine between all the hosts and the Internet; however, all firewall rules that would apply to Hosts B and C seem to quit working. In other words, all the hosts, except for Host A, are left completely unprotected. I have tried using IPFILTER with both the in-kernel bridging code and NETGRAPH and have come to the same conclusion. There is no way to filter the bridged packets.

So, I have a dilemma. How do I get bridging to work and yet firewall the bridged packets, and still keep Host A on the Internet? I am aware that bridging was not originally intended to bridge across interfaces that themselves have IP addresses, yet this seems to be a common thing. The new bridging code in Linux was designed to do just that, but I would prefer not to have to play with that on my production machine.

The closest I have come to a solution currently is to use ipfilter with ipnat and bimap to simulate the same thing. But it isn't the same thing. I really do need public access to these IP addresses and I need them firewalled en route to the Internet. Would Proxy ARP subnetting accomplish the same thing? Can I do this on FreeBSD with any ease?

Can anybody help me with this? Thanks for reading this far :)

Thanks in advance for any assistance,

Tom Veldhouse
veldy@veldy.net
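The post's central complaint is that frames bridged between the two NICs never seem to be filtered. The following is an added example, not part of the original message or of any reply to it, showing the FreeBSD 4.x-era configuration in which the in-kernel bridge (options BRIDGE) hands bridged packets to ipfw: the bridge(4) sysctl net.link.ether.bridge_ipfw must be set to 1, otherwise bridged frames bypass ipfw entirely and only Host A's own traffic is filtered. The interface names fxp0 (external, no address) and fxp1 (internal, 24.2.0.1) are constructed for the example, as is the assumption that the bridged hosts live in 24.2.0.0/24 and expose SSH and HTTP. Bridged packets are seen by ipfw once, on input, with the receiving interface set, so the rules match on `in recv`.

```shell
#!/bin/sh
# Added example (not from the original post): enable ipfw filtering of
# bridged frames on a FreeBSD 4.x kernel built with options BRIDGE and
# IPFIREWALL, and build a minimal ruleset for the topology in the post.
# Assumptions (constructed): fxp0 = external NIC (no IP), fxp1 = internal
# NIC holding Host A's 24.2.0.1, bridged hosts in 24.2.0.0/24.

EXT_IF=fxp0
INT_IF=fxp1
BRIDGED_NET=24.2.0.0/24

# Weak setting: bridge on, bridge_ipfw left at its default of 0. Frames
# forwarded between fxp0 and fxp1 never enter ipfw, so Hosts B and C are
# unprotected even though Host A's own traffic is filtered.
bridge_sysctls_unfiltered() {
    printf 'net.link.ether.bridge=1\n'
    printf 'net.link.ether.bridge_cfg=%s,%s\n' "$EXT_IF" "$INT_IF"
}

# Corrected setting: the same bridge, plus bridge_ipfw=1 so that every
# bridged frame is passed through the ipfw ruleset on input.
bridge_sysctls() {
    bridge_sysctls_unfiltered
    printf 'net.link.ether.bridge_ipfw=1\n'
}

# Ruleset in the form accepted by "ipfw <file>". Bridged packets are only
# seen inbound, with the receive interface set, hence the "in recv" matches.
ipfw_rules() {
    cat <<EOF
flush
# loopback on Host A itself
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
# replies to connections the bridged hosts (and Host A) opened outbound
add 300 check-state
# services the bridged hosts expose to the Internet (constructed: ssh, http)
add 400 allow tcp from any to $BRIDGED_NET 22,80 in recv $EXT_IF setup keep-state
# everything else arriving from the Internet for the bridged network is dropped
add 500 deny log ip from any to $BRIDGED_NET in recv $EXT_IF
# outbound from the bridged hosts and Host A, tracked so replies pass rule 300
add 600 allow ip from $BRIDGED_NET to any keep-state
# default deny with logging
add 65000 deny log ip from any to any
EOF
}

# Count of "add" rules emitted, for a quick sanity check before loading.
rule_count() {
    ipfw_rules | grep -c '^add '
}
```

To apply on the bridge host: append the output of `bridge_sysctls` to /etc/sysctl.conf (or feed each line to sysctl -w), write `ipfw_rules` to a file and load it with `ipfw /path/to/file`. The deny rules log so that traffic silently vanishing between the bridged hosts shows up in the ipfw log rather than having to be inferred from the hosts going quiet.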