From owner-freebsd-net@freebsd.org Wed Jun 15 13:25:44 2016
Subject: Re: IPFW: Packet forwarding with bridges and vlans and Vimage? With an IP address.
From: Dr Josef Karthauser
Date: Wed, 15 Jun 2016 14:25:35 +0100
Message-Id: <33CB1553-0C61-410A-BB94-9C0CBB51E78C@truespeed.com>
To: freebsd-net@freebsd.org

> On 15 Jun 2016, at 14:04, Dr Josef Karthauser wrote:
>
> I don't have IP forwarding switched on and so I'd expect bridged packets to carry on being bridged irrespective of whether vlan9 has an IP address or not.
>
> What's strange is that ingress packets to the bridge are being forwarded ok, but egress packets out onto the vlan are being filtered.
>
> Is there something obvious that I've missed?
>
> Cheers,
> Joe

Ok, I've narrowed the problem down. It's related to the anti-spoofing ruleset. I've also got this in my ruleset:

    deny log ip from any to any not antispoof in

What's strange is that when vlan9 has an IP address this rule starts triggering for interfaces that it didn't before:

    Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via vnet0:13
    Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via bridge9
    Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via vnet0:13

Without the IP address I don't get any of these logged and no packets are filtered.
Why would anti-spoof filtering filter traffic on interfaces without IP addresses assigned when vlan9 is given an interface? I might expect that behaviour on the vlan, but not the other bridged interfaces.

Is this a "feature"?

Joe
—
Dr Josef Karthauser
Chief Technical Officer
(01225) 300371 / (07703) 596893
www.truespeed.com / theTRUESPEED
@theTRUESPEED
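The following is an added example, not code from the thread or from FreeBSD. It parses ipfw log lines in the format shown above and runs them through a simplified model of the incoming-direction antispoof test from ipfw(8): a packet whose source address lies inside a directly connected network is accepted only if it arrives on the interface that network is configured on. The interface table is constructed; the thread never states which address vlan9 was given, so placing 192.168.9.0/24 on vlan9 is an assumption chosen to match the logged source 192.168.9.3. Running the same log through an empty table reproduces the "no address, no denials" case.

```python
"""Model of ipfw's incoming 'antispoof' check applied to ipfw log lines.

Added example, not part of the original mailing-list thread. The interface
table is constructed: vlan9 carrying 192.168.9.0/24 is an assumption, the
thread only says vlan9 was given an IP address.
"""
import ipaddress
import re
from collections import Counter

# Log format written by ipfw's 'log' action, as quoted in the thread.
IPFW_LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample: the three lines reported in the thread.
SAMPLE_LOG = """\
Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via vnet0:13
Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via bridge9
Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via vnet0:13
"""

# Assumed directly connected networks once vlan9 has an address (assumption).
CONNECTED_WITH_VLAN_IP = {"vlan9": ["192.168.9.0/24"]}
# Before: neither vlan9 nor the bridge members carry an IPv4 address.
CONNECTED_WITHOUT_VLAN_IP = {}


def parse_ipfw_log(text):
    """Return one dict per recognisable ipfw log line."""
    entries = []
    for line in text.splitlines():
        m = IPFW_LOG_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def antispoof_in(src, in_iface, connected):
    """Simplified incoming antispoof test.

    Returns (ok, owner_iface): owner_iface is the interface whose directly
    connected network contains src, or None when src is not directly
    connected at all (antispoof then has nothing to object to).
    """
    addr = ipaddress.ip_address(src)
    for iface, nets in connected.items():
        for net in nets:
            if addr in ipaddress.ip_network(net):
                return (iface == in_iface, iface)
    return (True, None)


def explain_denials(log_text, connected):
    """Run the model over the log; return the incoming entries it would deny."""
    denied = []
    for e in parse_ipfw_log(log_text):
        if e["dir"] != "in":
            continue
        ok, owner = antispoof_in(e["src"], e["iface"], connected)
        if not ok:
            denied.append({"src": e["src"], "in_via": e["iface"], "expected_via": owner})
    return denied


def denials_per_interface(log_text, connected):
    """Count modelled denials per ingress interface; bridge members stand out here."""
    return Counter(d["in_via"] for d in explain_denials(log_text, connected))


if __name__ == "__main__":
    for d in explain_denials(SAMPLE_LOG, CONNECTED_WITH_VLAN_IP):
        print(f"{d['src']} came in via {d['in_via']}, connected network is on {d['expected_via']}")
    print("without vlan9 address:", explain_denials(SAMPLE_LOG, CONNECTED_WITHOUT_VLAN_IP))
```

With the assumed table, every logged packet is denied because its source is "directly connected" via vlan9 yet it is being inspected on vnet0:13 or bridge9 (the bridge passes member traffic through ipfw separately from the bridge interface itself, which is why the same packet appears more than once). With the empty table the model denies nothing, matching the report that nothing is logged before vlan9 has an address. When reviewing a ruleset like this, the useful check is whether an `antispoof` rule is being applied to bridge member interfaces at all, since their traffic is not routed through the interface that holds the address.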