From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 8 06:38:17 2004
Delivered-To: freebsd-ipfw@freebsd.org
To: freebsd-ipfw@freebsd.org
From: msch@snafu.de
X-Sender: msch@snafu.de
Date: Thu, 8 Jan 2004 14:38:12 GMT
X-Mailer: Endymion MailMan Standard Edition v3.0.35
Subject: ipfw on a bridge
List-Id: IPFW Technical Discussions
Precedence: list

Hi,

I'm working on a filtering bridge with ipfw2 on FreeBSD 5.1-RELEASE-p11. I made a test setup consisting of the bridge itself and a test client behind that bridge. 'fxp0' is the outer I/F, 'fxp1' the inner. Neither 'fxp0' nor 'fxp1' has an IP address. 'bge0' is the on-board I/F of the bridge host *with* an IP address.
My first test ruleset for ipfw on the bridge is:

    root@fw1.xxx.yyy.zzz - ~ 515 # ipfw list
    00100 check-state
    00200 skipto 3000 ip from any to any layer2
    00300 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state
    00400 allow ip from me to any xmit bge0 keep-state
    03000 allow ip from any to any layer2 not mac-type 0x0800
    03100 allow tcp from any to any in recv fxp1 setup keep-state
    03200 allow udp from any to any in recv fxp1 keep-state
    03300 allow ip from any to any in recv fxp1
    03400 deny log ip from any to any
    65535 deny ip from any to any

Rule 3000 should allow ARP requests, but doesn't work as expected. I have several questions on that rule.

The original syntax is from the ipfw(8) manpage and reads as follows:

    allow layer2 not mac-type ip

where 'ip' expands to '0x0800'.

1) Why does "allow layer2 mac-type 0x0806" *not* work, although '0x0806' is exactly the MAC type for ARP?

2) Why can I ping the internal client from outside if "allow layer2 not mac-type ip" is active, although the ICMP ping request comes to the bridge "in recv fxp0"?

3) If I look at the counters, the 'ping' uses rule #3000, although ICMP *is* mac-type 'ip'.

Can someone explain that behaviour? I read 'ipfw(8)' several times as well as the article on 'filtering bridges' on freebsd.org. "TCP/IP Illustrated" by W.R. Stevens is my best friend :-) but I remain irritated.

Thanks a lot - Matthias
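For the "which rule did the ping use?" check above, a small helper that diffs two `ipfw -a list` snapshots (rule number, packet count, byte count, rule body) taken before and after a test packet. This is an added illustration, not code from Matthias' post; the two snapshots embedded below are constructed sample data, not counters captured from his bridge.

```python
"""Diff two `ipfw -a list` snapshots to see which rules a test packet hit."""
import re
from typing import Dict, Tuple

# `ipfw -a list` prints: <rulenum> <packets> <bytes> <rule body>
LINE_RE = re.compile(r"^(\d{1,5})\s+(\d+)\s+(\d+)\s+(.*)$")

Counters = Dict[int, Tuple[int, int, str]]

def parse_counters(text: str) -> Counters:
    """Map rule number -> (packets, bytes, body); non-rule lines are skipped."""
    rules: Counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            num, pkts, nbytes, body = m.groups()
            rules[int(num)] = (int(pkts), int(nbytes), body)
    return rules

def counter_delta(before: Counters, after: Counters) -> Counters:
    """Rules whose packet counter grew, with (packet delta, byte delta, body)."""
    hits: Counters = {}
    for num, (pk_after, by_after, body) in after.items():
        pk_before, by_before, _ = before.get(num, (0, 0, body))
        if pk_after > pk_before:
            hits[num] = (pk_after - pk_before, by_after - by_before, body)
    return hits

# Constructed snapshots around one echo request/reply through the bridge.
BEFORE = """\
00100      12     1008 check-state
00200      40     3760 skipto 3000 ip from any to any layer2
03000      18     1116 allow ip from any to any layer2 not mac-type 0x0800
03300       5      420 allow ip from any to any in recv fxp1
03400       2      120 deny log ip from any to any
65535       0        0 deny ip from any to any
"""
AFTER = BEFORE.replace("00200      40     3760", "00200      42     3956") \
              .replace("03000      18     1116", "03000      20     1312") \
              .replace("03300       5      420", "03300       6      504")

def hits_for_sample() -> Counters:
    """Rules touched between the two constructed snapshots."""
    return counter_delta(parse_counters(BEFORE), parse_counters(AFTER))

if __name__ == "__main__":
    for num, (pk, by, body) in sorted(hits_for_sample().items()):
        print(f"rule {num:05d}: +{pk} pkts, +{by} bytes  {body}")
```

Take the first snapshot, send exactly one test packet through the bridge, take the second, and the rules listed are the only ones whose counters moved.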