From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: net@freebsd.org
Date: Wed, 11 Apr 2007 22:43:09 +0800
Message-ID: <20070411144309.GA3456@grosbein.pp.ru>
Subject: ipfw tags & filtering incoming broadcasts
List-Id: Networking and TCP/IP with FreeBSD

Hi!

I have a router based on FreeBSD 6 running quagga/RIPv2 and want to filter all incoming packets sent to it (not forwarded through it) with a small set of exceptions. This router uses ipfw for packet filtering. There is no problem filtering unicasts. But I also want to block all broadcasts except incoming RIPv2; some of the hardware routers here send broadcasts instead of multicasts.

I've tried this way:

  ipfw add 30 allow tag 1 ip from any to any MAC ff:ff:ff:ff:ff:ff any
  ipfw add 40 allow ip from any to any layer2
  ipfw add 50 count log ip from any to any tagged 1

I hoped that rule 30 would tag all broadcasts with tag 1 during the layer2 filtering pass and that the packet would keep its tag during layer3 filtering, but it seems it doesn't. If I send a broadcast with ping, I see that rules 30 and 40 match this outgoing broadcast but rule 50 does not.

Am I doing something wrong, or is this behaviour by design, or is this a bug that deserves a PR?

Eugene Grosbein