From: Ganbold <ganbold@micom.mng.net>
To: msch@snafu.de
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 09 Jan 2004 09:27:40 +0800
Subject: Re: ipfw on a bridge
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

Hi,

I also have a bridge with ipfw2 on FreeBSD 5.2-current, and the following rule passes ARP requests:

# pass ARP
${fwcmd} add 3000 allow layer2 mac-type arp

Ganbold

At 10:38 PM 08.01.2004, you wrote:
>Hi,
>
>I'm working on a filtering bridge with ipfw2 on FreeBSD 5.1-RELEASE-p11.
>I made a test-setup consisting of the bridge itself and a test-client
>behind that bridge. 'fxp0' is the outer I/F, 'fxp1' the inner.
>Neither 'fxp0' nor 'fxp1' has an IP-address. 'bge0' is the on-board I/F of
>the bridge-host *with* an IP-address.
>
>My first test-ruleset for ipfw on the bridge is:
>
>root@fw1.xxx.yyy.zzz - ~
>515 # ipfw list
>00100 check-state
>00200 skipto 3000 ip from any to any layer2
>00300 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state
>00400 allow ip from me to any xmit bge0 keep-state
>03000 allow ip from any to any layer2 not mac-type 0x0800
>03100 allow tcp from any to any in recv fxp1 setup keep-state
>03200 allow udp from any to any in recv fxp1 keep-state
>03300 allow ip from any to any in recv fxp1
>03400 deny log ip from any to any
>65535 deny ip from any to any
>
>Rule 3000 should allow for ARP-requests, but doesn't work as expected.
>I have several questions on that rule:
>
>The original syntax is from the ipfw(8)-manpage and reads as follows:
>
>"allow layer2 not mac-type ip" where 'ip' expands to '0x0800'
>
>Why does "allow layer2 mac-type 0x0806" *not* work, although '0x0806'
>is exactly the MAC-Type for ARP?
>
>Why can I ping the internal client from outside if
>"allow layer2 not mac-type ip" is active, although the ICMP ping-request
>comes to the bridge "in recv fxp0"? If I look at the counters, the 'ping'
>uses rule #3000, although ICMP *is* mac-type 'ip'.
>
>Can someone explain that behaviour? I read 'ipfw(8)' several times as well
>as the article on 'filtering bridges' on freebsd.org. "TCP/IP Illustrated"
>from W.R.Stevens is my best friend :-) but I remain irritated.
>
>Thanks a lot - Matthias
>
>
>_______________________________________________
>freebsd-ipfw@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
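The thread turns on which frames an ipfw `mac-type` option classifies as ARP or IP. The script below is an added example, not code from either poster or from the ipfw project: it builds an ARP request and an IPv4 ICMP echo request from scratch, decodes the Ethernet type field (the field `mac-type` compares against), and evaluates ipfw-style `[not] mac-type <spec>` options on those bytes, including the comma-separated and range forms the manpage allows for mac-type. The symbolic-name table, the MAC addresses, the 192.0.2.0/24 addresses and the two frames are all constructed for this example; check ipfw(8) on your release for the symbolic names it actually accepts.

```python
# Added example: classify Ethernet frames by the type field ipfw's
# mac-type option compares against, and evaluate "[not] mac-type <spec>"
# on constructed frames. Not code from the thread or from ipfw itself.
import struct

# Symbolic Ethernet type names with their IEEE-assigned values. This table
# is an assumption for the example; ipfw(8) lists the names it accepts.
ETHER_TYPES = {"ip": 0x0800, "arp": 0x0806, "rarp": 0x8035,
               "vlan": 0x8100, "ipv6": 0x86DD}


def ether_type(frame: bytes) -> int:
    """Return the 16-bit type field of an Ethernet II frame (bytes 12..13).
    This is the outer field: an 802.1Q-tagged frame reports 0x8100 here,
    and the encapsulated protocol's type sits four bytes further in."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


def parse_mac_type_spec(spec: str) -> list:
    """Parse a mac-type argument into (lo, hi) ranges, following the
    port-number syntax ipfw(8) prescribes: comma-separated single values or
    lo-hi ranges, each a symbolic name, a decimal or a 0x-hex number."""
    def value(tok: str) -> int:
        tok = tok.strip().lower()
        if tok in ETHER_TYPES:
            return ETHER_TYPES[tok]
        v = int(tok, 0)
        if not 0 <= v <= 0xFFFF:
            raise ValueError(f"ethertype out of range: {tok}")
        return v

    ranges = []
    for item in spec.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            ranges.append((value(lo), value(hi)))
        else:
            v = value(item)
            ranges.append((v, v))
    return ranges


def mac_type_matches(option: str, frame: bytes) -> bool:
    """Evaluate an option of the form '[not] mac-type <spec>' on a frame."""
    tokens = option.split()
    negate = tokens[:1] == ["not"]
    if negate:
        tokens = tokens[1:]
    if len(tokens) != 2 or tokens[0] != "mac-type":
        raise ValueError(f"unsupported option: {option!r}")
    t = ether_type(frame)
    hit = any(lo <= t <= hi for lo, hi in parse_mac_type_spec(tokens[1]))
    return hit != negate


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_arp_request(src_mac: bytes, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Broadcast ARP 'who-has dst_ip' request; Ethernet type 0x0806."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHER_TYPES["arp"])
    # hw type 1 (Ethernet), proto 0x0800, hw len 6, proto len 4, op 1 (request)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
           + src_mac + src_ip + b"\x00" * 6 + dst_ip)
    return eth + arp


def build_icmp_echo(src_mac: bytes, dst_mac: bytes,
                    src_ip: bytes, dst_ip: bytes) -> bytes:
    """IPv4 ICMP echo request; Ethernet type 0x0800, IP protocol 1."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHER_TYPES["ip"])
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                      64, 1, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return eth + hdr + icmp


# Constructed sample frames: made-up MACs, TEST-NET-1 addresses.
CLIENT_MAC = bytes.fromhex("02000000aa01")
OUTSIDE_MAC = bytes.fromhex("02000000bb01")
CLIENT_IP = bytes([192, 0, 2, 10])
OUTSIDE_IP = bytes([192, 0, 2, 20])
ARP_REQUEST = build_arp_request(OUTSIDE_MAC, OUTSIDE_IP, CLIENT_IP)
ICMP_ECHO = build_icmp_echo(OUTSIDE_MAC, CLIENT_MAC, OUTSIDE_IP, CLIENT_IP)


def classify(frame: bytes) -> dict:
    """Evaluate the three mac-type forms discussed in the thread on a frame."""
    return {opt: mac_type_matches(opt, frame)
            for opt in ("mac-type arp", "mac-type 0x0806", "not mac-type ip")}


if __name__ == "__main__":
    for name, frame in (("ARP request", ARP_REQUEST), ("ICMP echo", ICMP_ECHO)):
        print(f"{name}: type 0x{ether_type(frame):04x} -> {classify(frame)}")
```

Run stand-alone, the script reports the ARP request as type 0x0806, matching all three options, and the ICMP echo as type 0x0800, matching none of them. It only decides what the type field says about a frame; it does not model ipfw's rule walk, so it says nothing about which rule a real bridge will count a given packet against.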