From: Julian Elischer
Date: Wed, 11 Apr 2007 08:47:21 -0700
To: Eugene Grosbein
Cc: net@freebsd.org
Subject: Re: ipfw tags & filtering incoming broadcasts

Eugene Grosbein wrote:
> Hi!
>
> I have a router based on FreeBSD 6 running quagga/RIPv2
> and want to filter all incoming packets sent to it (not forwarded through it)
> with a small set of exceptions. This router uses ipfw for packet filtering.
>
> There is no problem filtering unicasts. But I also want to block all
> broadcasts except incoming RIPv2; some hardware
> routers send broadcasts instead of multicasts here.
>
> I've tried this way:
>
> ipfw add 30 allow tag 1 ip from any to any MAC ff:ff:ff:ff:ff:ff any

the MAC or layer2 commands are only useful if you are calling the firewall
from the NIC layer.. have you turned on the layer 2 entry points?
sysctl net.link.ether.{something} (I forget exactly)

> ipfw add 40 allow ip from any to any layer2
> ipfw add 50 count log ip from any to any tagged 1
>
> I hoped that rule 30 would tag all broadcasts with tag 1 during the layer2
> filtering pass and it'd keep its tag during the layer3 filtering pass, but it seems
> it doesn't. If I send a broadcast with ping
> I see that rules 30 and 40 match this outgoing broadcast
> but rule 50 does not. Am I doing something wrong, or
> is this behaviour by design, or is this a bug that deserves a PR?
>
> Eugene Grosbein
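As an added example (not code from the thread or from either poster), the following script assembles the complete ruleset the question is aiming at: enable the layer-2 ipfw hook, tag Ethernet broadcasts during the inbound layer-2 pass, and at layer 3 let only RIPv2 (UDP port 520) broadcasts reach the router itself while logging and dropping the rest. It assumes the sysctl is `net.link.ether.ipfw`, that a tag set in the inbound layer-2 pass is still present when the same packet reaches the layer-3 pass, and that rule numbers 30-60 are free; it prints the commands rather than running them so the ruleset can be reviewed before being piped into `sh` on the router.

```shell
#!/bin/sh
# Builds (but does not apply) an ipfw ruleset that admits RIPv2 broadcasts
# to the router and blocks every other broadcast addressed to it.
# Assumption: ipfw tags survive from the inbound layer-2 pass (ether_demux)
# into the layer-3 pass (ip_input) for the same packet.

TAG=1          # ipfw tag used to mark broadcast frames (constructed value)
RIP_PORT=520   # RIPv2 speaks UDP on port 520

# The layer-2 entry points are off by default; without this sysctl the
# "layer2" and "MAC" rules below never see a packet.
layer2_hook() {
    echo "sysctl net.link.ether.ipfw=1"
}

# Rule numbers 30-60 are chosen for this example only.
broadcast_rules() {
    # Layer-2 pass (inbound): tag frames sent to the broadcast MAC, pass all frames.
    echo "ipfw add 30 allow tag $TAG ip from any to any MAC ff:ff:ff:ff:ff:ff any layer2 in"
    echo "ipfw add 40 allow ip from any to any layer2"
    # Layer-3 pass: a tagged packet may reach the router's own stack only if it is RIPv2 ...
    echo "ipfw add 50 allow udp from any to me $RIP_PORT in tagged $TAG"
    # ... every other tagged (broadcast) packet destined to the router is logged and dropped.
    echo "ipfw add 60 deny log ip from any to me in tagged $TAG"
}

# Full ruleset in the order it must be applied.
ruleset() {
    layer2_hook
    broadcast_rules
}

ruleset
```

Broadcasts that are merely forwarded through the router never match the `to me` rules, so transit traffic is unaffected by rules 50 and 60.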