Date:      Wed, 11 Apr 2007 08:47:21 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Eugene Grosbein <eugen@grosbein.pp.ru>
Cc:        net@freebsd.org
Subject:   Re: ipfw tags & filtering incoming broadcasts
Message-ID:  <461D0309.5080602@elischer.org>
In-Reply-To: <20070411144309.GA3456@grosbein.pp.ru>
References:  <20070411144309.GA3456@grosbein.pp.ru>

Eugene Grosbein wrote:
> Hi!
> 
> I have a router based on FreeBSD 6 running quagga/RIPv2
> and want to filter all incoming packets sent to it (not forwarded through it)
> with a small set of exceptions. This router uses ipfw for packet filtering.
> 
> There is no problem to filter unicasts. But I want also block all
> broadcasts except for incoming RIPv2, some of hardware
> routers send broadcasts instead of multicasts here.
> 
> I've tried this way:
> 
> ipfw add 30 allow tag 1 ip from any to any MAC ff:ff:ff:ff:ff:ff any

The MAC or layer2 commands are only useful if you are calling the
firewall from the NIC layer.
Have you turned on the layer 2 entrypoints?

sysctl net.link.ether.{something} (I forget exactly)

> ipfw add 40 allow ip from any to any layer2
> ipfw add 50 count log ip from any to any tagged 1
> 
> I hoped that rule 30 would tag all broadcasts with tag 1 during layer2
> filtering pass and it'd keep its tag during layer3 filtering but it seems
> it doesn't. If I send a broadcast with ping <IP-broadcast>
> I see that rules 30 and 40 match this outgoing broadcast
> but rule 50 does not. Am I doing something wrong or
> is this behaviour by design or is this a bug that deserves a PR?
> 
> Eugene Grosbein