From owner-freebsd-net@FreeBSD.ORG Wed Apr 11 16:21:04 2007
Return-Path:
X-Original-To: net@freebsd.org
Delivered-To: freebsd-net@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 91EEB16A403 for ; Wed, 11 Apr 2007 16:21:04 +0000 (UTC) (envelope-from eugen@www.svzserv.kemerovo.su)
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by mx1.freebsd.org (Postfix) with ESMTP id F23B513C484 for ; Wed, 11 Apr 2007 16:21:03 +0000 (UTC) (envelope-from eugen@www.svzserv.kemerovo.su)
Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1]) by www.svzserv.kemerovo.su (8.13.8/8.13.8) with ESMTP id l3BGKrLb094701; Thu, 12 Apr 2007 00:20:53 +0800 (KRAST) (envelope-from eugen@www.svzserv.kemerovo.su)
Received: (from eugen@localhost) by www.svzserv.kemerovo.su (8.13.8/8.13.8/Submit) id l3BGKqOg094699; Thu, 12 Apr 2007 00:20:52 +0800 (KRAST) (envelope-from eugen)
Date: Thu, 12 Apr 2007 00:20:52 +0800
From: Eugene Grosbein
To: Julian Elischer
Cc: net@freebsd.org
Subject: Re: ipfw tags & filtering incoming broadcasts
Message-ID: <20070411162052.GA94437@svzserv.kemerovo.su>
References: <20070411144309.GA3456@grosbein.pp.ru> <461D0309.5080602@elischer.org>
In-Reply-To: <461D0309.5080602@elischer.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.1i
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 11 Apr 2007 16:21:04 -0000

On Wed, Apr 11, 2007 at 08:47:21AM -0700, Julian Elischer wrote:

> the MAC or layer2 commands are only useful if you are calling the
> firewall from the NIC layer..
> have you turned on the layer 2 entrypoints?
> sysctl net.link.ether.{something} (I forget exactly)

It's net.link.ether.ipfw, and yes, I turned this on, or else rule 40
wouldn't match a packet, but it does, as I noted:

> > ipfw add 40 allow ip from any to any layer2
> > ipfw add 50 count log ip from any to any tagged 1
> >
> > I hoped that rule 30 would tag all broadcasts with tag 1 during the layer2
> > filtering pass and it'd keep its tag during the layer3 filtering pass, but it
> > seems it doesn't. If I send a broadcast with ping
> > I see that rules 30 and 40 match this outgoing broadcast
> > but rule 50 does not.

Eugene
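The test Eugene describes (tag at the layer2 pass, look for the tag at the layer3 pass, compare the counters) can be scripted so the result is read from `ipfw -a list` rather than by eye. The script below is an added example, not code from the thread or from FreeBSD; rule numbers 30/40/50, tag 1 and the `net.link.ether.ipfw` sysctl come from the mail, while the wording of rule 30 (the mail does not quote it), the broadcast address, the packet count and the helper names are assumptions. `setup_tag_test` and `send_broadcast` need root on a FreeBSD host with ipfw; `tag_survived` only parses `ipfw -a list` output and runs anywhere, so it is exercised here on a constructed snapshot in the same shape as the mail's observation (rules 30 and 40 fire, rule 50 does not).

```shell
#!/bin/sh
# Added example: reproduce the "does an ipfw tag survive from the layer2 pass
# to the layer3 pass" test from the thread. Assumed values: broadcast address,
# 3 pings, the exact text of rule 30, and all function names.

BCAST="${BCAST:-255.255.255.255}"   # assumed broadcast destination
PINGS=3                             # assumed number of probes

# Requires root on FreeBSD with ipfw loaded.
setup_tag_test() {
    # Without the layer2 entry point, rules carrying "layer2" never match.
    sysctl net.link.ether.ipfw=1
    ipfw delete 30 40 50 2>/dev/null
    # Rule 30 (assumed wording): at the layer2 pass, tag outgoing broadcasts.
    ipfw add 30 count tag 1 ip from any to "$BCAST" out layer2
    # Rule 40 (from the mail): let the layer2 pass finish so the IP pass runs.
    ipfw add 40 allow ip from any to any layer2
    # Rule 50 (from the mail): at the IP pass, count packets still tagged 1.
    ipfw add 50 count log ip from any to any tagged 1
}

send_broadcast() {
    ipfw zero 30 40 50
    # ping may exit non-zero on a broadcast; only the sent packets matter.
    ping -c "$PINGS" "$BCAST" >/dev/null 2>&1 || true
}

# Print the packet counter of one rule from "ipfw -a list" output on stdin.
# Output lines look like: "00030 3 252 count tag 1 ip from any to ...".
rule_packets() {
    awk -v rule="$1" '$1 + 0 == rule + 0 { print $2; exit }'
}

# Read one "ipfw -a list" snapshot on stdin and decide whether the tag set by
# rule 30 was still visible to rule 50 at the IP pass.
# Exit 0: tag survived; 1: tag lost; 2: rule 30 never fired (test invalid).
tag_survived() {
    snapshot=$(cat)
    tagged=$(printf '%s\n' "$snapshot" | rule_packets 30)
    seen=$(printf '%s\n' "$snapshot" | rule_packets 50)
    [ "${tagged:-0}" -gt 0 ] || return 2
    [ "${seen:-0}" -ge "$tagged" ]
}

# Constructed snapshots (not real ipfw output) in the "ipfw -a list" layout.
# SAMPLE_TAG_LOST mirrors what the mail reports: 30 and 40 match, 50 does not.
SAMPLE_TAG_LOST='00030 3 252 count tag 1 ip from any to 255.255.255.255 out layer2
00040 3 252 allow ip from any to any layer2
00050 0 0 count log ip from any to any tagged 1
65535 0 0 deny ip from any to any'

# SAMPLE_TAG_KEPT is the outcome the mail hoped for.
SAMPLE_TAG_KEPT='00030 3 252 count tag 1 ip from any to 255.255.255.255 out layer2
00040 3 252 allow ip from any to any layer2
00050 3 252 count log ip from any to any tagged 1
65535 0 0 deny ip from any to any'

# Live run on a FreeBSD box: sh tagtest.sh run
if [ "${1:-}" = "run" ]; then
    setup_tag_test
    send_broadcast
    if ipfw -a list | tag_survived; then
        echo "tag 1 survived into the layer3 pass"
    else
        echo "tag 1 did not reach rule 50 (status $?)"
    fi
fi
```

Note that rule 40 is what makes the comparison meaningful: with `net.link.ether.ipfw=1` every frame passes the rule set at layer2 first, and anything not allowed there never reaches rule 50 at all, so a zero counter on 50 would otherwise say nothing about tags.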