Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 09 Jan 2004 16:51:21 +0800
From:      Ganbold <ganbold@micom.mng.net>
To:        msch@snafu.de
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw on a bridge
Message-ID:  <6.0.1.1.2.20040109164801.029ba060@202.179.0.80>
In-Reply-To: <E1AerwP-0005mN-00@smart.eusc.inter.net>
References:  <E1AerwP-0005mN-00@smart.eusc.inter.net>
next in thread | previous in thread | raw e-mail | index | archive | help 

Hi,

My sysctl.conf:

net.link.ether.bridge_cfg=fxp0:0,fxp1:0
net.link.ether.bridge_ipfw=1
net.link.ether.bridge.enable=1
net.inet.ip.fw.one_pass=0
security.bsd.see_other_uids=0
net.link.ether.inet.max_age=1200
kern.ipc.somaxconn=1024
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.fw.dyn_buckets=16384
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_udp_lifetime=10
net.inet.ip.fw.dyn_syn_lifetime=5
net.inet.ip.fw.dyn_max=32000
net.inet.ip.fw.debug=0
net.inet.ip.dummynet.max_chain_len=256
net.inet.ip.dummynet.hash_size=1024
net.inet.ip.fw.verbose_limit=1

My kernel config:
...
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         IPDIVERT
options         TCPDEBUG
options         IPSTEALTH
options         TCP_DROP_SYNFIN
options         DUMMYNET
options         HZ=1000
options         BRIDGE
...

My rc.conf
...
log_in_vain=1
icmp_drop_redirect="YES"
icmp_log_redirect=YES
tcp_drop_synfin="YES"
tcp_restrict_rst="YES"


Ganbold


At 04:24 PM 09.01.2004, you wrote:
>Hi,
>
> > I also have bridge ipfw2 on FreeBSD 5.2-current.
> > And following rule passes arp requests.
> >
> > # pass ARP
> > ${fwcmd} add 3000 allow layer2 mac-type arp
>
>This is exactly what doesn't work here :-(
>
>Would you tell me your related sysctl-values and kernel options?
>
>Mine here are: (/etc/sysctl.conf)
>
>net.link.ether.bridge_cfg=fxp0,fxp1
>net.link.ether.bridge_ipfw=1
>net.link.ether.bridge=1
>
>and:
>
>options         BRIDGE                  #bridge-ability
>options         IPFIREWALL              #firewall
>options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
>options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
>
>Thanks so far - Matthias

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.1.1.2.20040109164801.029ba060>