From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 9 00:47:40 2004
Message-Id: <6.0.1.1.2.20040109164801.029ba060@202.179.0.80>
Date: Fri, 09 Jan 2004 16:51:21 +0800
From: Ganbold
To: msch@snafu.de
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw on a bridge
List-Id: IPFW Technical Discussions

Hi,

My sysctl.conf:

net.link.ether.bridge_cfg=fxp0:0,fxp1:0
net.link.ether.bridge_ipfw=1
net.link.ether.bridge.enable=1
net.inet.ip.fw.one_pass=0
security.bsd.see_other_uids=0
net.link.ether.inet.max_age=1200
kern.ipc.somaxconn=1024
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.fw.dyn_buckets=16384
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_udp_lifetime=10
net.inet.ip.fw.dyn_syn_lifetime=5
net.inet.ip.fw.dyn_max=32000
net.inet.ip.fw.debug=0
net.inet.ip.dummynet.max_chain_len=256
net.inet.ip.dummynet.hash_size=1024
net.inet.ip.fw.verbose_limit=1

My kernel config:

...
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options TCPDEBUG
options IPSTEALTH
options TCP_DROP_SYNFIN
options DUMMYNET
options HZ=1000
options BRIDGE
...

My rc.conf

...
log_in_vain=1
icmp_drop_redirect="YES"
icmp_log_redirect=YES
tcp_drop_synfin="YES"
tcp_restrict_rst="YES"

Ganbold

At 04:24 PM 09.01.2004, you wrote:
>Hi,
>
> > I also have bridge ipfw2 on FreeBSD 5.2-current.
> > And following rule passes arp requests.
> >
> > # pass ARP
> > ${fwcmd} add 3000 allow layer2 mac-type arp
>
>This is exactly what doesn't work here :-(
>
>Would you tell me your related sysctl-values and kernel options?
>
>Mine here are: (/etc/sysctl.conf)
>
>net.link.ether.bridge_cfg=fxp0,fxp1
>net.link.ether.bridge_ipfw=1
>net.link.ether.bridge=1
>
>and:
>
>options BRIDGE #bridge-ability
>options IPFIREWALL #firewall
>options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
>options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
>
>Thanks so far - Matthias
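An added example, not part of either message in this thread: a POSIX sh checker for a sysctl.conf-style file that reports whether bridging is enabled, whether bridged frames are handed to ipfw at all (net.link.ether.bridge_ipfw=1; with it off the bridge forwards every frame and the layer2 rules above are never consulted), and whether net.link.ether.bridge_cfg names any interfaces. The function names sysctl_value and check_bridge_fw_cfg and the three sample files are constructed here, modelled on the two configurations quoted in the thread; the checker accepts both spellings of the bridge-enable key that appear above rather than deciding which one a given kernel exposes.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sysctl.conf-style file for the
# settings a bridging ipfw host depends on.  Key names are the ones quoted in
# the two messages; which spelling a given FreeBSD release accepts is left to
# `sysctl -a` on the host, this script only reports what the file sets.

# Print the value of KEY from FILE (last assignment wins), with inline
# comments, surrounding quotes and trailing blanks removed.  Prints nothing
# when the key is absent.  Dots in KEY are escaped so they match literally.
sysctl_value() {
    sv_key=$(printf '%s' "$1" | sed 's/\./\\./g'); sv_file=$2
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$sv_key[[:space:]]*=[[:space:]]*//p" "$sv_file" \
        | sed -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//' | tail -n 1
}

# Return 0 when FILE enables the bridge, hooks bridged frames into ipfw and
# lists the bridged interfaces; otherwise print what is missing and return 1.
check_bridge_fw_cfg() {
    cb_file=$1; cb_rc=0
    br_enable=$(sysctl_value net.link.ether.bridge.enable "$cb_file")
    [ -n "$br_enable" ] || br_enable=$(sysctl_value net.link.ether.bridge "$cb_file")
    if [ "$br_enable" != "1" ]; then
        echo "$cb_file: bridge not enabled (net.link.ether.bridge.enable / net.link.ether.bridge)"
        cb_rc=1
    fi
    br_ipfw=$(sysctl_value net.link.ether.bridge_ipfw "$cb_file")
    if [ "$br_ipfw" != "1" ]; then
        echo "$cb_file: bridged frames bypass ipfw (net.link.ether.bridge_ipfw is not 1)"
        cb_rc=1
    fi
    br_cfg=$(sysctl_value net.link.ether.bridge_cfg "$cb_file")
    if [ -z "$br_cfg" ]; then
        echo "$cb_file: no bridged interfaces listed (net.link.ether.bridge_cfg)"
        cb_rc=1
    fi
    return $cb_rc
}

# Constructed samples modelled on the two configurations quoted in the thread,
# plus one that forwards without filtering (the failure mode worth catching).
SAMPLE_GANBOLD=$(mktemp); SAMPLE_MATTHIAS=$(mktemp); SAMPLE_BYPASS=$(mktemp)
trap 'rm -f "$SAMPLE_GANBOLD" "$SAMPLE_MATTHIAS" "$SAMPLE_BYPASS"' EXIT
cat > "$SAMPLE_GANBOLD" <<'EOF'
net.link.ether.bridge_cfg=fxp0:0,fxp1:0
net.link.ether.bridge_ipfw=1
net.link.ether.bridge.enable=1
net.inet.ip.fw.one_pass=0
EOF
cat > "$SAMPLE_MATTHIAS" <<'EOF'
net.link.ether.bridge_cfg=fxp0,fxp1
net.link.ether.bridge_ipfw=1
net.link.ether.bridge=1
EOF
cat > "$SAMPLE_BYPASS" <<'EOF'
net.link.ether.bridge_cfg="fxp0,fxp1"   # quoted value with a trailing comment
net.link.ether.bridge.enable=1
net.link.ether.bridge_ipfw=0
EOF

for f in "$SAMPLE_GANBOLD" "$SAMPLE_MATTHIAS" "$SAMPLE_BYPASS"; do
    if check_bridge_fw_cfg "$f"; then echo "$f: ok"; fi
done
```

The two quoted files pass the same checks even though they spell the enable key differently (net.link.ether.bridge.enable versus net.link.ether.bridge) and write bridge_cfg with and without the cluster suffix (fxp0:0,fxp1:0 versus fxp0,fxp1); only the third, constructed file is flagged, because bridge_ipfw=0 leaves the bridge forwarding with nothing filtered.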