From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: eugen@grosbein.pp.ru
Cc: net@freebsd.org
Date: Wed, 11 Apr 2007 21:27:27 +0400
Message-Id: <74021176312447@webmail28.yandex.ru>
Subject: Re: ipfw tags & filtering incoming broadcasts

> Hi!
> I have a router based on FreeBSD 6 running quagga/RIPv2
> and want to filter all incoming packets sent to it (not forwarded through it)
> with a small set of exceptions. This router uses ipfw for packet filtering.

You can use "in recv" keywords to determine incoming packets.

> There is no problem to filter unicasts. But I also want to block all
> broadcasts except incoming RIPv2; some hardware
> routers send broadcasts instead of multicasts here.
> I've tried this way:
> ipfw add 30 allow tag 1 ip from any to any MAC ff:ff:ff:ff:ff:ff any

If you want to use tags in the next rules, you should use `count' action instead of `allow'.

> ipfw add 40 allow ip from any to any layer2
> ipfw add 50 count log ip from any to any tagged 1
> I hoped that rule 30 would tag all broadcasts with tag 1 during the layer2
> filtering pass and it'd keep its tag during the layer3 filtering, but it seems
> it doesn't. If I send a broadcast with ping
> I see that rules 30 and 40 match this outgoing broadcast
> but rule 50 does not. Am I doing something wrong, or
> is this behaviour by design, or is this a bug that deserves a PR?

If you want to filter RIPv2 packets, maybe it's a good idea to use src-port or dst-port 520 with udp protocol?

-- 
WBR, Andrey V. Elsukov
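The ruleset below is an added illustration of the three suggestions in the reply (it is not code from either poster): tag link-layer broadcasts with `count` rather than `allow` so that rule processing continues, match RIPv2 on udp port 520, and use `in recv` to select packets arriving on the interface rather than traffic being forwarded. The interface name `em0`, the rule numbers, tag number 1 and the ssh exception are assumptions chosen for the example; the script prints the rules by default and only loads them into ipfw when run with `--apply`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD ipfw with the
# layer2 pass enabled (net.link.ether.ipfw=1) so that the MAC rule is
# evaluated; interface name, rule numbers and tag number are assumptions.
IF="${IF:-em0}"
IPFW="${IPFW:-ipfw}"   # set IPFW=echo to print the rules instead of loading them

# Load (or, with IPFW=echo, print) the ruleset in the order ipfw evaluates it.
load_rules() {
    # layer2 pass: mark link-layer broadcasts with tag 1 but keep going.
    # `count' does not terminate the search, so later rules still run.
    $IPFW add 30 count tag 1 ip from any to any MAC ff:ff:ff:ff:ff:ff any layer2
    $IPFW add 40 allow ip from any to any layer2

    # layer3 pass, packets arriving on $IF that are addressed to this box:
    # RIPv2 travels as udp with source and destination port 520, so it is
    # matched on the port rather than on the broadcast address.
    $IPFW add 100 allow udp from any 520 to any 520 in recv "$IF"
    # every other packet that entered as a broadcast is logged and dropped
    $IPFW add 110 deny log ip from any to any in recv "$IF" tagged 1
    # unicast traffic to the router itself: the exceptions, then deny the rest
    $IPFW add 120 allow tcp from any to me 22 in recv "$IF"
    $IPFW add 130 deny log ip from any to me in recv "$IF"

    # traffic that is only forwarded through the router is not touched above
    $IPFW add 65000 allow ip from any to any
}

# Dry-run helper: how many rules mention port 520 (expected: exactly one).
ripv2_rule_count() {
    (IPFW=echo; load_rules) | grep -c ' 520 '
}

case "${1:-}" in
    --apply) load_rules ;;
    *)       (IPFW=echo; load_rules) ;;   # default is a dry run
esac
```

Run it without arguments to review the generated rules, then with `--apply` on the router. Rule 110 depends on the layer2 tag surviving into the layer3 pass, which is exactly the behaviour the original poster was unsure about; rule 100 does not, which is why the reply's port-based match is the more robust of the two.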