From owner-freebsd-net@FreeBSD.ORG Thu Apr 12 01:01:29 2007
Return-Path:
X-Original-To: net@freebsd.org
Delivered-To: freebsd-net@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3B66A16A400 for ; Thu, 12 Apr 2007 01:01:29 +0000 (UTC) (envelope-from eugen@www.svzserv.kemerovo.su)
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by mx1.freebsd.org (Postfix) with ESMTP id 93C1D13C44C for ; Thu, 12 Apr 2007 01:01:27 +0000 (UTC) (envelope-from eugen@www.svzserv.kemerovo.su)
Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1]) by www.svzserv.kemerovo.su (8.13.8/8.13.8) with ESMTP id l3C11Njq041986; Thu, 12 Apr 2007 09:01:23 +0800 (KRAST) (envelope-from eugen@www.svzserv.kemerovo.su)
Received: (from eugen@localhost) by www.svzserv.kemerovo.su (8.13.8/8.13.8/Submit) id l3C11MVL041984; Thu, 12 Apr 2007 09:01:22 +0800 (KRAST) (envelope-from eugen)
Date: Thu, 12 Apr 2007 09:01:22 +0800
From: Eugene Grosbein
To: "Andrey V. Elsukov"
Message-ID: <20070412010122.GA41509@svzserv.kemerovo.su>
References: <74021176312447@webmail28.yandex.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <74021176312447@webmail28.yandex.ru>
User-Agent: Mutt/1.4.2.1i
Cc: net@freebsd.org
Subject: Re: ipfw tags & filtering incoming broadcasts
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 12 Apr 2007 01:01:29 -0000

On Wed, Apr 11, 2007 at 09:27:27PM +0400, Andrey V. Elsukov wrote:

> > I have a router based on FreeBSD 6 running quagga/RIPv2
> > and want to filter all incoming packets sent to it (not forwarded through it)
> > with a small set of exceptions. This router uses ipfw for packet filtering.
>
> You can use "in recv" keywords to determine incoming packets.

I know, thanks. Now I'm just trying to make it work somehow, but still without success.

> > There is no problem to filter unicasts. But I also want to block all
> > broadcasts except incoming RIPv2; some hardware
> > routers send broadcasts instead of multicasts here.
> > I've tried this way:
> > ipfw add 30 allow tag 1 ip from any to any MAC ff:ff:ff:ff:ff:ff any
>
> If you want to use tags in the next rules, you should use the `count' action
> instead of `allow'.

I've just tried, replaced "allow" with "count" in rule 30, but nothing changed.
And I think there should be no difference for this set of 3 rules, because
a packet needs to be _allowed_ during the layer2 pass to reach the layer3 pass
where tags are used. So it should not matter whether rule 30 passes such packets
or rule 40.

> > ipfw add 40 allow ip from any to any layer2
> > ipfw add 50 count log ip from any to any tagged 1
> > I hoped that rule 30 would tag all broadcasts with tag 1 during the layer2
> > filtering pass and it'd keep its tag during layer3 filtering, but it seems
> > it doesn't. If I send a broadcast with ping
> > I see that rules 30 and 40 match this outgoing broadcast
> > but rule 50 does not. Am I doing something wrong, or
> > is this behaviour by design, or is this a bug that deserves a PR?
>
> If you want to filter RIPv2 packets, maybe it's a good idea
> to use src-port or dst-port 520 with the udp protocol?

I also want to learn how to distinguish unicast UDP from broadcast UDP.

Eugene
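The ruleset below is an added example written for this editorial pass; it is not code from Eugene's or Andrey's messages. It puts the pieces discussed in the thread together: a layer2 `count tag 1` rule for frames sent to the broadcast MAC, `in recv` to restrict the layer3 rules to packets addressed to the router itself, and `udp ... 520` for RIPv2. Because the thread reports that the layer2 tag was not seen by the layer3 rule in its test (which sent an outgoing broadcast with ping; this example covers the incoming direction only, where the layer2 pass precedes the layer3 pass as the post describes), the broadcast-versus-unicast distinction is also made without tags, by destination address: an IPv4 broadcast is addressed to 255.255.255.255 or to the subnet-directed broadcast address, while unicast to the router matches ipfw's `me`. Layer2 rules only run when `net.link.ether.ipfw=1`. The interface name `em0`, the LAN broadcast address `192.0.2.255` and SSH as the only exposed unicast service are placeholder assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread above.  An ipfw ruleset for a
# FreeBSD router that filters packets addressed to the router itself
# ("in recv", i.e. not forwarded), admits RIPv2 whether it arrives as
# multicast or as a broadcast from hardware routers, and drops every other
# broadcast.  Layer2 rules only run when sysctl net.link.ether.ipfw=1.
# Assumptions (placeholders, change for your site): the outside interface
# is em0, the LAN's directed-broadcast address is 192.0.2.255, and SSH is
# the only unicast service the router exposes.

fwcmd=${fwcmd:-/sbin/ipfw}          # set fwcmd=echo to print the rules instead
ext_if=${ext_if:-em0}                # assumption: outside interface
lan_bcast=${lan_bcast:-192.0.2.255}  # assumption: subnet-directed broadcast

install_rules() {
    $fwcmd -f flush

    # Layer2 pass.  "count" (not "allow") tags frames sent to the broadcast
    # MAC and lets them fall through to rule 40, so the frame is still passed
    # by a layer2 rule and the tag can be carried into the layer3 pass.
    $fwcmd add 30 count tag 1 ip from any to any MAC ff:ff:ff:ff:ff:ff any layer2 in
    $fwcmd add 40 allow ip from any to any layer2

    # Layer3 pass, packets addressed to this host only ("in recv").
    # RIPv2 sent as a broadcast (udp/520): first by the layer2 tag, then,
    # not depending on the tag, by the two broadcast destination addresses.
    $fwcmd add 100 allow udp from any to any 520 in recv "$ext_if" tagged 1
    $fwcmd add 105 allow udp from any to 255.255.255.255 520 in recv "$ext_if"
    $fwcmd add 106 allow udp from any to "$lan_bcast" 520 in recv "$ext_if"
    # RIPv2 as multicast needs no tag at all.
    $fwcmd add 110 allow udp from any to 224.0.0.9 520 in recv "$ext_if"

    # Every other broadcast: tagged by the layer2 pass, or (independent of
    # tags) sent to the limited or the subnet-directed broadcast address.
    # The address match is what tells broadcast UDP from unicast UDP.
    $fwcmd add 120 deny log ip from any to any in recv "$ext_if" tagged 1
    $fwcmd add 130 deny log ip from any to 255.255.255.255 in recv "$ext_if"
    $fwcmd add 140 deny log ip from any to "$lan_bcast" in recv "$ext_if"

    # Unicast to the router ("me"): short allow-list, then drop the rest.
    $fwcmd add 200 allow tcp from any to me 22 in recv "$ext_if"
    $fwcmd add 210 deny log ip from any to me in recv "$ext_if"

    # Traffic forwarded through the router is outside this example's scope.
    $fwcmd add 65000 allow ip from any to any
}

# Usage: "sh rules.sh load" installs the rules;
# "fwcmd=echo sh rules.sh load" prints them for review without touching ipfw.
if [ "${1:-}" = load ]; then
    install_rules
fi
```

Review the printed output with `fwcmd=echo` before loading it on a remote box; rule 210 drops every unicast packet to the router that is not on the allow-list, so an incomplete list locks you out of the management session.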