Date:      Mon, 23 Nov 1998 13:38:25 -0500
From:      Dave Alden <alden@math.ohio-state.edu>
To:        Luigi Rizzo <luigi@labinfo.iet.unipi.it>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: bridging hints?
Message-ID:  <19981123133825.A5023@zaphod.mps.ohio-state.edu>
In-Reply-To: <199811210400.FAA28620@labinfo.iet.unipi.it>; from Luigi Rizzo on Sat, Nov 21, 1998 at 05:00:58AM +0100
References:  <199811202109.QAA06927@math.mps.ohio-state.edu> <199811210400.FAA28620@labinfo.iet.unipi.it>

Hi,

On Sat, Nov 21, 1998 at 05:00:58AM +0100, Luigi Rizzo wrote:
> i am not sure what you mean by "client" firewall -- i suppose that you
> are setting the firewall on the machine acting as a bridge.

That's what I'm trying to do.  :-)  What I meant by "client" was that I
set "firewall_type" to "client" in rc.conf.


> i have never tried this... have you tried, by chance, to block
> single ports as opposed to a range and see if it makes a difference ?
> If it does it could be a bug in ipfw.c, otherwhise it is in the way the
> bridge code uses ipfw

It doesn't make a difference.  I've gotten a little bit further.  Here's my
setup:

    Hub_1
    |   |
    A  Hub_2
       | | |
       B C D
           |
           E

A is an Ultra 10 (Solaris 2.6).  B is a Dell Inspiron 3200 (RedHat 5.1).
C is a Mac G3/266 (MacOS 8.1).  D is the FreeBSD bridge box. E is an Ultra
60 (Solaris 2.6).  They're all on the same class C subnet.  Hub_1 is a 48
port HP hub, Hub_2 is a 12 port Asante hub.  I've got the following rules
on D:

% ipfw l
00100 deny log tcp from any to E 23
00200 allow log tcp from any to any
65535 allow ip from any to any

If I telnet from B to E, I get the following syslog'ed on D:

Nov 23 13:04:54 D /kernel: ipfw: 100 Deny TCP B:1114 E:23 out via fxp1

Which is what I'd expect.  If I telnet from C (or A) to E, I get the
following syslog'ed on D:

ipfw: 200 Accept TCP C E out via fxp1 Fragment = 64
ipfw: 200 Accept TCP C E out via fxp1 Fragment = 64
ipfw: 200 Accept TCP C E out via fxp1 Fragment = 64
ipfw: 200 Accept TCP C E out via fxp1 Fragment = 64
Nov 23 13:06:23 D /kernel: ipfw: 200 Accept TCP C E out via fxp1 Fragment = 64

I ran snoop (Solaris packet sniffer) and as far as I can tell, the packets
coming from C (and A) are not fragmented.  Have I misconfigured something?
Any ideas?  Help?  :-)

...thnx,
...dave

ps  I'm running 2.2.7-stable -- should I be running 2.2-current?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
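
Added illustration, not part of the message above or of the FreeBSD code: a small C program that decodes the IPv4 flags/fragment-offset word (bytes 6 and 7 of the header) two ways and shows what a firewall would conclude from each. The hypothesis it checks is an assumption, not something the thread states: an unfragmented packet with the DF (don't fragment) bit set carries 0x4000 in that word on the wire, and if a little-endian kernel reads the field without ntohs() it sees 0x0040, i.e. a fragment offset of 64. That would make a packet look like a non-first fragment, whose TCP ports cannot be read, which matches the "Fragment = 64" accept lines with no port numbers; a packet with DF clear reads as offset 0 either way. The headers below are constructed sample input, and the addresses in them are placeholders.

```c
/*
 * Added example (hypothesis check), not code from the original message.
 * Decode the IPv4 flags/fragment-offset word correctly and as it would
 * be seen if read in network byte order on a little-endian host.
 */
#include <stdint.h>
#include <stdio.h>

#define IP_RF      0x8000   /* reserved flag, as in <netinet/ip.h> */
#define IP_DF      0x4000   /* don't fragment */
#define IP_MF      0x2000   /* more fragments */
#define IP_OFFMASK 0x1fff   /* fragment offset, in 8-byte units */

/* Constructed 20-byte IPv4 headers; only bytes 6..7 matter for this check. */
static const uint8_t hdr_df_set[20] = {         /* DF set, offset 0 */
    0x45,0x00,0x00,0x2c, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,3, 10,0,0,5 };
static const uint8_t hdr_df_clear[20] = {       /* DF clear, offset 0 */
    0x45,0x00,0x00,0x2c, 0x12,0x35,0x00,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,2, 10,0,0,5 };
static const uint8_t hdr_real_frag[20] = {      /* MF set, offset 185 */
    0x45,0x00,0x05,0xdc, 0x12,0x36,0x20,0xb9, 0x40,0x06,0x00,0x00,
    10,0,0,3, 10,0,0,5 };

/* Correct reading: the field is big-endian on the wire. */
uint16_t ip_off_wire(const uint8_t *h)
{
    return (uint16_t)((h[6] << 8) | h[7]);
}

/* Buggy reading: the same two bytes taken as a little-endian uint16_t. */
uint16_t ip_off_misread_le(const uint8_t *h)
{
    return (uint16_t)(h[6] | (h[7] << 8));
}

/* What firewall code derives from the ip_off word. */
uint16_t frag_offset(uint16_t ip_off) { return ip_off & IP_OFFMASK; }
int has_df(uint16_t ip_off)           { return (ip_off & IP_DF) != 0; }
int has_mf(uint16_t ip_off)           { return (ip_off & IP_MF) != 0; }

/* Non-zero offset means a non-first fragment: no TCP/UDP header follows,
 * so port-based rules cannot be evaluated for it. */
int is_nonfirst_fragment(uint16_t ip_off) { return frag_offset(ip_off) != 0; }

static void report(const char *name, const uint8_t *h)
{
    uint16_t w = ip_off_wire(h), m = ip_off_misread_le(h);
    printf("%-12s wire=0x%04x off=%-5u DF=%d MF=%d frag=%d | "
           "misread=0x%04x off=%-5u frag=%d\n",
           name, w, frag_offset(w), has_df(w), has_mf(w), is_nonfirst_fragment(w),
           m, frag_offset(m), is_nonfirst_fragment(m));
}

int main(void)
{
    report("DF set", hdr_df_set);       /* misread: off=64, looks like a fragment */
    report("DF clear", hdr_df_clear);   /* same answer both ways */
    report("real frag", hdr_real_frag); /* misread: nonsense offset 6432 */
    return 0;
}
```

The "DF set" row reproduces the symptom exactly: the correct decoding is an unfragmented packet (offset 0), while the byte-swapped one reports offset 64 and hides the ports. Whether this is what the bridge path in 2.2.7 actually did is for the kernel source to confirm; the program only shows that the two readings differ in precisely this way.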



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19981123133825.A5023>