From: Dave Alden
To: Luigi Rizzo
Cc: freebsd-net@FreeBSD.ORG
Date: Mon, 23 Nov 1998 13:38:25 -0500
Subject: Re: bridging hints?
Message-ID: <19981123133825.A5023@zaphod.mps.ohio-state.edu>
References: <199811202109.QAA06927@math.mps.ohio-state.edu> <199811210400.FAA28620@labinfo.iet.unipi.it>
In-Reply-To: <199811210400.FAA28620@labinfo.iet.unipi.it>; from Luigi Rizzo on Sat, Nov 21, 1998 at 05:00:58AM +0100

Hi,

On Sat, Nov 21, 1998 at 05:00:58AM +0100, Luigi Rizzo wrote:
> i am not sure what you mean by "client" firewall -- i suppose that you
> are setting the firewall on the machine acting as a bridge.

That's what I'm trying to do. :-) What I meant by "client" was that I
set "firewall_type" to "client" in rc.conf.

> i have never tried this... have you tried, by chance, to block
> single ports as opposed to a range and see if it makes a difference ?
> If it does it could be a bug in ipfw.c, otherwise it is in the way the
> bridge code uses ipfw

It doesn't make a difference. I've gotten a little bit further.
Here's my setup:

        Hub_1
        |   |
        A   Hub_2
            | | |
            B C D
                |
                E

A is an Ultra 10 (Solaris 2.6). B is a Dell Inspiron 3200 (RedHat 5.1).
C is a Mac G3/266 (MacOS 8.1). D is the FreeBSD bridge box. E is an
Ultra 60 (Solaris 2.6). They're all on the same class C subnet. Hub_1
is a 48 port HP hub, Hub_2 is a 12 port Asante hub.

I've got the following rules on D:

% ipfw l
00100 deny log tcp from any to E 23
00200 allow log tcp from any to any
65535 allow ip from any to any

If I telnet from B to E, I get the following syslog'ed on D:

Nov 23 13:04:54 D /kernel: ipfw: 100 Deny TCP B:1114 E:23 out via fxp1

Which is what I'd expect. If I telnet from C (or A) to E, I get the
following syslog'ed on D:

ipfw: 200 Accept TCP C E out via fxp1 Fragment = 64
ipfw: 200 Accept TCP C E out via fxp1 Fragment = 64
ipfw: 200 Accept TCP C E out via fxp1 Fragment = 64
ipfw: 200 Accept TCP C E out via fxp1 Fragment = 64
Nov 23 13:06:23 D /kernel: ipfw: 200 Accept TCP C E out via fxp1 Fragment = 64

I ran snoop (Solaris packet sniffer) and as far as I can tell, the
packets coming from C (and A) are not fragmented. Have I misconfigured
something? Any ideas? Help? :-)

...thnx,
...dave

ps I'm running 2.2.7-stable -- should I be running 2.2-current?
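Added example, not part of the thread or of FreeBSD: a small Python parser for the ipfw log format quoted above, which picks out entries ipfw logged with a non-zero fragment offset (on those it cannot match ports, so a port-specific deny like rule 100 never applies to them). The sample lines are constructed after the post's output; the `looks_like_byteswapped_df` check is an added arithmetic observation, not a diagnosis from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
Nov 23 13:04:54 D /kernel: ipfw: 100 Deny TCP B:1114 E:23 out via fxp1
ipfw: 200 Accept TCP C E out via fxp1 Fragment = 64
Nov 23 13:06:23 D /kernel: ipfw: 200 Accept TCP C E out via fxp1 Fragment = 64
"""

# Shape of a 2.2.x-era ipfw log line: rule, action, proto, src, dst,
# direction, interface, and an optional trailing "Fragment = N".
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
    r"(?: Fragment = (?P<frag>\d+))?$"
)

@dataclass
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    iface: str
    frag: Optional[int]   # non-zero: ipfw treated the packet as a later fragment

def _split_host_port(token: str):
    host, sep, port = token.rpartition(":")
    return (host, int(port)) if sep else (token, None)

def parse_line(line: str) -> Optional[IpfwEvent]:
    m = IPFW_RE.search(line.strip())
    if not m:
        return None
    src, sport = _split_host_port(m["src"])
    dst, dport = _split_host_port(m["dst"])
    frag = int(m["frag"]) if m["frag"] else None
    return IpfwEvent(int(m["rule"]), m["action"], m["proto"],
                     src, sport, dst, dport, m["iface"], frag)

def suspicious_fragment_logs(text: str):
    """Entries logged as fragments: port rules cannot have matched these."""
    return [e for e in map(parse_line, text.splitlines()) if e and e.frag]

DF_FLAG = 0x4000  # IP "don't fragment" bit in the ip_off field

def looks_like_byteswapped_df(frag: int) -> bool:
    """0x4000 read with its two bytes swapped is 0x0040 = 64 (observation)."""
    return frag == int.from_bytes(DF_FLAG.to_bytes(2, "big"), "little")
```

Running `suspicious_fragment_logs` over the post's full output would flag every "Fragment = 64" entry and none of the port-matched rule 100 entries.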