Date: Mon, 12 Feb 2001 17:06:19 -0500
From: James Snow <snow@teardrop.org>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ARP, bridging, and ipfw
Message-ID: <20010212170619.A38568@teardrop.org>
In-Reply-To: <20010212161340.A38417@teardrop.org>; from snow@teardrop.org on Mon, Feb 12, 2001 at 04:13:50PM -0500
References: <20010212161340.A38417@teardrop.org>
After poking around in the FreeBSD mailing list archives for long enough, I found the answer to my own question. Quoting from:

http://www.freebsd.org/cgi/getmsg.cgi?fetch=45862+48717+/usr/local/www/db/text/2001/freebsd-stable/20010211.freebsd-stable

Robert N. M. Watson wrote:

> There used to be a kludge that mapped the ether_header.ether_type
> field of non-IP packets into the UDP port number for the purposes of
> certain IPFW rules when bridging. This was pretty awful. :-) That
> kludge was removed, and the BRIDGE code now simply forwards all non-
> IP packets, including ARP, and does not pass them through IPFW when
> IPFW is enabled, making them follow the equivalent of a default pass
> rule. This is a kludge that I am glad to see go: I can certainly
> imagine the desire to support non-IP filtering in a bridge, but IPFW
> was not the right vehicle for that.

I'm inclined to agree. No reason for an *IP* firewall to do non-IP filtering. :)

But, continuing my theme of playing the inquisitive idiot, are there tools that will do filtering of non-IP traffic in a bridging FreeBSD box?

-James

On Mon, Feb 12, 2001 at 04:13:50PM -0500, James Snow wrote:
>
> I'm experimenting with using a FreeBSD box as a transparent firewall.
> Looking at /etc/rc.firewall, I see:
>
> # If you're using 'options BRIDGE', uncomment the following line to pass ARP
> #${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0
>
> I found it curious that I'd had no problems with ARP before adding that
> line to the rules I'm using, and that even after adding it as the first
> rule in the list, it never matches, even after I flush my local ARP
> cache and force some ARP requests.
>
> Are these lines in /etc/rc.firewall deprecated? Do ARP packets get
> excepted from the ipfw rules now or something?
>
> Also, what on earth does ARP have to do with UDP sourced from port 2054?
>
> Just curious,
> -James
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010212170619.A38568>
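The practical consequence of the quoted answer is that a BRIDGE + ipfw "transparent firewall" never sees ARP (or any other non-IP frame): the old rule's port number 2054 is simply 0x0806, the ARP EtherType, and with the kludge gone nothing in ipfw matches those frames at all. The following Python is an added example, not code from this thread or from FreeBSD, that parses constructed Ethernet frames the way a bridge would have to, shows the 2054/0x0806 identity, decodes the ARP fields a layer-2 filter would need, and counts which frames an IPv4-only ipfw would pass unfiltered. It goes slightly beyond the thread by also skipping one 802.1Q VLAN tag, because a filter that only reads bytes 12-13 would misclassify VLAN-tagged ARP as EtherType 0x8100. Assumptions: ipfw is consulted for IPv4 frames only (so IPv6 counts as "non-IP" here, as the quoted text describes the 2001 code), and all frames and addresses below are constructed, not captured.

```python
import struct
from ipaddress import IPv4Address

# IEEE-assigned EtherTypes. The ARP value is the point of the thread:
# 0x0806 == 2054, the "UDP source port" in the old rc.firewall kludge rule.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag; the real EtherType follows the 4-byte tag
ETHERTYPE_IPV6 = 0x86DD

NAMES = {ETHERTYPE_IPV4: "IPv4", ETHERTYPE_ARP: "ARP", ETHERTYPE_IPV6: "IPv6"}


def ethertype_of(frame: bytes) -> int:
    """Return the payload EtherType of an Ethernet II frame.

    One 802.1Q tag is skipped so a VLAN-tagged ARP frame still reports ARP.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q frame")
        (etype,) = struct.unpack("!H", frame[16:18])
    return etype


def payload_offset(frame: bytes) -> int:
    """Offset of the layer-3 payload: 14 bytes, or 18 with an 802.1Q tag."""
    return 18 if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_VLAN else 14


def bypasses_ipfw(frame: bytes) -> bool:
    """True if BRIDGE would forward this frame without consulting ipfw.

    Assumption (from the quoted description): ipfw is consulted for IPv4
    frames only; everything else gets the equivalent of a default pass.
    """
    return ethertype_of(frame) != ETHERTYPE_IPV4


def decode_arp(frame: bytes) -> dict:
    """Decode the ARP fields a layer-2 filter on the bridge would need to police."""
    if ethertype_of(frame) != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    off = payload_offset(frame)
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[off + 8:off + 28])
    return {
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sender_mac": sha.hex(":"),
        "sender_ip": str(IPv4Address(spa)),
        "target_mac": tha.hex(":"),
        "target_ip": str(IPv4Address(tpa)),
    }


def audit(frames) -> dict:
    """Count, by EtherType name, the frames an IPv4-only ipfw bridge never sees."""
    unseen = {}
    for frame in frames:
        if bypasses_ipfw(frame):
            etype = ethertype_of(frame)
            name = NAMES.get(etype, f"0x{etype:04x}")
            unseen[name] = unseen.get(name, 0) + 1
    return unseen


# --- constructed sample frames (documentation addresses, not captured traffic) ---

def _frame(dst: str, src: str, etype: int, payload: bytes, vlan=None) -> bytes:
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)   # TCI: priority 0, VID = vlan
    return hdr + struct.pack("!H", etype) + payload


# ARP "who-has 192.0.2.1 tell 192.0.2.10" from 00:11:22:33:44:55
ARP_REQUEST = struct.pack(
    "!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
    bytes.fromhex("001122334455"), IPv4Address("192.0.2.10").packed,
    bytes(6), IPv4Address("192.0.2.1").packed,
)

SAMPLE_FRAMES = [
    _frame("ffffffffffff", "001122334455", ETHERTYPE_ARP, ARP_REQUEST),           # untagged ARP
    _frame("001122334455", "66778899aabb", ETHERTYPE_IPV4, bytes(20)),            # IPv4: ipfw sees it
    _frame("ffffffffffff", "001122334455", ETHERTYPE_ARP, ARP_REQUEST, vlan=10),  # ARP inside VLAN 10
    _frame("3333000000fb", "66778899aabb", ETHERTYPE_IPV6, bytes(40)),            # non-IPv4 under our assumption
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        etype = ethertype_of(frame)
        print(f"{NAMES.get(etype, hex(etype)):5} bypasses ipfw: {bypasses_ipfw(frame)}")
    print("ARP details:", decode_arp(SAMPLE_FRAMES[2]))
    print("never filtered:", audit(SAMPLE_FRAMES))
```

Run it as-is to see the three non-IPv4 frames flagged; feed real frames (for example from a raw socket or a pcap) to audit() to learn what a bridging ipfw box is passing without a single rule being evaluated.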