Date:      Thu, 12 Apr 2007 00:20:52 +0800
From:      Eugene Grosbein <eugen@grosbein.pp.ru>
To:        Julian Elischer <julian@elischer.org>
Cc:        net@freebsd.org
Subject:   Re: ipfw tags & filtering incoming broadcasts
Message-ID:  <20070411162052.GA94437@svzserv.kemerovo.su>
In-Reply-To: <461D0309.5080602@elischer.org>
References:  <20070411144309.GA3456@grosbein.pp.ru> <461D0309.5080602@elischer.org>

On Wed, Apr 11, 2007 at 08:47:21AM -0700, Julian Elischer wrote:

> the MAC or layer2 commands are only useful if you are calling the 
> firewall from the NIC layer..
> have you turned on the layer 2 entrypoints?
> 
> sysctl net.link.ether.{something} (I forget exactly)

It's net.link.ether.ipfw, and yes, I turned this on,
or else rule 40 wouldn't match a packet but it does
as I noted:

> >ipfw add 40 allow ip from any to any layer2
> >ipfw add 50 count log ip from any to any tagged 1
> >
> >I hoped that rule 30 would tag all broadcasts with tag 1 during layer2
> >filtering pass and it'd keep its tag during layer3 filtering but it seems
> >it doesn't. If I send a broadcast with ping <IP-broadcast>
> >I see that rules 30 and 40 match this outgoing broadcast
> >but rule 50 does not.

Eugene
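A small diagnostic for the situation described above, added here as an example and not part of the original message: it parses two snapshots of `ipfw -a list` output, taken before and after sending the test broadcast, and reports whether packets tagged by the layer2-pass rule were seen by the `tagged 1` rule during the layer3 pass. The sample output is constructed, and the body of rule 30 is assumed because the message does not show it.

```python
import re

# Constructed `ipfw -a list` snapshots (not captured from the poster's machine).
# Rule 30's body is an assumption; the original message only says it tags
# broadcasts with tag 1 during the layer2 pass.
SAMPLE_BEFORE = """\
00030        0          0 count tag 1 ip from any to any layer2
00040        0          0 allow ip from any to any layer2
00050        0          0 count log ip from any to any tagged 1
65535      120      14567 deny ip from any to any
"""

SAMPLE_AFTER = """\
00030        3        252 count tag 1 ip from any to any layer2
00040        3        252 allow ip from any to any layer2
00050        0          0 count log ip from any to any tagged 1
65535      120      14567 deny ip from any to any
"""

# `ipfw -a list` prints: rule number, packet counter, byte counter, rule body.
LINE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_ipfw_list(text):
    """Return {rule_number: {"pkts": int, "bytes": int, "body": str}}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ipfw line: {line!r}")
        num, pkts, nbytes, body = m.groups()
        rules[int(num)] = {"pkts": int(pkts), "bytes": int(nbytes), "body": body}
    return rules


def counter_delta(before, after):
    """Packet-counter increase per rule between two snapshots.

    Counters accumulate, so comparing snapshots isolates the test traffic
    from whatever else the box was passing.
    """
    return {
        num: after[num]["pkts"] - before[num]["pkts"]
        for num in after
        if num in before
    }


def diagnose_tag(delta, l2_tag_rule=30, l3_tagged_rule=50):
    """Classify what happened to the tag between the two filtering passes.

    "no-traffic":   the layer2 tagging rule never fired, so the test is void
    "tag-survives": every packet tagged at layer2 also hit the `tagged` rule
    "tag-lost":     packets were tagged at layer2 but the layer3 `tagged`
                    rule saw fewer (or none) of them
    """
    tagged_l2 = delta.get(l2_tag_rule, 0)
    seen_l3 = delta.get(l3_tagged_rule, 0)
    if tagged_l2 == 0:
        return "no-traffic"
    if seen_l3 >= tagged_l2:
        return "tag-survives"
    return "tag-lost"


if __name__ == "__main__":
    before = parse_ipfw_list(SAMPLE_BEFORE)
    after = parse_ipfw_list(SAMPLE_AFTER)
    delta = counter_delta(before, after)
    for num in sorted(delta):
        print(f"rule {num:5d}: +{delta[num]} packets  ({after[num]['body']})")
    print("diagnosis:", diagnose_tag(delta))  # prints "tag-lost" for the sample
```

In use, the two snapshots would come from `ipfw -a list` run immediately before and after the broadcast `ping`; with the constructed sample the delta is +3 on rules 30 and 40 and 0 on rule 50, which the function reports as the tag not surviving into the layer3 pass, matching what the message observes.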


