Date: Wed, 15 Jun 2016 14:25:35 +0100
From: Dr Josef Karthauser <joe@truespeed.com>
To: freebsd-net@freebsd.org
Subject: Re: IPFW: Packet forwarding with bridges and vlans and Vimage? With an IP address.
Message-ID: <33CB1553-0C61-410A-BB94-9C0CBB51E78C@truespeed.com>
In-Reply-To: <A30D4419-5796-4109-AB97-0F3B4BDB8D16@truespeed.com>
References: <A30D4419-5796-4109-AB97-0F3B4BDB8D16@truespeed.com>
> On 15 Jun 2016, at 14:04, Dr Josef Karthauser <joe@truespeed.com> wrote:
>
> I don't have IP forwarding switched on and so I'd expect bridged packets to carry on being bridged irrespective of whether vlan9 has an IP address or not.
>
> What's strange is that ingress packets to the bridge are being forwarded ok, but egress packets out onto the vlan are being filtered.
>
> Is there something obvious that I've missed?
>
> Cheers,
> Joe

Ok, I've narrowed the problem down. It's related to the anti-spoofing ruleset. I've also got this in my ruleset:

    deny log ip from any to any not antispoof in

What's strange is that when vlan9 has an IP address this rule starts triggering for interfaces that it didn't before:

    Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via vnet0:13
    Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via bridge9
    Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via vnet0:13

Without the IP address I don't get any of these logged and no packets are filtered.

Why would anti-spoof filtering filter traffic on interfaces without IP addresses assigned when vlan9 is given an interface? I might expect that behaviour on the vlan, but not on the other bridged interfaces.

Is this a "feature"?

Joe

—
Dr Josef Karthauser
Chief Technical Officer
(01225) 300371 / (07703) 596893
www.truespeed.com <http://www.truespeed.com/> / theTRUESPEED <http://www.facebook.com/theTRUESPEED>
@theTRUESPEED <https://twitter.com/thetruespeed>
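The behaviour Joe describes follows from how ipfw(8) documents the antispoof option: for an incoming packet whose source lies in a directly connected network, the packet must arrive on the interface that owns that network, otherwise "not antispoof" is true. The script below is an added example, not code from the mail or from FreeBSD; it is a simplified model of that check run over the log lines quoted above, with a constructed interface table in which vlan9, bridge9 and vnet0:13 are bridge members and the 192.168.9.0/24 address on vlan9 is an assumption.

```python
import ipaddress
import re

# Constructed interface tables (assumption: vlan9 holds 192.168.9.x/24, the
# bridge and the epair members carry no address, as described in the mail).
IFACES_WITH_ADDR = {
    "vlan9": [ipaddress.ip_network("192.168.9.1/24", strict=False)],
    "bridge9": [],
    "vnet0:13": [],
}
IFACES_WITHOUT_ADDR = {"vlan9": [], "bridge9": [], "vnet0:13": []}

# Log lines copied from the mail; they are the sample input for the model.
LOG_LINES = [
    "Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via vnet0:13",
    "Jun 15 14:19:39 kernel: ipfw: 10000 Deny UDP 192.168.9.3:67 255.255.255.255:68 in via bridge9",
]

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_ipfw_log(line):
    """Extract rule number, addresses, direction and interface from an ipfw log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["rule"] = int(pkt["rule"])
    return pkt

def passes_antispoof(src, in_iface, iface_table):
    """Model of ipfw's antispoof: a source inside a directly connected network
    must arrive on the interface owning that network. Sources that belong to no
    local network are not checked, so antispoof is silent for them."""
    src = ipaddress.ip_address(src)
    for iface, nets in iface_table.items():
        if any(src in net for net in nets):
            return iface == in_iface
    return True

def denied_by_antispoof_rule(line, iface_table):
    """True if 'deny ip from any to any not antispoof in' would log this packet."""
    pkt = parse_ipfw_log(line)
    if pkt is None or pkt["dir"] != "in":
        return False
    return not passes_antispoof(pkt["src"], pkt["iface"], iface_table)
```

With the address on vlan9 the same DHCP packet seen on bridge9 or vnet0:13 looks like a spoofed local source and is denied; without it, 192.168.9.0/24 is not directly connected and the rule never fires.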