Date: Fri, 13 Jun 2008 12:22:45 -0700
From: Chuck Swiger <cswiger@mac.com>
To: Alexey Beketov <opt1k2@mail.ru>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw arp protocol filtering
Message-ID: <733D64F7-47AA-4BCF-9677-08A20D39150A@mac.com>
In-Reply-To: <E1K7DQJ-000Bq2-00.opt1k2-mail-ru@f137.mail.ru>
References: <E1K7DQJ-000Bq2-00.opt1k2-mail-ru@f137.mail.ru>
On Jun 13, 2008, at 10:50 AM, Alexey Beketov wrote:

> I have two networks, 10.10.0.0/16 both, and if_bridge between them.
> There are two different 10.10.0.1 machines in each network. I need to
> filter arp on the bridge to make no conflicts between the 10.10.0.1
> machines. How to make it? I am using FreeBSD 7.0 and ipfw.

Seriously, dude-- don't even try to do this; you will be drawn into networking hell.

If you still wish to risk it, consider:

    sysctl -w net.link.ether.bridge_ipfw=1
    sysctl -w net.link.ether.ipfw=1
    ipfw add deny mac any 0:1:2:3:4:5

...add the deny rule twice & change the MAC to match those of your two 10.10.0.1 machines. This won't filter ARP traffic, but instead just stops the ethernet addresses of these two machines from passing through the bridge.

If you really want to block ARP, you're better off switching to using a router and NAT forwarding rather than a bridge, but I understand there's a hack like follows:

    ipfw add deny udp from 0.0.0.0 2054 to 0.0.0.0

-- 
-Chuck