Date:      Wed, 29 Aug 2012 22:31:25 +0400
From:      Lev Serebryakov <lev@FreeBSD.org>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw, "ip|all" proto and PPPoE -- does PPPoE packets passed to ipfw?
Message-ID:  <1807373989.20120829223125@serebryakov.spb.ru>
In-Reply-To: <CAHu1Y70MynCMQTrJUMwTZ0%2BLrM1JiZFt_B77028XHfoiRgzmaA@mail.gmail.com>
References:  <1865271844.20120829131610@serebryakov.spb.ru> <CAHu1Y70MynCMQTrJUMwTZ0%2BLrM1JiZFt_B77028XHfoiRgzmaA@mail.gmail.com>

Hello, Michael.
You wrote on 29 August 2012, 19:01:08:

>>   I have an interface (vr1), most of the traffic on which is PPPoE. I have an ipfw
>> firewall, which splits traffic by interface via:
>>
>> add 2000 skipto  5000 all  from any to any via em0
>> add 2010 skipto  7000 all  from any to any via wlan0
>> add 2020 skipto 11000 all  from any to any via vr1
>> add 2030 skipto 13000 all  from any to any via ng0
>> add 2040 skipto 15000 ipv6 from any to any via gif0
>> add 2999 deny all from any to any
>> ...
>> And later here are some basic checks, nat, "check-state" and some
>> stateful rules.
MS> Consider separating traffic not only by interface but also direction
  It is done in rules 1000 and 1010; 2xxx is for incoming, 3xxx for
outgoing. It is only a sample.

MS>         ip from any to any in recv vr0
MS> and outgoing
MS>         ip from any to any out xmit vr0
  Yep, I'll collapse my two-rule chains in one rule.

>>   Do PPPoE packets match rule 2020, and other rules like "nat 1 ip
>> from any to any"?
MS> Yes, and it seems that that is not what you want.  The packets will be
MS> seen first by the firewall, then passed to whatever is handling PPPoE
  But there is no rule for it, and the default policy is "deny"... But it
works.

MS> on the local box, then re-injected into the IP stack, etc. for
MS> processing by firewall rules again.
MS> Is there a pppX pseudo-interface?
  ng0, as I'm using mpd5, not system ppp.

-- 
// Black Lion AKA Lev Serebryakov <lev@FreeBSD.org>
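As an added illustration of the encapsulation question in this thread (this is example code, not anything from the thread, mpd5 or FreeBSD): a small Python dissector that tells a plain IPv4 frame on the physical interface apart from a PPPoE session frame carrying PPP/IPv4, which is the case where the IP packet only becomes visible to layer-3 rules once it has been decapsulated onto the PPP interface. The ethertypes and header layout are from the PPPoE and PPP specifications; the MAC addresses, session id and IP payload are constructed for the demo.

```python
import struct

ETH_P_IP = 0x0800           # plain IPv4 directly on the wire
ETH_P_PPPOE_DISC = 0x8863   # PPPoE discovery stage (PADI/PADO/PADR/PADS/PADT)
ETH_P_PPPOE_SESS = 0x8864   # PPPoE session stage: PPP frames inside Ethernet
PPP_IPV4 = 0x0021           # PPP protocol id for IPv4

def classify_frame(frame: bytes) -> dict:
    """Report whether an IP-layer rule keyed on the physical interface can see IP here.

    ip_on_wire=True: plain IP packet, so 'ip from any to any via vr1' matches it directly.
    ip_on_wire=False: any IP is inside PPPoE/PPP and only reaches layer-3 rules after
    the PPPoE handler decapsulates it onto the PPP interface (ng0 with mpd5).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"ethertype": ethertype, "ip_on_wire": ethertype == ETH_P_IP}
    if ethertype == ETH_P_PPPOE_DISC:
        info["pppoe"] = "discovery"
    elif ethertype == ETH_P_PPPOE_SESS:
        if len(frame) < 22:
            raise ValueError("truncated PPPoE session frame")
        # PPPoE header: ver/type (0x11), code (0x00 for data), session id, length; then PPP proto
        ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
        if ver_type != 0x11 or code != 0x00:
            raise ValueError("not a PPPoE v1/type 1 session data frame")
        ppp_proto = struct.unpack("!H", frame[20:22])[0]
        inner = frame[22:20 + length]          # PPP payload after the 2-byte protocol field
        info.update(pppoe="session", session_id=session_id, ppp_proto=ppp_proto,
                    carries_ipv4=(ppp_proto == PPP_IPV4), inner_ip=inner if ppp_proto == PPP_IPV4 else b"")
    return info

def build_pppoe_session_frame(session_id: int, ppp_proto: int, payload: bytes) -> bytes:
    """Constructed PPPoE session frame; MAC addresses are made up for the demo."""
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    ppp = struct.pack("!H", ppp_proto) + payload
    pppoe_hdr = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_SESS) + pppoe_hdr + ppp

def build_ipv4_frame(payload: bytes) -> bytes:
    """Constructed plain IPv4 Ethernet frame for comparison (same made-up MACs)."""
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP) + payload

# Constructed sample input: a minimal IPv4 header (version 4, IHL 5, total length 20).
SAMPLE_IP = bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16)
PPPOE_FRAME = build_pppoe_session_frame(0x1234, PPP_IPV4, SAMPLE_IP)
PLAIN_FRAME = build_ipv4_frame(SAMPLE_IP)
```

Running `classify_frame` over both constructed frames shows the same IPv4 header reported as visible on the wire for PLAIN_FRAME and as PPPoE-encapsulated (session id 0x1234) for PPPOE_FRAME.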