Date: Wed, 11 Apr 2007 22:43:09 +0800
From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: net@freebsd.org
Subject: ipfw tags & filtering incoming broadcasts
Message-ID: <20070411144309.GA3456@grosbein.pp.ru>
Hi!

I have a router based on FreeBSD 6 running quagga/RIPv2 and want to filter all incoming packets sent to it (not forwarded through it) with a small set of exceptions. This router uses ipfw for packet filtering. There is no problem filtering unicasts. But I also want to block all broadcasts except incoming RIPv2; some hardware routers send broadcasts instead of multicasts here. I've tried this way:

    ipfw add 30 allow tag 1 ip from any to any MAC ff:ff:ff:ff:ff:ff any
    ipfw add 40 allow ip from any to any layer2
    ipfw add 50 count log ip from any to any tagged 1

I hoped that rule 30 would tag all broadcasts with tag 1 during the layer2 filtering pass and that it'd keep its tag during the layer3 filtering pass, but it seems it doesn't. If I send a broadcast with ping <IP-broadcast> I see that rules 30 and 40 match this outgoing broadcast but rule 50 does not. Am I doing something wrong, or is this behaviour by design, or is this a bug that deserves a PR?

Eugene Grosbein
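The following is a toy model added here to illustrate the mechanics behind the question; it is not FreeBSD or ipfw code and is not part of the original mail. It models the three rules above against a packet that carries a tag set (like an mbuf tag) and runs the two filtering passes in the order assumed for each direction: on input the layer2 pass before the layer3 pass, on output the layer3 pass before the layer2 pass. It also assumes that MAC options only match while an Ethernet header is visible (the layer2 pass), that `allow` ends the walk and `count` does not. Under those assumptions an outgoing broadcast reaches rule 50 before rule 30 has tagged it, while an incoming broadcast is tagged on the layer2 pass and then counted on the layer3 pass.

```python
"""Toy model of ipfw's two filtering passes and the order they run in.

Added illustration for this page, not FreeBSD or ipfw code.  Assumptions
made by the model (labelled here, not taken from the mail):
  * on input, the layer2 pass (ether_demux) runs before the layer3 pass
    (ip_input); on output, the layer3 pass (ip_output's pfil hook) runs
    before the layer2 pass (ether_output);
  * a tag set by one pass stays attached to the packet (like an mbuf tag);
  * MAC-address options only match while an Ethernet header is visible,
    i.e. on the layer2 pass; 'allow' ends the walk, 'count' does not.
"""

BCAST_MAC = "ff:ff:ff:ff:ff:ff"

# The three rules from the mail, in ipfw order: (number, action, match options).
RULES = [
    (30, {"kind": "allow", "tag": 1}, {"dst_mac": BCAST_MAC}),
    (40, {"kind": "allow"}, {"layer2": True}),
    (50, {"kind": "count"}, {"tagged": 1}),
]

# Assumed pass order per direction (see module docstring).
PASS_ORDER = {"in": ["layer2", "layer3"], "out": ["layer3", "layer2"]}


def rule_matches(opts, pkt, pass_name):
    """Evaluate one rule's match options against the packet on a given pass."""
    if opts.get("layer2") and pass_name != "layer2":
        return False
    if "dst_mac" in opts:
        # No Ethernet header is available on the layer3 pass, so a MAC
        # option cannot match there.
        if pass_name != "layer2" or pkt["dst_mac"] != opts["dst_mac"]:
            return False
    if "tagged" in opts and opts["tagged"] not in pkt["tags"]:
        return False
    return True


def run_pass(rules, pkt, pass_name):
    """Walk the ruleset once. Returns (rule numbers hit, verdict)."""
    hit = []
    for number, action, opts in rules:
        if not rule_matches(opts, pkt, pass_name):
            continue
        hit.append(number)
        if "tag" in action:            # 'tag N' attaches the tag to the packet
            pkt["tags"].add(action["tag"])
        if action["kind"] == "count":  # count is non-terminal, keep walking
            continue
        return hit, action["kind"]
    return hit, "allow"                # modelled default: accept at end of ruleset


def filter_packet(dst_mac, direction):
    """Run every pass the packet sees for this direction; report hits per pass."""
    pkt = {"dst_mac": dst_mac, "tags": set()}
    hits = {}
    for pass_name in PASS_ORDER[direction]:
        hit, verdict = run_pass(RULES, pkt, pass_name)
        hits[pass_name] = hit
        if verdict == "deny":
            break
    return hits


if __name__ == "__main__":
    # Outgoing broadcast, as in the 'ping <IP-broadcast>' test from the mail:
    # the layer3 pass runs first, so rule 50 sees no tag yet.
    print("out:", filter_packet(BCAST_MAC, "out"))
    # Incoming broadcast: the layer2 pass tags it first, then rule 50 counts it.
    print("in: ", filter_packet(BCAST_MAC, "in"))
    # Incoming unicast (constructed MAC): never tagged, never counted by rule 50.
    print("in unicast:", filter_packet("00:11:22:33:44:55", "in"))
```

Because the model treats `allow` as terminal, a broadcast stops at rule 30 on the layer2 pass and rule 40 is only reached by non-broadcast frames; the point of interest is rule 50, which on the outgoing path is evaluated before any tag exists. Testing the incoming-broadcast path therefore needs a broadcast received from the wire rather than one generated locally.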