Date: Fri, 02 Dec 2005 17:02:54 -0800
From: "Bruce A. Mah" <bmah@freebsd.org>
To: David Pierron <david@wombatsweb.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: FBSD6 if_bridge
Message-ID: <4390EEBE.5090206@freebsd.org>
In-Reply-To: <4390C868.5010705@wombatsweb.com>
References: <43904815.4070805@wombatsweb.com> <43908AB1.7030107@freebsd.org> <43909B86.4050308@wombatsweb.com> <43909F53.4010905@freebsd.org> <4390C868.5010705@wombatsweb.com>

If memory serves me right, David Pierron wrote:

> Ah! I applied those settings to rc.conf and got the following results:
>
> fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         options=8<VLAN_MTU>
>         inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp0 prefixlen 64 scopeid 0x1
>         ether xx:xx:xx:xx:xx:xx
>         media: Ethernet autoselect (none)
>         status: no carrier
> fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         options=8<VLAN_MTU>
>         inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp1 prefixlen 64 scopeid 0x2
>         ether xx:xx:xx:xx:xx:xx
>         media: Ethernet autoselect (none)
>         status: no carrier

OK, this looks better. No guarantees but I'm pretty sure it would never
have worked before. Hopefully this will at least get you closer.

> I can't wait until the wee hours to test this! They do seem to have
> IPV6 addresses ... Can I shut that off? Comment out IPV6 in the
> kernel? I don't need IPV6 ...

If you really want them gone, then you probably need to comment out IPv6
from your kernel.

Those are IPv6 "link local" addresses...they are designed for two nodes
on the same subnet to communicate with each other even if there is no
other addressing/routing infrastructure (to assign globally-visible
addresses, etc.). The closest analog in the IPv4 world is the
169.254.0.0/16 range of addresses used by machines to communicate on a
subnet when they can't get (e.g.) DHCP addresses.

If there's no way for anybody to get an IPv6 packet to either fxp0 or
fxp1, I wouldn't worry about it, but I have to admit I'm not 100% sure
what the security implications of the link local addresses are.

> I see my:
>
> pass in on $mgt_if proto tcp from any to $mgt_if port 80 keep state
>
> expands out to two rules, one for inet and another for inet6 ...
>
> or change the command to:
>
> pass in on $mgt_if inet proto tcp from any to $mgt_if port 80 keep state
>
> I shouldn't have to worry about IPV6 ...

I don't think that having the inet and inet6 rules hurts you except
(maybe) for performance. My bridge actually does filter IPv6 traffic
(it's a tunnel endpoint) so it really does need those.

> Anyway, I'll report on the ifconfig_inf(x)="up" and see if that is the ticket ...

Looking forward to hearing the good news...

Bruce.
