Date:      Wed, 29 Aug 2012 08:01:08 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        lev@freebsd.org
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw, "ip|all" proto and PPPoE -- does PPPoE packets passed to ipfw?
Message-ID:  <CAHu1Y70MynCMQTrJUMwTZ0%2BLrM1JiZFt_B77028XHfoiRgzmaA@mail.gmail.com>
In-Reply-To: <1865271844.20120829131610@serebryakov.spb.ru>
References:  <1865271844.20120829131610@serebryakov.spb.ru>

On Wed, Aug 29, 2012 at 2:16 AM, Lev Serebryakov <lev@freebsd.org> wrote:

>   I have an interface (vr1), most of the traffic on which is PPPoE. I have an ipfw
> firewall, which splits traffic by interface via:
>
> add 2000 skipto  5000 all  from any to any via em0
> add 2010 skipto  7000 all  from any to any via wlan0
> add 2020 skipto 11000 all  from any to any via vr1
> add 2030 skipto 13000 all  from any to any via ng0
> add 2040 skipto 15000 ipv6 from any to any via gif0
> add 2999 deny all from any to any
> ...
> And later here are some basic checks, nat, "check-state" and some
> stateful rules.

Consider separating traffic not only by interface but also by direction.

'via' can match traffic four different ways (at least), so match
incoming traffic on an interface

        ip from any to any in recv vr0

and outgoing

        ip from any to any out xmit vr0

>   Do PPPoE packets match rule 2020, and other rules like "nat 1 ip
> from any to any"?

Yes, and it seems that that is not what you want.  The packets will be
seen first by the firewall, then passed to whatever is handling PPPoE
on the local box, then re-injected into the IP stack, etc. for
processing by firewall rules again.

Is there a pppX pseudo-interface?
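The difference between `via` and `in recv` / `out xmit` that the reply describes, as an added model that is not part of the original message: it follows the matching rules in ipfw(8), where `via X` is compared against both the receive and the transmit interface, while `recv` and `xmit` check only one side. The interface names are the ones from the thread; the packet passes and the `matches` helper are constructed for illustration.

```python
# Added example: a small model of ipfw's interface keywords, per ipfw(8).
# "via X" matches if X is the receive OR the transmit interface; "recv X"
# checks only the receive interface; "xmit X" only the transmit interface,
# which is known only on the "out" pass.  Interface names come from the
# thread; the packets and the helper functions are constructed.
from dataclasses import dataclass
from typing import Optional, List

@dataclass(frozen=True)
class Pass:
    """One trip through ipfw.  A forwarded packet makes two: 'in' on the
    interface it arrived on, then 'out' where recv is still known and xmit
    is the interface it leaves on."""
    direction: str            # "in" or "out"
    recv: Optional[str]       # receive interface (None if locally generated)
    xmit: Optional[str]       # transmit interface (None on the "in" pass)

def matches(rule: str, p: Pass) -> bool:
    """rule is the interface part of an ipfw rule, e.g. 'via vr1'
    or 'in recv vr1' or 'out recv vr1 xmit em0'."""
    toks = rule.split()
    want_dir = None
    for d in ("in", "out"):
        if d in toks:
            want_dir = d
            toks.remove(d)
    if want_dir and p.direction != want_dir:
        return False
    while toks:                           # remaining tokens: keyword, interface
        kw, ifn = toks[0], toks[1]
        toks = toks[2:]
        if kw == "recv":
            ok = p.recv == ifn
        elif kw == "xmit":
            ok = p.direction == "out" and p.xmit == ifn
        elif kw == "via":
            ok = p.recv == ifn or (p.direction == "out" and p.xmit == ifn)
        else:
            raise ValueError("unknown interface keyword: " + kw)
        if not ok:
            return False
    return True

def passes_matching(rule: str, passes: List[Pass]) -> List[Pass]:
    return [p for p in passes if matches(rule, p)]

# Constructed traversal: a packet arrives on vr1 and is forwarded out em0,
# and the reply comes back the other way.
FORWARD = [Pass("in", "vr1", None), Pass("out", "vr1", "em0")]
REPLY   = [Pass("in", "em0", None), Pass("out", "em0", "vr1")]
```

With this ordering the out pass of the vr1 packet also satisfies `via em0`, so a `skipto ... via em0` rule placed before the `via vr1` rule catches it first; `in recv vr1` and `out xmit vr1` each select exactly one pass.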