arp, skipto, deny rules

Don Bowman don at sandvine.com
Fri Jun 20 21:12:31 PDT 2003


I have a setup where I have H1(ip=1.0.0.1) bridged to H2(ip=1.0.0.2).
When net.link.ether.bridge_ipfw=1, my rules are hit and the counters
go up, so far so good.
I would like to implement an ACL for sets of IP. Since ipfw
doesn't allow 'and' (I would have written deny from where not ip1 and not
ip2 ...), I used a skipto rule.
I find in the rules below that when rule 25 is present,
ARP packets are not passed through the bridge. When rule 25 is removed,
ARP packets pass OK.

Once the ARP is known, packets pass just fine.

Any suggestions?

I have:
em0, em1 on one side of the bridge, em4,em5 on the other.
em2 is my ssh etc. access, so I have it excluded.

When I set net.link.ether.bridge_ipfw=0, the packets flow,
or if I delete rule 25 the packets flow... Why are 

ipfw pipe 1 config bw 50Mbit/s queue 96Kbytes gred 0.002/30000/81920/0.1
ipfw pipe 2 config bw 100kbit/s mask src-ip 0xffffffff queue 8Kbytes gred 0.002/4500/7500/0.1
ipfw pipe 3 config bw 100kbit/s mask dst-ip 0xffffffff queue 8Kbytes gred 0.002/4500/7500/0.1

1 allow ip from me to me
10 allow ip from any to any via em2
20 skipto 30 ip from { 10.0.0.0/8 or 192.168.0.0/16 or 1.0.0.0/8 } to any
25 deny ip from any to any
30 allow tcp from any to any setup limit src-addr 5
40 pipe 2 ip from any to any recv em0
40 pipe 2 ip from any to any recv em1
50 pipe 3 ip from any to any recv em4
50 pipe 3 ip from any to any recv em5
60 pipe 1 ip from any to any in
65535 allow ip from any to any
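As an added illustration (not part of the original post), the following Python model walks a numbered rule list with skipto semantics over the posted rules 20, 25 and 30, using constructed packets. It assumes that with bridge_ipfw=1 an ARP frame is evaluated by the same rule list, that a rule carrying an IP address set cannot match a frame without an IP header, and that "ip from any to any" with no address set matches everything; the hypothetical rule 15 stands for an allow rule restricted to the ARP ethertype (ipfw's mac-type option) placed before the deny.

```python
from ipaddress import ip_address, ip_network

# A rule is (number, action, list of source networks, ethertype or None).
# action is "allow", "deny" or "skipto <number>".
def matches(rule, pkt):
    _, _, nets, mac_type = rule
    if mac_type and pkt.get("mac_type") != mac_type:
        return False          # ethertype-restricted rule, wrong frame type
    if nets:
        src = pkt.get("src_ip")
        # Modeling assumption: an address set can only match an IP packet.
        return src is not None and any(ip_address(src) in ip_network(n) for n in nets)
    return True               # "from any to any": matches any frame

def walk(rules, pkt):
    """Return the final verdict ("allow" or "deny") for pkt."""
    rules = sorted(rules, key=lambda r: r[0])
    i = 0
    while i < len(rules):
        num, action, _, _ = rules[i]
        if not matches(rules[i], pkt):
            i += 1
            continue
        if action.startswith("skipto"):
            target = int(action.split()[1])
            # Resume at the first rule whose number is >= the skipto target.
            i = next((j for j, r in enumerate(rules) if r[0] >= target), len(rules))
            continue
        return action
    return "deny"             # nothing matched: treat as default deny

# The posted chain, reduced to the rules that decide bridged traffic.
# Rule 30 here stands in for the allow/pipe rules 30..65535 of the post.
POSTED = [
    (20, "skipto 30", ["10.0.0.0/8", "192.168.0.0/16", "1.0.0.0/8"], None),
    (25, "deny", [], None),
    (30, "allow", [], None),
]
# Hypothetical fix: an ARP-only allow ahead of the deny (constructed).
WITH_ARP_ALLOW = POSTED + [(15, "allow", [], "arp")]

IP_PKT = {"src_ip": "1.0.0.1", "mac_type": "ip"}   # constructed, H1 -> H2
ARP_PKT = {"mac_type": "arp"}                       # constructed, no IP header
```

With the posted chain the ARP frame falls past rule 20 (no source address to match) and is stopped by rule 25, while the IP packet is skipped to rule 30; with the ARP allow in place both pass.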

