ipfw on a bridge
Ganbold
ganbold at micom.mng.net
Fri Jan 9 00:47:40 PST 2004
Hi,
My sysctl.conf:
net.link.ether.bridge_cfg=fxp0:0,fxp1:0
net.link.ether.bridge_ipfw=1
net.link.ether.bridge.enable=1
net.inet.ip.fw.one_pass=0
security.bsd.see_other_uids=0
net.link.ether.inet.max_age=1200
kern.ipc.somaxconn=1024
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.fw.dyn_buckets=16384
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_udp_lifetime=10
net.inet.ip.fw.dyn_syn_lifetime=5
net.inet.ip.fw.dyn_max=32000
net.inet.ip.fw.debug=0
net.inet.ip.dummynet.max_chain_len=256
net.inet.ip.dummynet.hash_size=1024
net.inet.ip.fw.verbose_limit=1
My kernel config:
...
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options TCPDEBUG
options IPSTEALTH
options TCP_DROP_SYNFIN
options DUMMYNET
options HZ=1000
options BRIDGE
...
My rc.conf
...
log_in_vain=1
icmp_drop_redirect="YES"
icmp_log_redirect=YES
tcp_drop_synfin="YES"
tcp_restrict_rst="YES"
Ganbold
At 04:24 PM 09.01.2004, you wrote:
>Hi,
>
> > I also have bridge ipfw2 on FreeBSD 5.2-current.
> > And the following rule passes ARP requests.
> >
> > # pass ARP
> > ${fwcmd} add 3000 allow layer2 mac-type arp
>
>This is exactly what doesn't work here :-(
>
>Would you tell me your related sysctl-values and kernel options?
>
>Mine here are: (/etc/sysctl.conf)
>
>net.link.ether.bridge_cfg=fxp0,fxp1
>net.link.ether.bridge_ipfw=1
>net.link.ether.bridge=1
>
>and:
>
>options BRIDGE #bridge-ability
>options IPFIREWALL #firewall
>options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
>options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
>
>Thanks so far - Matthias
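The two configs quoted above differ in one knob name (net.link.ether.bridge.enable versus net.link.ether.bridge), which is easy to miss when comparing them by eye. The script below is an added example, not code from Ganbold or Matthias: it audits a sysctl.conf for the three bridge-plus-ipfw prerequisites named in the thread (bridge_cfg, bridge_ipfw=1, bridge.enable=1) and prints the knobs on which two files disagree. The sample files are constructed from the bridge-related lines of the two configs in the thread; the warning about the older knob spelling is an assumption, not something the thread confirms.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sysctl.conf for the knobs a
# bridging ipfw box needs, and diff two such files. Knob names follow the
# two configs quoted in the thread; which spelling a given kernel honours
# is an assumption (see the WARN message).

# get_knob FILE KNOB -> value of KNOB (last assignment wins), empty if absent.
# Lines are "key=value"; leading whitespace and "#" comments are ignored.
get_knob() {
    sed 's/^[[:space:]]*//; s/#.*//' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# audit_bridge_sysctl FILE -> one line per finding; returns 0 only when all
# three bridge/ipfw prerequisites are present.
audit_bridge_sysctl() {
    f=$1; rc=0
    if [ -z "$(get_knob "$f" net.link.ether.bridge_cfg)" ]; then
        echo "MISSING net.link.ether.bridge_cfg: no interfaces are bridged"; rc=1
    fi
    if [ "$(get_knob "$f" net.link.ether.bridge_ipfw)" != 1 ]; then
        echo "MISSING net.link.ether.bridge_ipfw=1: bridged frames bypass ipfw"; rc=1
    fi
    if [ "$(get_knob "$f" net.link.ether.bridge.enable)" != 1 ]; then
        if [ "$(get_knob "$f" net.link.ether.bridge)" = 1 ]; then
            echo "WARN net.link.ether.bridge=1 set but net.link.ether.bridge.enable absent (assumed: a kernel that only knows the .enable spelling leaves bridging off)"
        else
            echo "MISSING net.link.ether.bridge.enable=1: bridging is off"
        fi
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: bridge + ipfw prerequisites present"
    return $rc
}

# sysctl_diff FILE1 FILE2 -> knobs whose values differ or exist in only one
# file, printed as "KNOB: value1 | value2" ("-" marks an absent knob).
sysctl_diff() {
    sed 's/^[[:space:]]*//; s/#.*//; /^$/d' "$1" "$2" | cut -d= -f1 | sort -u |
    while read -r k; do
        a=$(get_knob "$1" "$k"); b=$(get_knob "$2" "$k")
        [ "$a" = "$b" ] || echo "$k: ${a:--} | ${b:--}"
    done
}

# Constructed sample files: the bridge-related lines of the two configs
# quoted in the thread, written to a temporary directory.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
GANBOLD_CONF=$TMPD/ganbold.conf
MATTHIAS_CONF=$TMPD/matthias.conf
cat > "$GANBOLD_CONF" <<'EOF'
net.link.ether.bridge_cfg=fxp0:0,fxp1:0
net.link.ether.bridge_ipfw=1
net.link.ether.bridge.enable=1
net.inet.ip.fw.one_pass=0
EOF
cat > "$MATTHIAS_CONF" <<'EOF'
net.link.ether.bridge_cfg=fxp0,fxp1
net.link.ether.bridge_ipfw=1
net.link.ether.bridge=1
EOF

for c in "$GANBOLD_CONF" "$MATTHIAS_CONF"; do
    echo "== $c"
    audit_bridge_sysctl "$c"
done
echo "== knobs that differ"
sysctl_diff "$GANBOLD_CONF" "$MATTHIAS_CONF"
```

Run it as-is to see the two audits and the diff; to check a live box, point audit_bridge_sysctl at /etc/sysctl.conf (or at the output of `sysctl net.link.ether` saved to a file, since that shows what the running kernel actually honours rather than what the file asks for).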