ipfw and bridging [was: pf and bridging]

Ian Smith smithi at nimnet.asn.au
Sun Dec 5 05:50:08 PST 2004


On Sat, 4 Dec 2004, Chuck Swiger wrote:

 > Ian Smith wrote:
 > [ ... ]
 > > Read those ones for interest, but it leaves me wondering: can you use
 > > stateful filtering in ipfw, then?  (here ipfw1 on a 4.8-RELEASE box with
 > > BRIDGE in kernel so far, but I imagine this would apply also to ipfw2?)
 > 
 > Yes, you ought to be able to perform stateful packet filtering with either 
 > ipfw1 or 2.

Thanks for that, Chuck.  It did seem to be working, so I'd assumed that
ipfw stateful inspection must only be on inbound packets, for bridged
packets at least.

 > > I'm aware that one can only filter incoming packets, so I've always
 > > wondered whether stateful rules made any sense in a bridge context?
 > 
 > A firewall filters packets which pass through it (ie, either via routing, 
 > bridging, or whatever the topology is).  Yes, you can do stateful filtering on 
 > a bridge but you need to pay attention to the fact that you have both layer-2 
 > and layer-3 traffic involved.  You also need to enable a sysctl to have IPFW 
 > apply its rules to bridged traffic.

Indeed.  Now I'm curious; must find some time to look at the code a bit.

Cheers, Ian
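A minimal stateful ipfw ruleset for the bridge setup discussed in this thread, as an added example (not code from either poster). It assumes a FreeBSD 4.x kernel with BRIDGE and ipfw1, hypothetical interfaces fxp0 (outside) and fxp1 (inside), and the documentation subnet 192.0.2.0/24; the sysctl names are the ones documented in bridge(4) for 4.x.

```shell
#!/bin/sh
# Added example: stateful ipfw on a two-port BRIDGE(4) box (FreeBSD 4.x).
# IPFW defaults to a dry run (echo) so the script runs on any host;
# set IPFW=/sbin/ipfw to apply the rules for real.
IPFW=${IPFW:-"echo ipfw"}
OUTSIDE=${OUTSIDE:-fxp0}      # hypothetical interface names
INSIDE=${INSIDE:-fxp1}
LAN=${LAN:-192.0.2.0/24}      # documentation range, constructed for the example
BASTION=${BASTION:-192.0.2.10}

# The sysctls the thread refers to: bridge the two ports, then hand bridged
# packets to ipfw (without bridge_ipfw=1 the ruleset never sees them).
bridge_sysctls() {
    echo "net.link.ether.bridge_cfg=${OUTSIDE}:0,${INSIDE}:0"
    echo "net.link.ether.bridge=1"
    echo "net.link.ether.bridge_ipfw=1"
}

# Bridged packets are only presented to ipfw as *inbound* on the interface
# they arrived on, so every rule is written 'in recv <ifname>'.  An 'out via'
# rule would never match bridged traffic, which is why stateful rules keyed
# on the receiving interface are the way to express "LAN may initiate".
bridge_rules() {
    $IPFW -f flush
    $IPFW add 100 check-state
    # LAN hosts may open sessions outward; replies are admitted by the state entry.
    $IPFW add 200 allow tcp from $LAN to any in recv $INSIDE setup keep-state
    $IPFW add 210 allow udp from $LAN to any in recv $INSIDE keep-state
    $IPFW add 220 allow icmp from $LAN to any in recv $INSIDE keep-state
    # Only the bastion's SSH port is reachable from outside, again stateful.
    $IPFW add 300 allow tcp from any to $BASTION 22 in recv $OUTSIDE setup keep-state
    # Anything from outside without a state entry is logged and dropped.
    $IPFW add 65000 deny log ip from any to any in recv $OUTSIDE
    $IPFW add 65100 deny log ip from any to any
    # Caveat from the thread: a bridge carries layer-2 traffic too.  If your ipfw
    # build is also handed non-IP frames (ARP in particular), they need their own
    # allow rule, or the default deny silently breaks the bridge.
}

bridge_sysctls
bridge_rules
```

Review the echoed commands first; with IPFW=/sbin/ipfw they are applied in order, and the sysctls are meant for /etc/sysctl.conf.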