Curiosity in IPFW/Freebsd bridge.

Andrew Seguin asegu at borgtech.ca
Thu Dec 16 14:51:51 PST 2004 

Hello, First off, a great thanks to this list who pointed out my hardware
issue (rl series cards). I now have the bridge on two Intel Pro NICS and I
use the on-board sis card for console access, and my average ping time is a
2ms average to the router, passing about a solid 2MB/s.

 

My current situation is that it seems IPFW is filtering by IP address, but
never matching an IP address/Port number combo (ex: “deny ip from IP to any”
works, but “deny ip from IP to any 80” does not work).

 

The firewall rules are as follows:

#1. Allow all SSH traffic until rules are down safe.

ipfw add 1 allow ip from any to LOCAL_IP 22

#ipfw add 100 TEST (either “deny ip from any to any” or “deny ip from any to
any 80”).

ipfw add 500 pipe 1 ip from any to any

ipfw pipe 1 config bw 20480Kbit/s

default> allow ip from any to any

 

The setup is as follows in rc.conf:

Ifconfig_fxp0=”up”

Ifconfig_fxp1=”up”

Ifconfig_sis0=”LOCAL_IP…”

 

And in sysctl.conf:

net.link.ether.bridge.enable=1

net.link.ether.bridge.config=fxp0,fxp1

net.link.ether.bridge.ipfw=1

 

Kernel has been built with IPFW and DUMMYNET. Freebsd 5.3 (RELENG_5,
cvsupdated and recompiled about a week ago).

 

The server was working fine when I had it filtering between two switches
(secondary to primary). I was having web/email/irc traffic bypass the pipe,
and used the pipe to limit the speed of those who use P2P. Now, I have this
situation with the firewall between the main switch and the router.

I really need to get this working for this purpose again fast or else I’ll
have a repeat of an earlier “internal” DoS, so any and all tips, comments,
pointers would be greatly appreciated!

 

I wonder if it is because I haven’t assigned an IP address on the fxp facing
the inside network…? Haven’t had the time to try this yet (11:50pm local
time!) since I don’t remember which fxp card is facing internal/external and
so I will try in the morning.

 

Again, many thanks!

Andrew Seguin

 

 


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.5.4 - Release Date: 12/15/2004

More information about the freebsd-net mailing list