ipfw, "ip|all" proto and PPPoE -- does PPPoE packets passed to ipfw?

Ian Smith smithi at nimnet.asn.au
Thu Aug 30 06:24:06 UTC 2012


On Wed, 29 Aug 2012 22:31:25 +0400, Lev Serebryakov wrote:
 > Hello, Michael.
 > You wrote on 29 August 2012, 19:01:08:
 > 
 > 
 > >>   I have interface (vr1), most of traffic on which is PPPoE. I have ipfw
 > >> firewall, which splits traffic by interfaces via:
 > >>
 > >> add 2000 skipto  5000 all  from any to any via em0
 > >> add 2010 skipto  7000 all  from any to any via wlan0
 > >> add 2020 skipto 11000 all  from any to any via vr1
 > >> add 2030 skipto 13000 all  from any to any via ng0
 > >> add 2040 skipto 15000 ipv6 from any to any via gif0
 > >> add 2999 deny all from any to any
 > >> ...
 > >> And later here are some basic checks, nat, "check-state" and some
 > >> stateful rules.
 > MS> Consider separating traffic not only by interface but also direction
 >   It is done in rules 1000 and 1010, 2xxx is for incoming, 3xxx for
 > outgoing. It is only a sample.

Hi Lev,

Glad you mentioned that, but I hope you're not using 'via' on your 3xxx 
outgoing rules, since it also applies to packets that earlier came in on 
that specified interface, which can be confusing or at least ambiguous.  
I generally only use 'via' on deny rules where packets may not traverse 
an interface either inbound or outbound, eg anti-spoofing rules.

 > MS>         ip from any to any in recv vr0
 > MS> and outgoing
 > MS>         ip from any to any out xmit vr0
 >   Yep, I'll collapse my two-rule chains in one rule.

I guess if the issue persists, we may need to see more of your ruleset.

 > >>   Does PPPoE packets match rule 2020, and other rules like "nat 1 ip
 > >> from any to any"?
 > MS> Yes, and it seems that that is not what you want.  The packets will be
 > MS> seen first by the firewall, then passed to whatever is handling PPPoE
 >   But there is no rule for it, and default policy is "deny"... But it
 > works.
 > 
 > MS> on the local box, then re-injected into the IP stack, etc. for
 > MS> processing by firewall rules again.
 > MS> Is there a pppX pseudo-interface?
 >   ng0, as I'm using mpd5, not system ppp.

Hmm, you shouldn't see ANY pppoe traffic on ng0, only on the interface 
mpd5 uses to connect with your DSL modem/bridge.  Nor would you expect 
to see pppoe traffic on any other interface.  Below is mpd4 syntax for 
mpd.links on an older box, not sure if it's still the same for mpd5:

lPPPoE:
        set link type pppoe
        set pppoe iface fxp0
        set pppoe service ""
        set pppoe disable incoming
        set pppoe enable originate

So I only see PPPoE traffic on fxp0 with tcpdump (along with occasional 
TCP 80 when talking to the modem itself); mpd should only talk IP on ng0.  
Take care not to route the (here fxp0) PPPoE traffic to anywhere else.

cheers, Ian
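As an added example (not from this thread, and not Lev's actual ruleset), here is the direction-split layout Ian recommends written as a small sh script in the /etc/rc.firewall style: per-interface skipto rules use `in recv` / `out xmit`, and `via` is kept only for a deny that is valid in both directions. The rule numbers, skipto targets, the 127.0.0.0/8 choice and the `fwcmd` variable are assumptions.

```shell
#!/bin/sh
# Added example: direction-aware interface splitting for ipfw.
# fwcmd follows the /etc/rc.firewall convention; set fwcmd=echo to dry-run.
fwcmd="${fwcmd:-/sbin/ipfw -q}"

# in_rule NUM TARGET IFACE: matches only packets arriving on IFACE.
in_rule() {
    printf 'add %s skipto %s ip from any to any in recv %s\n' "$1" "$2" "$3"
}

# out_rule NUM TARGET IFACE: matches only packets leaving on IFACE.
# 'via' here would also match outbound packets that earlier arrived on IFACE.
out_rule() {
    printf 'add %s skipto %s ip from any to any out xmit %s\n' "$1" "$2" "$3"
}

# spoof_rule NUM IFACE NET: the one place 'via' fits, since NET must never
# cross IFACE inbound or outbound. Loopback space is used rather than an
# RFC1918 range: with an ipfw nat rule later in the set, outbound packets
# still carry their private source when they reach a rule this early.
spoof_rule() {
    printf 'add %s deny ip from %s to any via %s\n' "$1" "$3" "$2"
    printf 'add %s deny ip from any to %s via %s\n' "$1" "$3" "$2"
}

# Assumed layout: 2xxx incoming, 3xxx outgoing, interfaces as in the thread.
ruleset() {
    spoof_rule 1000 ng0 127.0.0.0/8
    in_rule  2000  5000 em0
    in_rule  2020 11000 vr1
    in_rule  2030 13000 ng0
    out_rule 3000  6000 em0
    out_rule 3020 12000 vr1
    out_rule 3030 14000 ng0
    printf 'add 3999 deny ip from any to any\n'
}

# Feed each generated rule to $fwcmd (ipfw, or echo for a preview).
load_rules() {
    ruleset | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $fwcmd $rule
    done
}
```

Run with `fwcmd=echo` to preview the generated rules without touching the firewall.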

