5.4 -- bridging, ipfw, dot1q
Glenn Dawson
glenn at antimatter.net
Fri Aug 12 05:01:06 GMT 2005
At 09:08 PM 8/11/2005, Dan Mahoney, System Admin wrote:
>Okay, here's the situation. PLEASE let me know if there's a better place
>to ask. (isp@, kernel@, something)
>
>I'm setting up a bridging firewall where the packets are passing through
>on dot1q trunks.
>
>The bridge works. Packet counts work (so I assume the bridge at least
>sees the packets).
>
>Problem is, any "reasonable" rules (such as those which actually say to
>block traffic by ip or port or anything) aren't working at all. Not even
>logging counts.
>
>Setting the "bridged" flag doesn't seem to help.
Which "bridged" flag would that be?
>My only guess is that ipfw doesn't have the brains to look beyond the VLAN
>tags. Is this the case? Is this supported under 4.x, or is there any way
>AT ALL that I can get this to work?
What version are you using? You mention 4.x here, but your subject line
suggests 5.4.
>As a note, snort and trafshow and everything else work fine analyzing the
>bridge traffic, it seems only the kernel has an issue.
Do you have the net.link.ether.bridge_ipfw sysctl set to 1?
-Glenn
>--
>
>"Of course she's gonna be upset! You're dealing with a woman here Dan,
>what the hell's wrong with you?"
>
>-S. Kennedy, 11/11/01
>
>--------Dan Mahoney--------
>Techie, Sysadmin, WebGeek
>Gushi on efnet/undernet IRC
>ICQ: 13735144 AIM: LarpGM
>Site: http://www.gushi.org
>---------------------------
>
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
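The check Glenn is asking for, written out as an added example that is not part of this thread: a small POSIX sh diagnostic that classifies the `net.link.ether.bridge_ipfw` sysctl value (the only name taken from the reply), emits two `count` probe rules (one restricted to the bridged pass with the ipfw(8) `layer2` keyword, for which `bridged` is the alias), and reads back their packet counters from `ipfw show` output. The rule numbers 100 and 110 and the sample `ipfw show` lines are constructed for illustration; the parsing functions run on any host, and the live part only runs on the FreeBSD box when invoked with `--live`.

```shell
#!/bin/sh
# Added example (not from the thread): a diagnostic for "the bridge forwards
# frames but ipfw rules never match". It checks the sysctl Glenn mentions and
# whether probe rules accumulate counters. Only net.link.ether.bridge_ipfw is
# taken from the thread; rule numbers and sample outputs are constructed.

# Classify one line of `sysctl net.link.ether.bridge_ipfw` output.
# Prints enabled, disabled or unknown; pure string handling, so it can be
# exercised on any host without root.
bridge_ipfw_state() {
    line="$1"
    case "$line" in
        net.link.ether.bridge_ipfw:*) ;;
        *) echo unknown; return 0 ;;
    esac
    value="${line#*:}"        # text after the colon
    value="${value# }"        # drop the single space sysctl prints
    case "$value" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Commands that install two non-terminating probe rules: 100 matches only
# frames handed to ipfw on the layer-2 (bridged) pass, 110 matches any IP
# packet on any pass. Rule numbers 100/110 are an assumption.
probe_rules() {
    cat <<'EOF'
ipfw add 100 count ip from any to any layer2
ipfw add 110 count ip from any to any
EOF
}

# Extract the packet counter for one rule from `ipfw show` output.
# $1 = output text, $2 = rule number. Prints -1 when the rule is absent.
rule_packets() {
    printf '%s\n' "$1" | awk -v r="$2" '
        $1 + 0 == r + 0 { print $2; found = 1 }
        END { if (!found) print -1 }'
}

# Constructed sample of `ipfw show` on a bridge whose ipfw hook is active:
# the layer2 probe counts bridged frames, the plain probe counts everything.
SAMPLE_IPFW_SHOW='00100   4821   3310442 count ip from any to any layer2
00110   4903   3361210 count ip from any to any
65535  10233  12099182 allow ip from any to any'

# Turn the two counters into a verdict.
#   bridged-frames-seen : ipfw sees the bridged traffic; look at rule bodies
#   ip-pass-only        : only routed/local IP traffic reaches ipfw
#   nothing-seen        : ipfw is not being fed at all; check the sysctl
verdict() {
    l2="$(rule_packets "$1" 100)"
    ip="$(rule_packets "$1" 110)"
    if [ "$l2" -gt 0 ]; then
        echo bridged-frames-seen
    elif [ "$ip" -gt 0 ]; then
        echo ip-pass-only
    else
        echo nothing-seen
    fi
}

# Live run on the bridge host (root): ./bridge_check.sh --live
diagnose_live() {
    out="$(sysctl net.link.ether.bridge_ipfw 2>/dev/null || true)"
    state="$(bridge_ipfw_state "$out")"
    echo "bridge->ipfw hook: $state"
    [ "$state" = enabled ] || echo "enable with: sysctl net.link.ether.bridge_ipfw=1"
    echo "probe rules to install:"; probe_rules
    echo "then read counters with: ipfw show 100 110"
}

case "${1:-}" in
    --live) diagnose_live ;;
esac
```

Because both probes are `count` rules they never terminate the search, so they can sit in front of an existing rule set while the counters are read; if rule 100 stays at zero while the bridge's own packet counters climb, the frames are not being handed to ipfw and the sysctl is the first thing to verify.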