5.4 -- bridging, ipfw, dot1q
Dan Mahoney, System Admin
danm at prime.gushi.org
Fri Aug 12 05:16:30 GMT 2005
On Thu, 11 Aug 2005, Glenn Dawson wrote:
> At 09:08 PM 8/11/2005, Dan Mahoney, System Admin wrote:
>> Okay, here's the situation. PLEASE let me know if there's a better place
>> to ask. (isp@, kernel@, something)
>>
>> I'm setting up a bridging firewall where the packets are passing through on
>> dot1q trunks.
>>
>> The bridge works. Packet counts work (so I assume the bridge at least sees
>> the packets).
>>
>> Problem is, any "reasonable" rules (such as those which actually say to
>> block traffic by ip or port or anything) aren't working at all. Not even
>> logging counts.
>>
>> Setting the "bridged" flag doesn't seem to help.
>
> Which "bridged" flag would that be?
In the ipfw rule in question (which the ipfw command turns into layer2)
i.e.
fw# ipfw add 310 count ip from any to 56.199.242.178 bridged
00310 count ip from any to 56.199.242.178 layer2
fw# ipfw show
00200 0 0 deny udp from any to any dst-port 1433
00300 971 47200 deny tcp from any to any dst-port 1433
00310 0 0 count ip from any to 56.199.242.178 layer2
00330 144629234 70747652177 count ip from any to any layer2
00340 0 0 count ip from any to 56.199.242.82 layer2
00350 1146497 505249814 count ip from any to 55.125.224.0/19 via em1
00360 154009046 73153382415 allow log logamount 100 ip from any to any
65535 1078777549 484619628567 allow ip from any to any
(such a rule would report zero traffic, even when trafshow, snort, tcpdump
all show there's a ton).
>> My only guess is that ipfw doesn't have the brains to look beyond the VLAN
>> tags. Is this the case? Is this supported under 4.x, or is there any way
>> AT ALL that I can get this to work?
>
> What version are you using? You mention 4.x here, but your subject line
> suggests 5.4.
Yes, I'm running 5.4, but asking if it may have been supported earlier on
in the OS (with ipfw1 -- since I know it lacks the ability to even really
do many mac-like things).
>> As a note, snort and trafshow and everything else work fine analyzing the
>> bridge traffic, it seems only the kernel has an issue.
>
> Do you have the net.link.ether.bridge_ipfw sysctl set to 1?
fw# sysctl -a|grep net|grep ipfw
net.link.ether.bridge.ipfw: 1
net.link.ether.bridge.ipfw_drop: 0
net.link.ether.bridge.ipfw_collisions: 1021
net.link.ether.bridge_ipfw: 1
net.link.ether.ipfw: 0
Need anything else?
-Dan
--
"The first annual 5th of July party...have you been invited?"
"It's a Jack Party."
"Okay, so Long Island's been invited."
--Cali and Gushi, 6/23/02
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
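The thread's working hypothesis is that ipfw's layer2 rules never match because the 802.1Q tag sits between the Ethernet header and the IP header, so a filter that assumes an untagged frame reads the wrong bytes and concludes "not IP". The following constructed example is added here and is not from the thread or from FreeBSD's ipfw code; it models that hypothesis with a naive parser beside a tag-aware one and shows how the naive parser produces exactly the symptom reported (a count rule that stays at zero while the bridge clearly forwards traffic). The frames, MAC addresses and the 10.0.0.1 source are constructed; the 56.199.242.178 destination is the one used in the quoted rules. Whether the 5.4 bridge/ipfw path actually behaves like the naive parser is not established by the thread.

```python
import struct
import ipaddress

ETHERTYPE_IP = 0x0800
# 0x8100 is the customary 802.1Q TPID; 0x88A8 is the 802.1ad service tag (QinQ outer tag).
VLAN_TPIDS = {0x8100, 0x88A8}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, vlan_id=None):
    """Build a minimal Ethernet frame carrying a bare IPv4 header (constructed test data).
    Only the fields a filter would inspect (ethertype, VLAN tag, src/dst IP) are realistic."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        # 802.1Q tag: TPID 0x8100 followed by TCI (PCP=0, DEI=0, 12-bit VID)
        hdr += struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_IP)
    # IPv4 header: ver/IHL, TOS, total len, id, flags/frag, TTL, proto(TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return hdr + ip


def naive_ip_addrs(frame):
    """Filter that assumes an untagged frame: ethertype at offset 12, IP header at 14.
    On a tagged frame it sees 0x8100 instead of 0x0800 and reports 'not IP'."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_IP:
        return None
    src = ipaddress.IPv4Address(frame[14 + 12:14 + 16])
    dst = ipaddress.IPv4Address(frame[14 + 16:14 + 20])
    return str(src), str(dst)


def tag_aware_ip_addrs(frame):
    """Skip any 802.1Q/802.1ad tags before reading the payload ethertype.
    Returns (src, dst, outer_vlan_id) or None if the payload is not IPv4."""
    off = 12
    vlan = None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype in VLAN_TPIDS:          # loop handles stacked (QinQ) tags
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        if vlan is None:
            vlan = tci & 0x0FFF             # remember the outermost VID
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2                                # step past the ethertype itself
    if ethertype != ETHERTYPE_IP:
        return None
    src = ipaddress.IPv4Address(frame[off + 12:off + 16])
    dst = ipaddress.IPv4Address(frame[off + 16:off + 20])
    return str(src), str(dst), vlan


def count_matches(frames, dst_ip, parser):
    """Model an 'ipfw count ip from any to <dst_ip>' rule: return how many frames match
    when addresses are extracted with the given parser."""
    hits = 0
    for frame in frames:
        parsed = parser(frame)
        if parsed is not None and parsed[1] == dst_ip:
            hits += 1
    return hits


if __name__ == "__main__":
    untagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.1", "56.199.242.178")
    tagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.1", "56.199.242.178",
                         vlan_id=100)
    trunk = [tagged] * 5                    # constructed: five tagged frames crossing the trunk
    print("naive parser, tagged trunk:    ", count_matches(trunk, "56.199.242.178", naive_ip_addrs))
    print("tag-aware parser, tagged trunk:", count_matches(trunk, "56.199.242.178", tag_aware_ip_addrs))
    print("naive parser, untagged frame:  ", naive_ip_addrs(untagged))
    print("tag-aware parser, tagged frame:", tag_aware_ip_addrs(tagged))
```

Running it shows the naive rule counting zero of five tagged frames while the tag-aware one counts all five, which is the shape of the `00310 0 0 count ip from any to 56.199.242.178 layer2` line in the quoted `ipfw show`. The diagnostic value for an operator is that a rule with an IP match on a trunk port should be checked against a capture (tcpdump with `-e` shows the 802.1Q tag) before concluding the traffic is absent.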