if_bridge and ipfw

Dave McCammon davemac11 at yahoo.com
Tue Jul 3 16:19:21 UTC 2007


I can't seem to grasp why this is working differently.
FreeBSD 6.2 using ipfw + if_bridge

LAN -- em1(if_bridge + ipfw)em0 -- internet

so I am at 10.10.16.6 and try to ping, say, www.yahoo.com

in ruleset:
1100 allow icmp from any to 10.10.16.0/27{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
2100 allow ip from 10.10.16.0/27 to any in via em1

gets dropped by following rule as shown in logs:

4700 deny log ip from any to any

Log entry: ipfw: 4700 Deny ICMP:8.0 10.10.16.6 69.147.114.210 out via em0

If I add this rule all works great:

2101 allow icmp from 10.10.16.6 to any icmptypes 8

My confusion is: shouldn't the ICMP be allowed in rule 2100? Or is it that with if_bridge I have to make a rule for both interfaces?


The rule "2100 allow ip from 10.10.16.0/27 to any in via em1" allowed the ICMP passage out of em0 through the bridge in 6.2 using bridge(4).

This entire ruleset is the same with if_bridge as what has been working with bridge(4).
I just moved to if_bridge since bridge(4) is obsolete.

Thanks for your help.
dave
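
An added example, not part of the post above: with if_bridge, a bridged packet is run through ipfw on each member interface it crosses, once on the inbound pass ("in via em1") and again on the outbound pass ("out via em0"), which is why a rule that matches only "in via em1" leaves the second pass to fall through to 4700. The rc.firewall-style script below carries the post's rules 1100, 2100 and 4700 and adds one explicit outbound rule; the interface names and LAN prefix are the ones from the post, while the rule number 2110 and the script layout (`bridge_rules`, `apply_rules`) are this example's own assumptions.

```sh
#!/bin/sh
# Added example for the LAN -- em1 (if_bridge + ipfw) em0 -- internet layout.
# Not the poster's ruleset verbatim: rule 2110 and the script structure are
# this example's own additions.
set -eu

fwcmd="/sbin/ipfw"
lan_if="em1"            # inside bridge member
wan_if="em0"            # outside bridge member
lan_net="10.10.16.0/27" # LAN prefix from the post

# The rule set, emitted as ipfw(8) command lines (no leading "ipfw"), so it
# can be reviewed, diffed, or loaded line by line.
bridge_rules() {
    cat <<EOF
flush
# Replies the listed LAN hosts may receive (rule from the post, unchanged).
add 1100 allow icmp from any to ${lan_net}{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
# Pass 1: LAN traffic as it arrives on the inside member (rule from the post).
add 2100 allow ip from ${lan_net} to any in via ${lan_if}
# Pass 2: the same packet as it leaves the outside member. if_bridge filters
# on both members, so without this rule the packet hits 4700 with
# "out via em0", exactly as the log line in the post shows. (Added rule.)
add 2110 allow ip from ${lan_net} to any out via ${wan_if}
# Catch-all deny (rule from the post).
add 4700 deny log ip from any to any
EOF
}

# Load the rules only where ipfw(8) exists, i.e. on the FreeBSD bridge
# itself; anywhere else just print them for review.
apply_rules() {
    if [ -x "${fwcmd}" ]; then
        bridge_rules | grep -v '^#' | while IFS= read -r line; do
            # shellcheck disable=SC2086  # word splitting is intended here
            ${fwcmd} -q ${line}
        done
    else
        bridge_rules
    fi
}

apply_rules
```

The bare "out via em0" rule is the smallest change that reproduces what bridge(4) used to do for this traffic; a stateful variant (keep-state on 2100 plus a check-state rule ahead of it) would also cover the second pass, since dynamic rules match on addresses and ports rather than on the interface.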