if_bridge and ipfw
Dave McCammon
davemac11 at yahoo.com
Tue Jul 3 16:19:21 UTC 2007
I can't seem to grasp why this is working differently.
FreeBSD 6.2 using ipfw + if_bridge
LAN -- em1(if_bridge + ipfw)em0 -- internet
So I am at 10.10.16.6 and try to ping, say, www.yahoo.com.
in ruleset:
1100 allow icmp from any to 10.10.16.0/27{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
2100 allow ip from 10.10.16.0/27 to any in via em1
It gets dropped by the following rule, as shown in the logs:
4700 deny log ip from any to any
Log entry: ipfw: 4700 Deny ICMP:8.0 10.10.16.6 69.147.114.210 out via em0
If I add this rule all works great:
2101 allow icmp from 10.10.16.6 to any icmptypes 8
My confusion is: shouldn't the icmp be allowed by rule 2100? Or is it that with if_bridge I have to make a rule for both interfaces?
The rule "2100 allow ip from 10.10.16.0/27 to any in via em1" allowed the icmp passage out of em0 through the bridge in 6.2 using bridge(4).
This entire ruleset is the same with if_bridge as has been working with bridge(4).
I just moved to if_bridge since the bridge(4) is obsolete.
Thanks for your help.
dave
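The following is an added illustration, not code from Dave's post or from FreeBSD: a toy Python model of the quoted ruleset that checks the echo request twice, once "in via em1" and once "out via em0" (the pass named in the logged line). Under that assumption rule 2100, which only matches "in via em1", cannot match the second pass, so the packet falls through to 4700 until a direction-agnostic rule such as 2101 is added; the same model shows rule 1100 covering the echo reply on both passes.

```python
import ipaddress
from collections import namedtuple

# Toy model of the ruleset in the post; constructed for illustration, not ipfw code.
# Rule fields follow ipfw syntax: proto "ip" matches anything, src/dst are "any",
# a CIDR, or CIDR{hosts} as in rule 1100, direction is "in"/"out"/"" (either),
# via is an interface name or "" (any), icmptypes is () for any ICMP type.
Rule = namedtuple("Rule", "num action proto src dst direction via icmptypes",
                  defaults=("", "", ()))
Packet = namedtuple("Packet", "proto src dst icmptype", defaults=(-1,))  # -1: not ICMP

def addr_match(addr, spec):
    if spec == "any":
        return True
    cidr, _, hosts = spec.partition("{")   # "10.10.16.0/27{1-10,13}" -> net, host list
    net, ip = ipaddress.ip_network(cidr, strict=False), ipaddress.ip_address(addr)
    if ip not in net or not hosts:
        return ip in net
    host = int(ip) - int(net.network_address)   # host number inside the subnet
    return any(int(lo) <= host <= int(hi or lo) for lo, _, hi in
               (part.partition("-") for part in hosts.rstrip("}").split(",")))

def rule_match(r, p, direction, iface):
    return (r.proto in ("ip", p.proto) and addr_match(p.src, r.src)
            and addr_match(p.dst, r.dst) and r.direction in ("", direction)
            and r.via in ("", iface) and (not r.icmptypes or p.icmptype in r.icmptypes))

def bridge_verdict(rules, p, in_if, out_if):
    """Check the packet twice, 'in via in_if' then 'out via out_if', as the
    'out via em0' log line in the post implies; return (action, rule, pass)."""
    for direction, iface in (("in", in_if), ("out", out_if)):
        r = next(r for r in rules if rule_match(r, p, direction, iface))
        if r.action == "deny":
            break
    return r.action, r.num, f"{direction} via {iface}"

# The three rules quoted in the post, the fix rule, and the logged echo request.
RULES = [
    Rule(1100, "allow", "icmp", "any", "10.10.16.0/27{1-10,13,14,19,22,23}",
         icmptypes=(0, 3, 11, 12, 13, 14)),
    Rule(2100, "allow", "ip", "10.10.16.0/27", "any", direction="in", via="em1"),
    Rule(4700, "deny", "ip", "any", "any"),
]
FIX = Rule(2101, "allow", "icmp", "10.10.16.6", "any", icmptypes=(8,))
PING = Packet("icmp", "10.10.16.6", "69.147.114.210", icmptype=8)

if __name__ == "__main__":
    print(bridge_verdict(RULES, PING, "em1", "em0"))                   # ('deny', 4700, 'out via em0')
    print(bridge_verdict(sorted(RULES + [FIX], key=lambda r: r.num), PING, "em1", "em0"))  # ('allow', 2101, 'out via em0')
```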