IPF, IPv6 and a bridge

Jeroen Ubbink crasp at blackbyte.nl
Sun Feb 1 03:02:05 PST 2004


On Sat, Jan 31, 2004 at 04:48:46PM +0200, freebsd-question at premsoft.co.za wrote:
> David Malone wrote:
> 
> >On Fri, Jan 30, 2004 at 09:38:08AM +0100, Jeroen Ubbink wrote:
> >
> >>ipfw doesn't seem to block router advertisements on a
> >>bridge either. Is this just a problem with both those firewall tools or is
> >>it a problem in FreeBSD?
> >
> >
> >Bridged packets are special and are not usually firewalled. I could be
> >mistaken, but I don't think you can get ipf to filter bridged packets
> >in 4.9. You could use ipfw2 to do it though:
> >
> >	sysctl net.link.ether.bridge_ipfw=1
> >	ipfw add deny layer2 mac-type ipv6 recv tun1
> >
> >(You'll need to turn on ipfw2 to do this - see the ipfw man page for
> >details).
> >
> >	David.
> >_______________________________________________
> >freebsd-stable at freebsd.org mailing list
> >http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> >To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
> >
> Actually, I think it is possible.
> I have not tested this, but there is also a sysctl knob for ipf:
> net.link.ether.bridge_ipf: 1
> 
> Regards
> Jaco

Yes there is, but it doesn't seem to work as it is supposed to, but I'm not
sure whether this is because of the kernel or because of ipf. I only tested
with IPv6 so far, but just a minute ago I tried it using IPv4:

block in on tap1 from 192.168.1.12 to 192.168.0.2

tap1 is bridged with fxp0. fxp0 has 192.168.0/24 and tap1 has 192.168/16.
192.168.1.12 could still ping 192.168.0.2, so it doesn't seem to work at
all. The sysctl knob is enabled:

net.link.ether.bridge_ipf: 1

The rest of my rules which don't try to firewall anything on the bridge
work fine. So this knob is just sitting there doing nothing because it's just
not possible. Does anybody have an idea whether this is ipf or FreeBSD related?

Kind regards,
Jeroen Ubbink