ipfw on a bridge
msch at snafu.de
Thu Jan 8 06:38:17 PST 2004
Hi,
I'm working on a filtering bridge with ipfw2 on FreeBSD 5.1-RELEASE-p11.
I made a test-setup consisting of the bridge itself and a test-client
behind that bridge. 'fxp0' is the outer I/F, 'fxp1' the inner.
Neither 'fxp0' nor 'fxp1' has an IP address. 'bge0' is the on-board I/F of
the bridge-host *with* an IP address.
My first test-ruleset for ipfw on the bridge is:
root at fw1.xxx.yyy.zzz - ~
515 # ipfw list
00100 check-state
00200 skipto 3000 ip from any to any layer2
00300 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state
00400 allow ip from me to any xmit bge0 keep-state
03000 allow ip from any to any layer2 not mac-type 0x0800
03100 allow tcp from any to any in recv fxp1 setup keep-state
03200 allow udp from any to any in recv fxp1 keep-state
03300 allow ip from any to any in recv fxp1
03400 deny log ip from any to any
65535 deny ip from any to any
Rule 3000 should allow for ARP-requests, but doesn't work as expected.
I have several questions on that rule:
The original syntax is from the ipfw(8)-manpage and reads as follows:
"allow layer2 not mac-type ip" where 'ip' expands to '0x0800'
Why does "allow layer2 mac-type 0x0806" *not* work, although '0x0806'
is exactly the MAC-Type for ARP?
Why can I ping the internal client from outside if
"allow layer2 not mac-type ip" is active, although the ICMP ping-request
comes to the bridge "in recv fxp0"? If I look at the counters, the 'ping'
uses rule #3000, although ICMP *is* mac-type 'ip'.
Can someone explain that behaviour? I read 'ipfw(8)' several times as well
as the article on 'filtering bridges' on freebsd.org. "TCP/IP Illustrated"
from W.R.Stevens is my best friend :-) but I remain irritated.
Thanks a lot - Matthias
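The poster worked out which rule the ping hit by reading the ipfw counters. The following is an added example, not code from the original post, that makes that check reproducible: it diffs two 'ipfw -a list' snapshots (taken before and after sending a test packet) and prints every rule whose packet counter grew. The two snapshots embedded below are constructed for the example; the rule numbers are the poster's, the counter values are made up.

```shell
#!/bin/sh
# Added example (not from the original post): find which ipfw rules a test
# packet hit by diffing two 'ipfw -a list' snapshots.
set -eu

# 'ipfw -a list' prints: <rule> <packets> <bytes> <rule text>
# Constructed snapshot taken before the test packet.
BEFORE='00100          0          0 check-state
00200         40       3360 skipto 3000 ip from any to any layer2
00300          1         60 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state
00400          2        120 allow ip from me to any xmit bge0 keep-state
03000         40       3360 allow ip from any to any layer2 not mac-type 0x0800
03100          0          0 allow tcp from any to any in recv fxp1 setup keep-state
03200          0          0 allow udp from any to any in recv fxp1 keep-state
03300          0          0 allow ip from any to any in recv fxp1
03400          0          0 deny log ip from any to any
65535          0          0 deny ip from any to any'

# Constructed snapshot after 'ping -c 4' through the bridge: 8 ICMP packets
# (4 requests, 4 replies) counted on rules 200 and 3000 in this made-up run.
AFTER='00100          0          0 check-state
00200         48       4032 skipto 3000 ip from any to any layer2
00300          1         60 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state
00400          2        120 allow ip from me to any xmit bge0 keep-state
03000         48       4032 allow ip from any to any layer2 not mac-type 0x0800
03100          0          0 allow tcp from any to any in recv fxp1 setup keep-state
03200          0          0 allow udp from any to any in recv fxp1 keep-state
03300          0          0 allow ip from any to any in recv fxp1
03400          0          0 deny log ip from any to any
65535          0          0 deny ip from any to any'

# rules_hit BEFORE_FILE AFTER_FILE
# Prints "<rule> <extra packets> <rule text>" for every rule whose packet
# counter increased between the two snapshots.  Rules present only in the
# second snapshot are treated as starting from zero.
rules_hit() {
    awk 'NR == FNR { before[$1] = $2; next }
         ($2 - before[$1]) > 0 {
             rule = $1; delta = $2 - before[$1]
             $1 = $2 = $3 = ""; sub(/^ +/, "")   # strip the counter columns
             print rule, delta, $0
         }' "$1" "$2"
}

# Runs rules_hit over the two constructed snapshots above.
snapshot_diff_demo() {
    b=$(mktemp); a=$(mktemp)
    printf '%s\n' "$BEFORE" > "$b"
    printf '%s\n' "$AFTER" > "$a"
    rules_hit "$b" "$a"
    rm -f "$b" "$a"
}

# On a real bridge the procedure is:
#   ipfw -a list > before; ping -c 4 <client>; ipfw -a list > after
#   rules_hit before after
snapshot_diff_demo
```

Run it on the bridge host between two real snapshots; 'ipfw zero' beforehand keeps the numbers small. To confirm what ethertype a frame actually carries when it reaches the outer interface, 'tcpdump -e -n -i fxp0' prints the link-layer header (ethertype included) alongside each packet, which is the value the mac-type test is compared against.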