ipfw2 and bridging on 5.2-RELEASE
Matthias Schuendehuette
msch at snafu.de
Thu Jan 15 04:07:30 PST 2004
Hello,
I have serious problems with ipfw2 and bridging on my FreeBSD 5.2-RELEASE
machine. First of all: Is this the right list? Or should I go to 'net' or
'questions'?
Anyway, here's the situation:
My bridging machine has three interfaces, 'bge0' with an IP address for
ssh access and 'fxp0' (outbound) and 'fxp1' (inbound) for bridging. All the
network traffic is in a VLAN with VLAN-ID 112, just to mention, with 'vlan0'
and 'vlan1' as the corresponding vlan interfaces for 'fxp0' resp. 'fxp1'.
My bridge configuration is:
net.link.ether.bridge.config: fxp0:0,fxp1:0,vlan0:1,vlan1:1
and works with an 'open' firewall without problems.
My ruleset for testing purposes is fairly straightforward:
# setup 'lo0'
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 check-state
00500 skipto 3000 ip from any to any layer2
# setup for ssh-access via 'bge0'
00600 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state
00700 allow ip from me to any xmit bge0 keep-state
# rules for the bridge
03000 allow ip from any to any layer2 mac-type 0x0806 # ARP
03100 allow tcp from any to any recv fxp1 setup keep-state
03200 allow udp from any to any recv fxp1 keep-state
03300 allow icmp from any to any recv fxp1
03400 allow ip from any to any recv fxp1
03500 deny log ip from any to any
65535 deny ip from any to any
As usual, my first test is pinging from inside to an outside machine.
Having done that, I see that the ping requests come through the filtering bridge and
the ping replies are blocked - so far, so good.
But the ICMP packets use rule #3400 and not #3300, why?
If I change rule #3300 to "allow icmp from any to any" it still doesn't work,
only "allow ip from any to any" leads to a working ping (of course).
BTW, the same is true for TCP and/or UDP traffic - obviously the IP protocol
type is not recognized.
Is this a bug or a feature - or a limitation because of the bridging?
Or is my understanding wrong in any way?
I hope someone can explain this behaviour a bit to me...
TIA - Matthias
--
Matthias Schuendehuette, Berlin, Germany
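One check a practitioner would make before reading the ruleset any further is to look at what a frame on the bridged path actually carries at the point where the layer2 rules are evaluated: with traffic on VLAN 112, a frame may arrive with an 802.1Q tag, so its outer EtherType is 0x8100 and the IP header sits four bytes later than in an untagged frame. The following added example (not code from the original post) decodes a constructed tagged and untagged ICMP frame and reports the outer EtherType, VLAN ID, inner EtherType and IPv4 protocol number, which is what one would compare against a capture taken on fxp1; the MAC and IP addresses in the sample are made up.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806    # the mac-type used by rule 03000 in the post

@dataclass
class FrameInfo:
    dst: str
    src: str
    outer_ethertype: int         # EtherType field at offset 12, as seen before untagging
    vlan_id: Optional[int]       # None when the frame carries no 802.1Q tag
    ethertype: int               # EtherType of the payload after any tag
    ip_proto: Optional[int]      # IPv4 protocol number, None unless payload is IPv4

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame: bytes) -> FrameInfo:
    """Decode Ethernet II, an optional single 802.1Q tag, and the IPv4 protocol field."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    outer = struct.unpack("!H", frame[12:14])[0]
    etype, offset, vlan_id = outer, 14, None
    if outer == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF        # low 12 bits of the TCI carry the VLAN ID
        offset = 18
    ip_proto = None
    if etype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        ip_proto = frame[offset + 9]  # protocol field is byte 9 of the IPv4 header
    return FrameInfo(mac_str(dst), mac_str(src), outer, vlan_id, etype, ip_proto)

def build_sample_frame(tagged: bool) -> bytes:
    """Constructed sample: ICMP echo request 10.0.112.5 -> 192.0.2.1, VLAN 112 if tagged."""
    macs = bytes.fromhex("00112233445566778899aabb")           # made-up dst + src MACs
    tag = struct.pack("!HH", ETHERTYPE_VLAN, 112) if tagged else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 1, 0,  # proto 1 = ICMP
                     bytes([10, 0, 112, 5]), bytes([192, 0, 2, 1]))      # checksum left 0
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)                          # echo request
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp
```

A rule that matches on the frame's EtherType sees `outer_ethertype`, so for a tagged frame it is 0x8100 rather than 0x0800 or 0x0806; a capture from fxp1 fed through `parse_frame` shows which of the two shapes the bridge is actually handling.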