IPFW2 statefulness over bridge?

Jon Simola jsimola at gmail.com
Tue May 10 14:36:53 PDT 2005


On 5/9/05, Simon Litchfield <simon at quo.com.au> wrote:

> Hi. We've noticed ipfw2 doesn't seem to maintain state on outgoing
> connections over our bridge (running 5.3 generic). A similar
> configuration worked fine using pf on openbsd.
> 
> Are we missing something? Here's the guts of our rule script --

ipfw bridges only get one chance at the packet, because the
bdg_forward path does not have anything similar to ether_output. You
can't firewall packets on their way out of your bridge, only on the
way in. So "via" doesn't make sense, and "in recv" might make some sense
depending on what you're trying to do. See the diagram in ipfw(8) for
details.

> # allow arps (oh yeah, this is important)
> ipfw add allow layer2 mac-type arp

You might want to rewrite your ruleset to split off the layer2 and
layer3 rules, otherwise (depending on your config) each packet will
pass through the entire ruleset twice. Once at layer2, and again at
layer3. Passes at layer2 won't match any rules that don't specify
"layer2" on the rule, and MAC matching doesn't make sense at layer3.

-- 
Jon Simola
Systems Administrator
ABC Communications

