trouble with ipfw on FreeBSD 10
Ian Smith
smithi at nimnet.asn.au
Sat Oct 4 07:51:04 UTC 2014
On Wed, 1 Oct 2014 15:54:57 +1000, Ian Smith wrote:
> On Tue, 30 Sep 2014 18:54:29 -0400, Jack Barber wrote:
> > On 09/30/2014 01:29 AM, Ian Smith wrote:
> > > On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote:
> > > > We are having trouble getting ipfw to work over a bridged interface.
> > > >
> > > > for example:
> > > >
> > > > machine 1 -> Bridged interface FreeBSD 10 -> machine 2.
> > > >
> > > > machine 1 - 192.168.20.20
> > > > machine 2 - 192.168.20.25
> > > >
> > > > now I set something like this in /etc/ipfw.rules:
> > > >
> > > > $IPFWcmd add deny all from 192.168.20.20/24 to any
> > > > $IPFWcmd add deny all from any to 192.168.20.20/24
> > > >
> > > > where both machine 1 and machine 2 are on said subnet and already work.
> > >
> > > Please confirm that these two are only connected via two interfaces on
> > > the bridge/ipfw box, with no switch involved? And that these rules,
> > > once working, should deny traffic between ANY hosts in this /24 subnet?
> > >
> > > > when I reload the rules, I am unable to stop a connection between
> > > > machine 1 and machine 2.
> > > >
> > > > I've already made sure that ipfw is running (loaded), and the rules
> > > > appear to take, and even show up with "ipfw show".
> > > >
> > > > # ipfw show
> > > > ...
> > > > 01700 0 0 deny ip from 192.168.20.0/24 to any
> > > > 01800 0 0 deny ip from any to 192.168.20.0/24
> > > > 65535 9227 11389032 allow ip from any to any
> > > >
> > > > However, there is no effect on data travelling over the pipe at all.
> > > >
> > > > This setup was confirmed many times to work with FreeBSD 9.2, but it
> > > > does not work on 10. Any help is appreciated.
> > >
> > > What values are set for these sysctls?
> > >
> > > net.link.ether.ipfw: 0
> > > Controls whether layer-2 packets are passed to ipfw. Default is
> > > no.
> > >
> > > net.link.bridge.ipfw: 0
> > > Controls whether bridged packets are passed to ipfw. Default is
> > > no.
> > >
> > > cheers, Ian
> >
> > On 192.168.20.0/24 the network was set up solely as a test network. It is
> > comprised of two load-generating machines on either side (192.168.20.20
> > and 192.168.20.25), and a FreeBSD 10 machine in the middle which has a
> > double-headed fibre NIC bridged to connect both machines through the
> > FreeBSD 10 machine.
> >
> > # sysctl net.link.bridge.ipfw
> > net.link.bridge.ipfw: 1
> >
> > # sysctl net.link.ether.ipfw
> > net.link.ether.ipfw: 0
> >
> >
> > Furthermore, I am unable to find a good guide or reference material for
> > sysctl options.
>
> Jack, I'm posting this back to the list. I haven't set up a filtering
> bridge since about 2005, and that was with the old bridge(?) on FreeBSD
> 4.8 and 4.10, rather than if_bridge(4). I really can't recall whether
> net.link.ether.ipfw also needed to be set.
>
> Since 'bridged' is a synonym for 'layer2', I'm not clear from ipfw(8)
> either .. nor from if_bridge(4), especially regarding use of the
> net.link.bridge.pfil_* sysctls - but some people here will know ..
They will know, but that doesn't mean that they'll say :)

I dug up the old filtering bridge setup, used from 2003-2009, and things
were rather different with the old bridge(4); here's its sysctl.conf:

net.link.ether.bridge_cfg=rl0,vr0
net.link.ether.bridge=1
net.link.ether.bridge_ipfw=1

Also, in those days, you could only filter bridged packets on the way
in; once passed inbound they never were passed to ipfw again .. I don't
know if that's still the case with if_bridge(4), but I assume not (?)

However looking at ipfw(8) PACKET FLOW, it seems likely that you'd need
to also set net.link.ether.ipfw=1 to pass bridged / layer2 packets to
ipfw. You might see if that helps? You could also add something like
the rules at the end of that section to check inbound/outbound packet
flow at both layer2 and layer3, even if just with 'count' rules.

I don't disagree that documentation of this aspect is, er, thin.

cheers, Ian
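An added example, not from the thread or from the FreeBSD project, that makes the two suggestions above concrete: it reads sysctl(8) output for the two knobs named in this thread and reports any that are off, and it prints ipfw 'count' rules for the entry points described under PACKET FLOW in ipfw(8). The subnet, rule numbers and sample sysctl values are constructed; 'count' and 'layer2' are standard ipfw(8) keywords.

```sh
#!/bin/sh
# Added example (not from the thread): check the two sysctls that gate
# whether bridged / layer-2 frames reach ipfw at all, and print 'count'
# rules that reveal at which layer and direction packets are being seen.

# Reads "name: value" lines in the format sysctl(8) prints, i.e. the output of
#   sysctl net.link.bridge.ipfw net.link.ether.ipfw
# Reports each knob that is not 1 and returns 0 only when both are 1.
bridge_filter_ready() {
    bridge_ok=0; ether_ok=0
    while read -r name value; do
        case "$name" in
            net.link.bridge.ipfw:) [ "$value" = "1" ] && bridge_ok=1 ;;
            net.link.ether.ipfw:)  [ "$value" = "1" ] && ether_ok=1 ;;
        esac
    done
    [ "$bridge_ok" = 1 ] || echo "net.link.bridge.ipfw is not 1: bridged packets are not passed to ipfw"
    [ "$ether_ok" = 1 ]  || echo "net.link.ether.ipfw is not 1: layer-2 packets are not passed to ipfw"
    [ "$bridge_ok" = 1 ] && [ "$ether_ok" = 1 ]
}

# Prints (does not install) four ipfw rules that only count traffic for
# SUBNET at each entry point listed under PACKET FLOW in ipfw(8): layer-2
# in, IP-layer in, IP-layer out, layer-2 out. BASE is a constructed rule
# number; choose one lower than the deny rules so the counters see every
# packet first. To install on the bridge box, write the output to a file
# and load it with:  ipfw /path/to/that/file
count_rules() {
    subnet=$1; base=$2
    printf 'add %d count ip from %s to any layer2 in\n'      "$base"         "$subnet"
    printf 'add %d count ip from %s to any not layer2 in\n'  "$((base + 1))" "$subnet"
    printf 'add %d count ip from any to %s not layer2 out\n' "$((base + 2))" "$subnet"
    printf 'add %d count ip from any to %s layer2 out\n'     "$((base + 3))" "$subnet"
}

# Offline demo on a constructed sample that mirrors the values Jack posted
# (bridge.ipfw=1, ether.ipfw=0); on the bridge box pipe real sysctl output in.
sample='net.link.bridge.ipfw: 1
net.link.ether.ipfw: 0'
printf '%s\n' "$sample" | bridge_filter_ready || echo "-> enable both before expecting deny rules to match"
count_rules 192.168.20.0/24 100
```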