trouble with ipfw on FreeBSD 10
Ian Smith
smithi at nimnet.asn.au
Tue Sep 30 05:29:22 UTC 2014
On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote:
> We are having trouble getting ipfw to work over a bridged interface.
>
> For example:
>
> machine 1 -> Bridged interface FreeBSD 10 -> machine 2.
>
> machine 1 - 192.168.20.20
> machine 2 - 192.168.20.25
>
> Now I set something like this in /etc/ipfw.rules:
>
> $IPFWcmd add deny all from 192.168.20.20/24 to any
> $IPFWcmd add deny all from any to 192.168.20.20/24
>
> where both machine 1 and machine 2 are on said subnet and already work.
Please confirm that these two are only connected via two interfaces on
the bridge/ipfw box, with no switch involved? And that these rules,
once working, should deny traffic between ANY hosts in this /24 subnet?
> when I reload the rules, I am unable to stop a connection between
> machine 1 and machine 2.
>
> I've already made sure that ipfw is running (loaded), and the rules
> appear to take, and even show up with "ipfw show".
>
> # ipfw show
> ...
> 01700 0 0 deny ip from 192.168.20.0/24 to any
> 01800 0 0 deny ip from any to 192.168.20.0/24
> 65535 9227 11389032 allow ip from any to any
>
> However, there is no effect on data travelling over the pipe at all.
>
> This setup was confirmed many times to work with FreeBSD 9.2, but it
> does not work on 10. Any help is appreciated.
What values are set for these sysctls?

net.link.ether.ipfw: 0
    Controls whether layer-2 packets are passed to ipfw. Default is no.
net.link.bridge.ipfw: 0
    Controls whether bridged packets are passed to ipfw. Default is no.
cheers, Ian
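A small check for the state Ian asks about, added here as an example (not code from the thread or from FreeBSD): it reads the output of `sysctl net.link.ether.ipfw net.link.bridge.ipfw` taken on the bridge box and reports whether bridged traffic can reach ipfw at all. The sample input is constructed to match the values quoted above.

```shell
# Added example, not part of the original thread. POSIX sh.
# check_bridge_ipfw reads "name: value" lines (the format sysctl prints)
# on stdin, names the two knobs that are still 0, and returns 1 if any are.
# With both at 0, ipfw never sees bridged packets, so deny rules in
# /etc/ipfw.rules match nothing: that is the zero packet/byte counters on
# rules 01700 and 01800 in the "ipfw show" output above.
check_bridge_ipfw() {
    disabled=""
    while IFS= read -r line; do
        case "$line" in
            net.link.ether.ipfw:*|net.link.bridge.ipfw:*) ;;
            *) continue ;;          # ignore unrelated sysctl lines
        esac
        name=${line%%:*}            # text before the first colon
        value=${line#*: }           # text after "name: "
        if [ "$value" = "0" ]; then
            disabled="$disabled $name"
        fi
    done
    if [ -n "$disabled" ]; then
        printf 'ipfw does not see bridged packets; still 0:%s\n' "$disabled"
        return 1
    fi
    printf 'both sysctls enabled; ipfw sees bridged packets\n'
    return 0
}

# Constructed sample: the (default) state reported in the thread.
SAMPLE_OUTPUT='net.link.ether.ipfw: 0
net.link.bridge.ipfw: 0'

# Stand-alone run: names both knobs and prints the remedy.
printf '%s\n' "$SAMPLE_OUTPUT" | check_bridge_ipfw \
    || echo "hint: sysctl net.link.bridge.ipfw=1 (persist it in /etc/sysctl.conf)"
```

On the bridge box, `sysctl net.link.bridge.ipfw=1` turns the knob on for the running system, and a `net.link.bridge.ipfw=1` line in /etc/sysctl.conf keeps it across reboots.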