FBSD6 if_bridge

Bruce A. Mah bmah at freebsd.org
Sat Dec 3 01:02:59 GMT 2005


If memory serves me right, David Pierron wrote:

> Ah!  I applied those settings to rc.conf and got the following results:
> 
> fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> 	options=8<VLAN_MTU>
> 	inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp0 prefixlen 64 scopeid 0x1 
> 	ether xx:xx:xx:xx:xx:xx
> 	media: Ethernet autoselect (none)
> 	status: no carrier
> fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> 	options=8<VLAN_MTU>
> 	inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp1 prefixlen 64 scopeid 0x2 
> 	ether xx:xx:xx:xx:xx:xx
> 	media: Ethernet autoselect (none)
> 	status: no carrier

OK, this looks better.  No guarantees, but I'm pretty sure it would never
have worked before.  Hopefully this will at least get you closer.

> I can't wait until the wee hours to test this!  They do seem to have 
> IPV6 addresses ... Can I shut that off?  Comment out IPV6 in the 
> kernel?  I don't need IPV6 ...

If you really want them gone, then you probably need to comment out IPv6
from your kernel.

Those are IPv6 "link local" addresses; they are designed for two nodes
on the same subnet to communicate with each other even if there is no
other addressing/routing infrastructure (to assign globally-visible
addresses, etc.).  The closest analog in the IPv4 world is the
169.254.0.0/16 range of addresses used by machines to communicate on a
subnet when they can't get (e.g.) DHCP addresses.

If there's no way for anybody to get an IPv6 packet to either fxp0 or
fxp1, I wouldn't worry about it, but I have to admit I'm not 100% sure
what the security implications of the link local addresses are.

> I see my:
> 
> pass  in  on $mgt_if proto tcp from any to $mgt_if port 80 keep state
> 
> expands out to two rules, one for inet and another for inet6 ...
> 
> or change the command to:
> 
> pass  in  on $mgt_if inet proto tcp from any to $mgt_if port 80 keep state
> 
> I shouldn't have to worry about IPV6 ...

I don't think that having the inet and inet6 rules hurts you except
(maybe) for performance.  My bridge actually does filter IPv6 traffic
(it's a tunnel endpoint), so it really does need those.

> Anyway, I'll report on the ifconfig_inf(x)="up" and see if that is the ticket ...

Looking forward to hearing the good news...

Bruce.
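For reference, here is a pf.conf fragment that puts the two points from this exchange side by side: the rule as David posted it, which pfctl expands into one inet and one inet6 rule, and the same rule pinned to IPv4 with the `inet` keyword, plus an explicit drop for IPv6 on the management interface so the link-local addresses are unreachable even while INET6 stays in the kernel. This is an added example written for this page, not configuration from either poster; the macro name $mgt_if and port 80 come from the thread, while the choice of fxp0 as the management interface and the surrounding default-deny policy are assumptions.

```pf
# /etc/pf.conf fragment (added example, not from the original thread).
# Assumption: management traffic arrives on fxp0; adjust to taste.
mgt_if = "fxp0"

set skip on lo0

# Default deny on everything not matched below.
block in log all

# As posted, with no address-family keyword.  pfctl expands this into
# two rules, one "inet" and one "inet6", which is what `pfctl -sr` shows:
#   pass in on $mgt_if proto tcp from any to $mgt_if port 80 keep state
#
# Drop IPv6 on the management interface outright, so the auto-configured
# fe80::/64 link-local address on fxp0 is not reachable from the wire.
block in quick on $mgt_if inet6 all

# Same management rule, now restricted to IPv4 only.
pass in on $mgt_if inet proto tcp from any to $mgt_if port 80 keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and compare `pfctl -sr` before and after adding `inet` to see the expansion collapse from two rules to one.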