Help me please (ipfw+bridge+freebsd 5.2.1)

Admin admin at spbu.ru
Mon May 17 05:23:21 PDT 2004


Hello dear developers,

I have FreeBSD 5.2.1 release + bridge and ipfw.
I filter on the interfaces (rl0, our net: everything allowed; rl1: filtered).
If I enable net.link.ether.bridge.ipfw=1, the firewall works only
locally.
Do I need to filter the bridge if I filter the interfaces?

Sample: (81.89.68.130 - freebsd; 81.89.68.200 - my computer)
work:       00100 allow ip from any to any via lo0
work:       00200 allow ip from any to any via rl0
work:       00300 allow tcp from any to 81.89.68.130 dst-port 21,22,25,53,80,465,995 in via rl1
don't work: 01000 allow tcp from 212.48.140.177 8000 to 81.89.68.143 dst-port 1024-65535 in via rl1
don't work: 01100 allow tcp from 81.89.68.143 1024-65535 to 212.48.140.177 dst-port 8000 out via rl1
don't work: 02900 allow ip from any to 81.89.68.200 in via rl1
don't work: 02910 allow ip from 81.89.68.200 to any out via rl1
don't work: 02920 allow ip from any to 81.89.68.200 in via rl0
don't work: 02940 allow ip from 81.89.68.200 to any out via rl0
work:       65535 deny ip from any to any

Where is the problem?

My settings:
mail# sysctl -a | grep fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 34
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1
net.link.ether.bridge.ipfw: 1
net.link.ether.bridge.ipfw_drop: 0
net.link.ether.bridge.ipfw_collisions: 0
net.link.ether.bridge_ipfw: 1
net.link.ether.ipfw: 0

I tried setting net.link.ether.ipfw=1; nothing changed.

mail# sysctl -a | grep bridge
net.link.ether.bridge.version: $Revision$ $Date$
net.link.ether.bridge.debug: 0
net.link.ether.bridge.ipf: 0
net.link.ether.bridge.ipfw: 1
net.link.ether.bridge.copy: 0
net.link.ether.bridge.ipfw_drop: 0
net.link.ether.bridge.ipfw_collisions: 0
net.link.ether.bridge.packets: 423251
net.link.ether.bridge.dropped: 0
net.link.ether.bridge.predict: 222548
net.link.ether.bridge.enable: 1
net.link.ether.bridge.config: rl0,rl1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_cfg: rl0,rl1

Thank you in advance.

P.S. These settings and firewall rules worked beautifully on FreeBSD
4.6-RELEASE.

-- 
Best regards,
 Admin                          mailto:admin at thermopribor.com
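The rule set quoted in the post, run through a small first-match evaluator. This is an added example, not code from the post or from FreeBSD; it parses the ten rules as written, sorts them by number, and reports which rule a constructed packet hits, using two ipfw facts: rules are evaluated in ascending order and the first match decides, and "via" matches the named interface for either direction. It models plain interface filtering only and says nothing about how the bridge hands packets to ipfw, which is the open question in the post. The Packet fields and the sample packets are constructed for illustration.

```python
"""First-match evaluator for the ipfw rule set quoted in the post.

Added example, not part of the original mailing-list message. It parses
the subset of ipfw syntax the post uses (allow/deny, ip/tcp/udp, from/to,
source port, dst-port lists and ranges, in/out, via) and returns the rule
that decides a constructed packet.
"""
import re
from dataclasses import dataclass

# The rules exactly as they appear in the post.
RULES_TEXT = """\
00100 allow ip from any to any via lo0
00200 allow ip from any to any via rl0
00300 allow tcp from any to 81.89.68.130 dst-port 21,22,25,53,80,465,995 in via rl1
01000 allow tcp from 212.48.140.177 8000 to 81.89.68.143 dst-port 1024-65535 in via rl1
01100 allow tcp from 81.89.68.143 1024-65535 to 212.48.140.177 dst-port 8000 out via rl1
02900 allow ip from any to 81.89.68.200 in via rl1
02910 allow ip from 81.89.68.200 to any out via rl1
02920 allow ip from any to 81.89.68.200 in via rl0
02940 allow ip from 81.89.68.200 to any out via rl0
65535 deny ip from any to any
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<proto>\S+)\s+"
    r"from\s+(?P<src>\S+)(?:\s+(?P<sports>[\d,\-]+))?\s+"
    r"to\s+(?P<dst>\S+)(?:\s+dst-port\s+(?P<dports>[\d,\-]+))?"
    r"(?:\s+(?P<dir>in|out))?(?:\s+via\s+(?P<iface>\S+))?\s*$"
)


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    sports: list      # list of (lo, hi); empty means any port
    dst: str
    dports: list
    direction: str    # "in", "out", or "" for either
    iface: str        # "" means any interface


@dataclass
class Packet:
    """Constructed packet description (hypothetical, for the evaluator)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


def parse_ports(spec):
    """'21,22,1024-65535' -> [(21, 21), (22, 22), (1024, 65535)]."""
    ranges = []
    if not spec:
        return ranges
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rules(text):
    """Parse one rule per line and return them sorted by rule number."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append(Rule(int(m["num"]), m["action"], m["proto"], m["src"],
                          parse_ports(m["sports"]), m["dst"],
                          parse_ports(m["dports"]), m["dir"] or "",
                          m["iface"] or ""))
    return sorted(rules, key=lambda r: r.number)


def _addr_ok(spec, addr):
    return spec == "any" or spec == addr


def _port_ok(ranges, port):
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def rule_matches(rule, pkt):
    """True if every qualifier on the rule matches the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _addr_ok(rule.src, pkt.src) or not _addr_ok(rule.dst, pkt.dst):
        return False
    if not _port_ok(rule.sports, pkt.sport) or not _port_ok(rule.dports, pkt.dport):
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    # "via" matches the interface whether the packet is inbound or outbound.
    if rule.iface and rule.iface != pkt.iface:
        return False
    return True


def first_match(rules, pkt):
    """ipfw semantics: walk rules in ascending order, first match decides."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    samples = [
        Packet("tcp", "1.2.3.4", 40000, "81.89.68.130", 22, "in", "rl1"),
        Packet("tcp", "212.48.140.177", 8000, "81.89.68.143", 5000, "in", "rl1"),
        Packet("tcp", "9.9.9.9", 1, "81.89.68.130", 23, "in", "rl1"),
    ]
    for pkt in samples:
        hit = first_match(rules, pkt)
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{pkt.direction} via {pkt.iface}: rule {hit.number} {hit.action}")
```

A packet with no explicit allow falls through to the catch-all 65535 deny, which is how the evaluator reports the "don't work" cases: if a rule is never reached because an earlier one already decided, or because the direction or interface seen by ipfw differs from what the rule expects, the deny is what the packet hits.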
