5.4 -- bridging, ipfw, dot1q

Dan Mahoney, System Admin danm at prime.gushi.org
Fri Aug 12 04:03:33 GMT 2005

Okay, here's the situation.  PLEASE let me know if there's a better place 
to ask.  (isp@, kernel@, something)

I'm setting up a bridging firewall where the packets are passing through 
on dot1q trunks.

The bridge works.  Packet counts work (so I assume the bridge at least 
sees the packets).

Problem is, any "reasonable" rules (such as those which actually say to 
block traffic by ip or port or anything) aren't working at all.  Not even 
logging counts.

Setting the "bridged" flag doesn't seem to help.

My only guess is that ipfw doesn't have the brains to look beyond the VLAN 
tags.  Is this the case?  Is this supported under 4.x, or is there any way 
AT ALL that I can get this to work?

As a note, snort and trafshow and everything else work fine analyzing the 
bridge traffic; it seems only the kernel has an issue.


"Of course she's gonna be upset!  You're dealing with a woman here Dan, 
what the hell's wrong with you?"

-S. Kennedy, 11/11/01

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org