5.4 -- bridging, ipfw, dot1q

Glenn Dawson glenn at antimatter.net
Fri Aug 12 05:01:06 GMT 2005

At 09:08 PM 8/11/2005, Dan Mahoney, System Admin wrote:
>Okay, here's the situation.  PLEASE let me know if there's a better place 
>to ask.  (isp@, kernel@, something)
>I'm setting up a bridging firewall where the packets are passing through 
>on dot1q trunks.
>The bridge works.  Packet counts work (so I assume the bridge at least 
>sees the packets).
>Problem is, any "reasonable" rules (such as those which actually say to 
>block traffic by ip or port or anything) aren't working at all.  Not even 
>logging counts.
>Setting the "bridged" flag doesn't seem to help.

Which "bridged" flag would that be?

>My only guess is that ipfw doesn't have the brains to look beyond the VLAN 
>tags.  Is this the case?  Is this supported under 4.x, or is there any way 
>AT ALL that I can get this to work?

What version are you using?  You mention 4.x here, but your subject line 
suggests 5.4.

>As a note, snort and trafshow and everything else work fine analyzing the 
>bridge traffic, it seems only the kernel has an issue.

Do you have the net.link.ether.bridge_ipfw sysctl set to 1?
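For reference, the sysctl settings the reply is asking about, written out as an /etc/sysctl.conf fragment. This is an added example, not configuration from the original thread; the knob names are taken from the bridge(4) documentation of the FreeBSD 4.x and 5.x branches respectively (they were renamed between the two, which is why the version matters), and the interface names and cluster number are placeholders.

```conf
# Added example, not from the original post.  bridge(4) + ipfw settings,
# one set per branch; only use the set matching the running release.
# Interface names (fxp0, fxp1) and cluster id 0 are placeholders.

# --- FreeBSD 4.x names ---
net.link.ether.bridge=1                  # enable bridging
net.link.ether.bridge_cfg=fxp0:0,fxp1:0  # interfaces, each tagged with a cluster id
net.link.ether.bridge_ipfw=1             # hand bridged packets to ipfw

# --- FreeBSD 5.x names (same three settings, moved under a node) ---
net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0:0,fxp1:0
net.link.ether.bridge.ipfw=1
```

On a running system the same values can be set immediately with sysctl(8) (for example `sysctl net.link.ether.bridge_ipfw=1` on 4.x); /etc/sysctl.conf only takes effect at boot. With bridge-to-ipfw handoff enabled, a bridged packet is presented to the ruleset once, as an incoming packet on the interface it arrived on, so rules written with `in via <interface>` are the ones that will match it; a rule that expects to see the packet again on the outbound interface will not fire and will show zero counts.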


