5.4 -- bridging, ipfw, dot1q
Dan Mahoney, System Admin
danm at prime.gushi.org
Fri Aug 12 05:16:30 GMT 2005
On Thu, 11 Aug 2005, Glenn Dawson wrote:
> At 09:08 PM 8/11/2005, Dan Mahoney, System Admin wrote:
>> Okay, here's the situation. PLEASE let me know if there's a better place
>> to ask. (isp@, kernel@, something)
>> I'm setting up a bridging firewall where the packets are passing through on
>> dot1q trunks.
>> The bridge works. Packet counts work (so I assume the bridge at least sees
>> the packets).
>> Problem is, any "reasonable" rules (such as those which actually say to
>> block traffic by ip or port or anything) aren't working at all. Not even
>> logging counts.
>> Setting the "bridged" flag doesn't seem to help.
> Which "bridged" flag would that be?
In the ipfw rule in question (which the ipfw command turns into layer2)
fw# ipfw add 310 count ip from any to 18.104.22.168 bridged
00310 count ip from any to 22.214.171.124 layer2
fw# ipfw show
00200 0 0 deny udp from any to any dst-port 1433
00300 971 47200 deny tcp from any to any dst-port 1433
00310 0 0 count ip from any to 126.96.36.199 layer2
00330 144629234 70747652177 count ip from any to any layer2
00340 0 0 count ip from any to 188.8.131.52 layer2
00350 1146497 505249814 count ip from any to 184.108.40.206/19 via em1
00360 154009046 73153382415 allow log logamount 100 ip from any to any
65535 1078777549 484619628567 allow ip from any to any
(such a rule would report zero traffic, even when trafshow, snort, tcpdump
all show there's a ton).
>> My only guess is that ipfw doesn't have the brains to look beyond the VLAN
>> tags. Is this the case? Is this supported under 4.x, or is there any way
>> AT ALL that I can get this to work?
> What version are you using? You mention 4.x here, but your subject line
> suggests 5.4.
Yes, I'm running 5.4, but asking if it may have been supported earlier on
in the OS (with ipfw1 -- since I know it lacks the ability to even really
do many mac-like things).
>> As a note, snort and trafshow and everything else work fine analyzing the
>> bridge traffic, it seems only the kernel has an issue.
> Do you have the net.link.ether.bridge_ipfw sysctl set to 1?
fw# sysctl -a|grep net|grep ipfw
Need anything else?
"The first annual 5th of July party...have you been invited?"
"It's a Jack Party."
"Okay, so Long Island's been invited."
--Cali and Gushi, 6/23/02
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
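Added example, not from the thread or from FreeBSD's ipfw source: a C sketch of the parsing difference Dan's guess describes, a tag-aware walk past 802.1Q headers next to a fixed-offset lookup that assumes an untagged frame. The frame bytes, MACs and 192.0.2.x addresses are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed sample: an 802.1Q tag (VID 100) in front of an IPv4 header to
 * 192.0.2.1; all values are made up for this illustration. */
static const uint8_t tagged_frame[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, /* dst, src MAC */
    0x81, 0x00, 0x00, 0x64,                         /* TPID 0x8100, TCI with VID 100 */
    0x08, 0x00,                                     /* inner ethertype: IPv4 */
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, /* ver/IHL, TOS, length, ID, frag */
    0x40, 0x06, 0x00, 0x00,                         /* TTL, proto TCP, checksum (0) */
    0xc0, 0x00, 0x02, 0x0a, 0xc0, 0x00, 0x02, 0x01, /* src 192.0.2.10, dst 192.0.2.1 */
};

/* Skip the MAC addresses and any 802.1Q (0x8100) or 802.1ad (0x88a8) tags.
 * Returns the offset of the layer-3 header, or -1 if truncated; stores the
 * inner ethertype and the outermost VLAN id (0 when untagged). */
int l3_offset(const uint8_t *f, size_t len, uint16_t *ethertype, uint16_t *vid)
{
    size_t off = 12;
    *vid = 0;
    for (;;) {
        if (off + 2 > len) return -1;
        uint16_t et = (uint16_t)(f[off] << 8 | f[off + 1]);
        if (et != 0x8100 && et != 0x88a8) { *ethertype = et; return (int)off + 2; }
        if (off + 4 > len) return -1;
        if (*vid == 0) *vid = (uint16_t)((f[off + 2] << 8 | f[off + 3]) & 0x0fff);
        off += 4;                       /* TPID + TCI */
    }
}

/* Tag-aware: destination IPv4 address (host order), 0 if not IPv4 or truncated. */
uint32_t ipv4_dst(const uint8_t *f, size_t len)
{
    uint16_t et, vid;
    int off = l3_offset(f, len, &et, &vid);
    if (off < 0 || et != 0x0800 || (size_t)off + 20 > len || f[off] >> 4 != 4) return 0;
    const uint8_t *ip = f + off;
    return (uint32_t)ip[16] << 24 | (uint32_t)ip[17] << 16 | ip[18] << 8 | ip[19];
}

/* Tag-blind: expects the ethertype at offset 12 and IP at 14. On a trunk it
 * sees 0x8100 there, decides "not IP" and never matches (the zero-count symptom). */
uint32_t ipv4_dst_naive(const uint8_t *f, size_t len)
{
    if (len < 34 || (f[12] << 8 | f[13]) != 0x0800 || f[14] >> 4 != 4) return 0;
    return (uint32_t)f[30] << 24 | (uint32_t)f[31] << 16 | f[32] << 8 | f[33];
}
```

Running both functions over the same tagged frame returns 0xc0000201 (192.0.2.1) from the tag-aware path and 0 from the fixed-offset one, which is what a per-rule count of zero beside a busy catch-all layer2 rule looks like.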