5.4 -- bridging, ipfw, dot1q

Dan Mahoney, System Admin danm at prime.gushi.org
Fri Aug 12 05:16:30 GMT 2005

On Thu, 11 Aug 2005, Glenn Dawson wrote:

> At 09:08 PM 8/11/2005, Dan Mahoney, System Admin wrote:
>> Okay, here's the situation.  PLEASE let me know if there's a better place 
>> to ask.  (isp@, kernel@, something)
>> I'm setting up a bridging firewall where the packets are passing through on 
>> dot1q trunks.
>> The bridge works.  Packet counts work (so I assume the bridge at least sees 
>> the packets).
>> Problem is, any "reasonable" rules (such as those which actually say to 
>> block traffic by ip or port or anything) aren't working at all.  Not even 
>> logging counts.
>> Setting the "bridged" flag doesn't seem to help.
> Which "bridged" flag would that be?

In the ipfw rule in question (which the ipfw command turns into layer2)

fw# ipfw add 310 count ip from any to bridged
00310 count ip from any to layer2

fw# ipfw show
00200          0            0 deny udp from any to any dst-port 1433
00300        971        47200 deny tcp from any to any dst-port 1433
00310          0            0 count ip from any to layer2
00330  144629234  70747652177 count ip from any to any layer2
00340          0            0 count ip from any to layer2
00350    1146497    505249814 count ip from any to via em1
00360  154009046  73153382415 allow log logamount 100 ip from any to any
65535 1078777549 484619628567 allow ip from any to any

(such a rule would report zero traffic, even when trafshow, snort, tcpdump 
all show there's a ton).

>> My only guess is that ipfw doesn't have the brains to look beyond the VLAN 
>> tags.  Is this the case?  Is this supported under 4.x, or is there any way 
>> AT ALL that I can get this to work?
> What version are you using?  You mention 4.x here, but your subject line 
> suggests 5.4.

Yes, I'm running 5.4, but asking if it may have been supported earlier on 
in the OS (with ipfw1 -- since I know it lacks the ability to even really 
do many mac-like things).

>> As a note, snort and trafshow and everything else work fine analyzing the 
>> bridge traffic, it seems only the kernel has an issue.
> Do you have the net.link.ether.bridge_ipfw sysctl set to 1?

fw# sysctl -a|grep net|grep ipfw
net.link.ether.bridge.ipfw: 1
net.link.ether.bridge.ipfw_drop: 0
net.link.ether.bridge.ipfw_collisions: 1021
net.link.ether.bridge_ipfw: 1
net.link.ether.ipfw: 0

Need anything else?
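As an added illustration (my own code, not from this thread or from the ipfw source), here is a simplified model of why a VLAN-unaware filter reports zero matches on dot1q trunk traffic: an 802.1Q tag inserts 4 bytes after the source MAC, so a parser that expects the IPv4 EtherType at offset 12 sees 0x8100 instead and never reaches the IP/TCP headers to evaluate a `dst-port 1433` style rule. The frames are constructed sample data; the rule emulation is a toy, not ipfw's matching logic.

```python
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag

def build_frame(vlan_id=None, dst_port=1433):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"  # dst, src MAC
    if vlan_id is None:
        return eth + struct.pack("!H", ETHERTYPE_IP) + ip + tcp
    # 802.1Q: TPID 0x8100 followed by a 16-bit TCI (priority/CFI/VLAN id)
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return eth + tag + struct.pack("!H", ETHERTYPE_IP) + ip + tcp

def parse_ip(pkt):
    """Return proto and TCP destination port from an IPv4 packet, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto != 6:
        return None
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return {"proto": proto, "dst_port": dst_port}

def parse_naive(frame):
    """VLAN-unaware: assumes the IP header starts right after 14 bytes of Ethernet."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IP:
        return None               # a tagged frame lands here and is never inspected
    return parse_ip(frame[14:])

def parse_vlan_aware(frame):
    """Skip any number of 802.1Q tags before looking for the IP header."""
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    while ethertype == ETHERTYPE_VLAN:
        off += 4                  # TPID (2) + TCI (2)
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype != ETHERTYPE_IP:
        return None
    return parse_ip(frame[off + 2:])

def count_matches(frames, parser, dst_port=1433):
    """Toy version of a 'count tcp from any to any dst-port N' rule."""
    return sum(1 for f in frames if (p := parser(f)) and p["dst_port"] == dst_port)
```

Run `count_matches` with `parse_naive` over tagged frames and the counter stays at zero, as in the `ipfw show` output above, while `parse_vlan_aware` counts the same traffic.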
