Bridging and IPFW

George Breahna freebsd at top-consulting.net
Wed Jun 1 01:16:04 PDT 2005


Hey guys, hope I posted this to the right list!

I recently installed version 5.4 on a computer that acts as a
gateway/firewall/bridge for a LAN.

There are 30 or so computers sitting behind interface rl1, which has no IP
address assigned.

rl1 is bridged to rl0, which is the external interface and has all the
proper IPs assigned.

The bridge is functioning perfectly, but the problem comes when I try to
filter - using ipfw - by MAC address.

Here are the relevant sysctl variables (hope I set them all!):

net.link.ether.bridge.enable: 1
net.link.ether.bridge.config: rl0:0,rl1:0
net.link.ether.bridge_ipfw: 1
net.link.ether.ipfw: 1

According to what I have read, using ipfw2 I should now be able to properly
filter by MAC address, so I wrote up some rules!

$IPFW 10 add allow ip from any to any MAC any 00:0E:A6:02:4D:A4
$IPFW 10 add allow ip from any to any MAC 00:0E:A6:02:4D:A4 any

The problem is that I am getting hits on only ONE of these rules, and that's
the first one. Nothing hits the second one!
In total I have 3 rules - these two and the last one, which is allow ip from
any to any.

So it looks like this:

00010    142169    205532194 allow ip from any to any MAC any 00:0e:a6:02:4d:a4
00010         0            0 allow ip from any to any MAC 00:0e:a6:02:4d:a4 any
65535 194369376 164135836653 allow ip from any to any


I have tried adding various other options, like in via rl1, out via rl1,
bridged, etc., to no avail. The second rule isn't hit by anything!

Theoretically, it should be - if I add rule #20 that says deny ip from any
to any, my computer can no longer pass through the gateway although my MAC
is listed in rule #10.

I really am at a loss for ideas as to what might be causing this, especially
since I already did this once and it worked fine on 4.10.

Any input would be appreciated.

Thanks!
George
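As an added example (not part of the original post), a small parser for the `ipfw -a list` accounting output quoted above. It re-joins rule bodies that a mail client wrapped onto a following line, splits the MAC option into its two operands in the order ipfw(8) documents for the `MAC` keyword (destination first, then source), and reports rules whose packet counter is still zero. The sample text is the listing from the post, constructed inline so the script runs offline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the `ipfw -a list` output from the post, with the two
# MAC rules wrapped across lines the way the mail client wrapped them.
SAMPLE = """\
00010    142169    205532194 allow ip from any to any MAC any
00:0e:a6:02:4d:a4
00010         0            0 allow ip from any to any MAC 00:0e:a6:02:4d:a4
any
65535 194369376 164135836653 allow ip from any to any
"""

# <rule number> <packets> <bytes> <rule body>
RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.*)$")
# ipfw(8) grammar for the option: "MAC dst-mac src-mac"
MAC_RE = re.compile(r"\bMAC\s+(\S+)\s+(\S+)")

@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    body: str
    mac_dst: Optional[str] = None  # first MAC operand = destination
    mac_src: Optional[str] = None  # second MAC operand = source

def parse_ipfw_list(text: str) -> List[Rule]:
    """Parse `ipfw -a list` output; lines that do not begin with a rule
    number are treated as continuations of the previous rule body."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
        elif rules:
            rules[-1].body += " " + line
        else:
            raise ValueError(f"continuation line before any rule: {line!r}")
    for r in rules:
        mm = MAC_RE.search(r.body)
        if mm:
            r.mac_dst, r.mac_src = mm[1].lower(), mm[2].lower()
    return rules

def unmatched_rules(rules: List[Rule]) -> List[Rule]:
    """Rules with a zero packet counter: candidates for a mis-stated match."""
    return [r for r in rules if r.packets == 0]
```

Feeding it the listing shows that the rule with the host MAC as the first (destination) operand is the one with zero hits, which is the first thing to check against the intended direction of each rule.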


