ipfw and if_bridge
davemac11 at yahoo.com
Thu Feb 9 09:46:36 PST 2006
I had my firewall crash using releng_6 (SATA corruption/failure of some sort) and during the rebuild I decided to move to ipfw + if_bridge instead of using ipfw + bridge(4), since bridge(4) is becoming obsolete. Anyway, I had some problems getting the ruleset to work. I've cut the ruleset down to the pertinent parts to show what I am seeing.
I have a system with 2 cards, em0 and em1, being used as a filtering bridge. em0 faces the router and em1 faces the network.
network = 10.1.1.0/24
em0 address = (has none)
em1 address = 10.1.1.17
some internal lan machine = 10.1.1.12
add 100 pass layer2 mac-type arp
add 200 check-state
add 300 deny log tcp from any to any established in
add 400 allow icmp from any to 10.1.1.0/24 icmptypes
add 500 pass tcp from 10.1.1.17 to any setup
add 600 pass udp from 10.1.1.17 to any keep-state
add 700 pass ip from 10.1.1.17 to any
add 800 deny log ip from 10.1.1.0/24 to any in via em0
add 900 pass tcp from 10.1.1.0/24 to any in via em1
add 1000 pass udp from 10.1.1.0/24 to any in via em1
add 1100 pass ip from 10.1.1.0/24 to any in via em1
add 1200 deny log ip from any to any
ifconfig_em1="inet 10.1.1.17 netmask 255.255.255.0"
ifconfig_bridge0="addm em0 addm em1 up"
With bridge(4) I could ping from the inside machine (10.1.1.12) to the router or any other out-of-lan
After if_bridge I would get in the logs, after the same ping:
1200 Deny ICMP:8.0 10.1.1.12 to (router ip address)
out via em0
TCP outbound connections work.
After changing rulesets from "in via" to "recv", icmp
(ex: add 1100 pass ip from 10.1.1.0/24 to any recv
This blocking of the ICMP packet out via em0, even though the ruleset says to allow it because it came in via em1, doesn't seem to be correct behavior to me. The tcp/udp rulesets work even though there are intermittent pop-ups in the logs saying the connections were blocked out via em0.
Any enlightenment on this is appreciated.
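The "in via" versus "recv" difference behind the log line above, as an added example that is not from the post or from FreeBSD: a small Python model of ipfw's first-match evaluation over the three rules involved, assuming (as the log suggests) that if_bridge presents the forwarded echo request to ipfw twice, once inbound on em1 and once outbound on em0. The router address is a constructed placeholder, and `setup`, `keep-state` and the other options the post uses are not modelled; echo_verdicts returns the verdict of the inbound pass followed by the outbound pass.

```python
import ipaddress
from collections import namedtuple

# One pfil pass over a packet: direction "in"/"out"; recv = member interface it
# arrived on; xmit = member interface it leaves on (None on the inbound pass).
Packet = namedtuple("Packet", "proto src dst direction recv xmit")

def parse_rule(text):
    """Parse the subset of ipfw syntax in the post: add N action [log] proto from S to D [opts]."""
    tok = text.split()
    i = 4 if tok[3] == "log" else 3
    return dict(num=int(tok[1]), action=tok[2], proto=tok[i], src=tok[i + 2], dst=tok[i + 4], opts=tok[i + 5:])

def _in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt.proto) or not _in_net(pkt.src, rule["src"]) \
            or not _in_net(pkt.dst, rule["dst"]):
        return False
    opts, i = rule["opts"], 0
    while i < len(opts):
        o = opts[i]
        if o in ("in", "out"):      # direction of the pass currently being evaluated
            ok, i = pkt.direction == o, i + 1
        elif o == "via":            # interface of *this* pass only: recv when in, xmit when out
            ok, i = (pkt.recv if pkt.direction == "in" else pkt.xmit) == opts[i + 1], i + 2
        elif o == "recv":           # receive interface, matched on either pass
            ok, i = pkt.recv == opts[i + 1], i + 2
        else:                       # setup, keep-state, established etc. are not modelled
            ok = False
        if not ok:
            return False
    return True

def first_match(rules, pkt):
    for r in rules:                 # ipfw semantics: the first matching rule decides
        if rule_matches(r, pkt):
            return r["num"], r["action"]

ROUTER = "203.0.113.1"  # constructed placeholder for the router address in the post
POSTED = ("add 800 deny log ip from 10.1.1.0/24 to any in via em0",
          "add 1100 pass ip from 10.1.1.0/24 to any in via em1",
          "add 1200 deny log ip from any to any")
IN_VIA = [parse_rule(r) for r in POSTED]                                  # as posted
RECV = [parse_rule(r.replace("in via em1", "recv em1")) for r in POSTED]  # the suggested change

def echo_verdicts(rules):
    inbound = Packet("icmp", "10.1.1.12", ROUTER, "in", "em1", None)    # first pass, arriving on em1
    outbound = Packet("icmp", "10.1.1.12", ROUTER, "out", "em1", "em0")  # second pass, leaving via em0
    return [first_match(rules, p) for p in (inbound, outbound)]
```

With the posted rules the outbound pass falls through to 1200 because "in via em1" only matches on the inbound pass, while "recv em1" still matches the packet when it leaves via em0; rule 800 keeps catching 10.1.1.0/24 sources that arrive on em0.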