if_bridge and ipfw

Dave McCammon davemac11 at yahoo.com
Tue Jul 3 16:19:21 UTC 2007

I can't seem to grasp why this is working differently.
FreeBSD 6.2 using ipfw + if_bridge

LAN -- em1(if_bridge + ipfw)em0 -- internet

so I am at and try to ping say www.yahoo.com

in ruleset:
1100 allow icmp from any to{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
2100 allow ip from to any in via em1

gets dropped by following rule as shown in logs:

4700 deny log ip from any to any

Log entry: ipfw: 4700 Deny ICMP:8.0 out via em0

If I add this rule all works great:

2101 allow icmp from to any icmptypes 8

My confusion is: shouldn't the ICMP be allowed by rule 2100? Or is it that with if_bridge I have to make a rule for both interfaces?

The rule "2100 allow ip from to any in via em1" allowed the icmp passage,
out of em0 through the bridge in 6.2 using bridge(4).

This entire ruleset is the same with if_bridge as the one that has been working with bridge(4).
I just moved to if_bridge since bridge(4) is obsolete.

Thanks for your help.

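Added example (not code from the post or from FreeBSD): a small Python model of ipfw's first-match evaluation that runs the poster's rules over the same echo request twice, once as it enters via em1 and once as it leaves via em0, which is the two-pass evaluation the "out via em0" log line above reflects. The addresses are constructed placeholders for the ones elided in the post, and the Packet/Rule classes are a hypothetical simplification of ipfw's matching.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
@dataclass
class Packet:
    proto: str            # "icmp", "tcp", ...
    src: str
    dst: str
    direction: str        # "in" or "out"
    iface: str            # interface the packet is crossing right now
    icmptype: Optional[int] = None
@dataclass
class Rule:
    num: int
    action: str                      # "allow" or "deny"
    proto: str = "ip"                # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None  # None: matches both in and out
    iface: Optional[str] = None      # "via" interface; None: any
    icmptypes: Tuple[int, ...] = ()  # empty: any ICMP type

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and (not self.icmptypes or p.icmptype in self.icmptypes))
def evaluate(rules, p):
    """First matching rule (by number) wins, as in ipfw."""
    for r in sorted(rules, key=lambda r: r.num):
        if r.matches(p):
            return r.num, r.action
    return None, "deny"  # implicit default deny at the end of the ruleset
def bridge_verdicts(rules, p_in, p_out):
    """A bridged packet is checked on each interface it crosses; both must allow."""
    return evaluate(rules, p_in), evaluate(rules, p_out)

LAN_HOST = "192.0.2.10"   # constructed stand-in for the poster's elided LAN address
RULESET = [  # the poster's rules, with the elided addresses replaced by LAN_HOST
    Rule(1100, "allow", "icmp", dst=LAN_HOST, icmptypes=(0, 3, 11, 12, 13, 14)),
    Rule(2100, "allow", "ip", src=LAN_HOST, direction="in", iface="em1"),
    Rule(4700, "deny"),
]
FIXED = RULESET + [Rule(2101, "allow", "icmp", src=LAN_HOST, icmptypes=(8,))]

# constructed: one echo request, seen inbound on em1 and then outbound on em0
PING_IN = Packet("icmp", LAN_HOST, "203.0.113.5", "in", "em1", icmptype=8)
PING_OUT = Packet("icmp", LAN_HOST, "203.0.113.5", "out", "em0", icmptype=8)
```

With RULESET the inbound pass is allowed by 2100 but the outbound pass falls through to 4700; with FIXED, rule 2101 (which has no interface or direction qualifier) also allows the em0 pass.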
