ipfw with if_bridge oddity
Dave McCammon
davemac11 at yahoo.com
Fri Jul 6 16:05:55 UTC 2007
I got nothing from questions@ so I'm posting here.
I can't seem to grasp why this is working differently.
FreeBSD 6.2 using ipfw + if_bridge
LAN -- em1(if_bridge + ipfw)em0 -- internet
I am at xx.xx.16.6 and try to ping say www.yahoo.com
in ruleset:
1100 allow icmp from any to xx.xx.16.0/27{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
2100 allow ip from xx.xx.16.0/27 to any in via em1
gets dropped by the following rule, as shown in the logs:
4700 deny log ip from any to any
Log entry: ipfw: 4700 Deny ICMP:8.0 xx.xx.16.6 69.147.114.210 out via em0
If I add this rule all works great:
2101 allow icmp from xx.xx.16.0/27 to any recv em1
Why would the "recv em1" work and the "in via em1" get blocked?
I just changed from using bridge(4) to if_bridge using the same ruleset.
The rest of my ruleset seems to be working fine but this problem is causing me a little paranoia
about the effectiveness of the firewall.
Also, should I still be seeing "deny (snip) in via bridge0" messages in my logs
if I have this set: "net.link.bridge.pfil_bridge: 0"?
Thanks for your help.
dave
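Added example (not from the original post or from FreeBSD): a small model of how ipfw(8) applies the `in`/`out`, `via`, `recv` and `xmit` keywords, replaying the two checks a bridged packet gets with if_bridge when net.link.bridge.pfil_member is 1 (the default): once inbound on em1 and once outbound on em0, which is the "out via em0" check in the quoted log line. Addresses are ignored and only the keywords that decide this case are kept; rule numbers are the post's, the traffic is constructed.

```python
def matches(rule, check):
    """True if `rule` (a dict of ipfw keywords) matches the packet at `check`.
    check = {"dir": "in"|"out", "iface": interface at this hook,
             "recv": interface the packet arrived on, "icmptype": int}"""
    if "dir" in rule and rule["dir"] != check["dir"]:
        return False
    # `via`: the interface the packet is passing through at this check
    if "via" in rule and rule["via"] != check["iface"]:
        return False
    # `recv`: the receive interface; testable on inbound and outbound checks
    if "recv" in rule and rule["recv"] != check["recv"]:
        return False
    # `xmit`: the transmit interface; only meaningful on outbound checks
    if "xmit" in rule and (check["dir"] != "out" or rule["xmit"] != check["iface"]):
        return False
    if "icmptypes" in rule and check["icmptype"] not in rule["icmptypes"]:
        return False
    return True

def first_match(ruleset, check):
    """Return the number of the first matching rule (ipfw is first-match)."""
    for num, rule in ruleset:
        if matches(rule, check):
            return num
    return None

# Rules 1100, 2100 and 4700 as posted (simplified), plus the 2101 the poster added.
BASE = [
    (1100, {"icmptypes": {0, 3, 11, 12, 13, 14}}),
    (2100, {"dir": "in", "via": "em1"}),
    (4700, {}),
]
WITH_2101 = sorted(BASE + [(2101, {"recv": "em1"})])

# Constructed: an echo request (type 8) from the LAN is checked inbound on
# em1 and again outbound on em0; the receive interface stays em1 both times.
ECHO_IN = {"dir": "in", "iface": "em1", "recv": "em1", "icmptype": 8}
ECHO_OUT = {"dir": "out", "iface": "em0", "recv": "em1", "icmptype": 8}

def trace(ruleset, checks):
    """First matching rule at each check point, in order."""
    return [first_match(ruleset, c) for c in checks]

if __name__ == "__main__":
    print(trace(BASE, [ECHO_IN, ECHO_OUT]))       # [2100, 4700]
    print(trace(WITH_2101, [ECHO_IN, ECHO_OUT]))  # [2100, 2101]
```

Rule 2100 passes the inbound check on em1, but the outbound check happens on em0, where `in via em1` cannot match and the packet falls through to 4700; `recv em1` still matches there because the receive interface is tested on outbound checks too.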
More information about the freebsd-stable mailing list