On Tue, 30 Sep 2014 18:54:29 -0400, Jack Barber wrote:
> On 09/30/2014 01:29 AM, Ian Smith wrote:
> > On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote:
> > > We are having trouble getting ipfw to work over a bridged interface.
> > >
> > > For example:
> > >
> > > machine 1 -> Bridged interface FreeBSD 10 -> machine 2.
> > >
> > > machine 1 - 192.168.20.20
> > > machine 2 - 192.168.20.25
> > >
> > > Now I set something like this in /etc/ipfw.rules:
> > >
> > > $IPFWcmd add deny all from 192.168.20.20/24 to any
> > > $IPFWcmd add deny all from any to 192.168.20.20/24
> > >
> > > where both machine 1 and machine 2 are on said subnet and already work.
> >
> > Please confirm that these two are only connected via two interfaces on
> > the bridge/ipfw box, with no switch involved? And that these rules,
> > once working, should deny traffic between ANY hosts in this /24 subnet?
> >
> > > When I reload the rules, I am unable to stop a connection between
> > > machine 1 and machine 2.
> > >
> > > I've already made sure that ipfw is running (loaded), and the rules
> > > appear to take, and even show up with "ipfw show".
> > >
> > > # ipfw show
> > > ...
> > > 01700 0 0 deny ip from 192.168.20.0/24 to any
> > > 01800 0 0 deny ip from any to 192.168.20.0/24
> > > 65535 9227 11389032 allow ip from any to any
> > >
> > > However, there is no effect on data travelling over the pipe at all.
> > >
> > > This setup was confirmed many times to work with FreeBSD 9.2, but it
> > > does not work on 10. Any help is appreciated.
> >
> > What values are set for these sysctls?
> >
> > net.link.ether.ipfw: 0
> > Controls whether layer-2 packets are passed to ipfw. Default is no.
> >
> > net.link.bridge.ipfw: 0
> > Controls whether bridged packets are passed to ipfw. Default is no.
> >
> > cheers, Ian
>
> On 192.168.20.0/24 the network was set up solely as a test network. It is
> comprised of two load-generating machines on either side (192.168.20.20
> and 192.168.20.25), and a FreeBSD 10 machine in the middle which has a
> double-headed fibre NIC bridged to connect both machines through the
> FreeBSD 10 machine.
>
> # sysctl net.link.bridge.ipfw
> net.link.bridge.ipfw: 1
>
> # sysctl net.link.ether.ipfw
> net.link.ether.ipfw: 0
>
> Furthermore, I am unable to find a good guide or reference material to
> sysctl options.

Jack, I'm posting this back to the list.

I haven't set up a filtering bridge since about 2005, and that was with the old bridge(?) on FreeBSD 4.8 and 4.10, rather than if_bridge(4). I really can't recall whether net.link.ether.ipfw also needed to be set.

Since 'bridged' is a synonym for 'layer2', I'm not clear from ipfw(8) either .. nor from if_bridge(4), especially regarding use of the net.link.bridge.pfil_* sysctls - but some people here will know ..

cheers, Ian
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
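An added example, written for this thread rather than taken from it or from FreeBSD: a POSIX sh triage that checks the two things Ian asks about, the bridge/ether sysctl values and the zero packet counters on the deny rules in the quoted "ipfw show" output. The values quoted in the thread are embedded as constructed samples; the pfil_* values and all function names are assumptions.

```shell
# Added example, not from the thread: offline triage of the bridge/ether
# sysctls and the per-rule counters from "ipfw show". On a live FreeBSD box
# replace the samples with real `sysctl net.link.bridge` and `ipfw show` output.

# Constructed sysctl output: bridge.ipfw=1 and ether.ipfw=0 as Jack reported;
# the pfil_* lines are assumed values, not quoted in the thread.
SYSCTL_SAMPLE='net.link.bridge.ipfw: 1
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.ether.ipfw: 0'

# Excerpt of the "ipfw show" output quoted in the thread: rule, packets, bytes, body.
IPFW_SAMPLE='01700 0 0 deny ip from 192.168.20.0/24 to any
01800 0 0 deny ip from any to 192.168.20.0/24
65535 9227 11389032 allow ip from any to any'

# sysctl_val NAME: value of NAME in $SYSCTL_SAMPLE, empty if absent.
sysctl_val() {
    printf '%s\n' "$SYSCTL_SAMPLE" | awk -v k="$1:" '$1 == k { print $2 }'
}

# unhit_deny_rules: space-separated numbers of deny rules still at 0 packets.
# Deny rules at 0 while the default rule keeps counting is the thread's
# symptom: the bridged frames never get evaluated against those rules.
unhit_deny_rules() {
    printf '%s\n' "$IPFW_SAMPLE" |
        awk '$4 == "deny" && $2 == 0 { s = s (s ? " " : "") $1 } END { print s }'
}

# bridge_filter_status: which path, if any, lets bridged frames reach ipfw,
# per the knobs documented in if_bridge(4).
bridge_filter_status() {
    if [ "$(sysctl_val net.link.bridge.ipfw)" = 1 ]; then
        echo "layer2-ipfw"   # bridge hands frames to ipfw for layer-2 filtering
    elif [ "$(sysctl_val net.link.bridge.pfil_member)" = 1 ] ||
         [ "$(sysctl_val net.link.bridge.pfil_bridge)" = 1 ]; then
        echo "pfil-hooks"    # IP packets filtered via pfil(9) on member/bridge ifaces
    else
        echo "unfiltered"    # nothing on the bridge path hands packets to ipfw
    fi
}

report() {
    echo "bridge path: $(bridge_filter_status)"
    unhit=$(unhit_deny_rules)
    [ -n "$unhit" ] && echo "deny rules never hit: $unhit"
    return 0
}
report
```

With the sampled values it reports the layer-2 ipfw path and lists 01700 and 01800 as never hit, which is exactly the combination to explain before touching the ruleset.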