Re: ipfw2 filtering on bridge
Ben wrote:

> I'm sorry, I can't send this to the list because my messages to the list bounce because reverse DNS isn't set up.

No worries, thanks a lot for answering.

> This is funny, I just set this up for the first time yesterday except I set everything up to have no IP addresses so that the firewall would be invisible to anyone.
>
> I think I see what is wrong with your setup... You've got to change net.link.ether.bridge_ipfw=1 to net.link.ether.bridge.ipfw=1 in /etc/sysctl.conf. The handbook (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html) says that net.link.ether.bridge_ipfw=1 was updated in 5.2-RELEASE.
>
> net.link.ether.bridge.enable=1
> net.link.ether.bridge.config=fxp0,fxp1
> net.link.ether.bridge_ipfw=1

# sysctl net.link.ether.bridge.ipfw=1
net.link.ether.bridge.ipfw: 1 -> 1
#
# ipfw add deny icmp from any to any
00100 deny icmp from any to any
#
# ipfw show
00100 0 0 deny icmp from any to any
65535 931748 651891769 allow ip from any to any
#
PING EXT_IP_BEHIND_BRIDGE: 56 data bytes
64 bytes from EXT_IP_BEHIND_BRIDGE: icmp_seq=0 ttl=233 time=74.399 ms
64 bytes from EXT_IP_BEHIND_BRIDGE: icmp_seq=1 ttl=233 time=106.194 ms

Seems not to be working :(

Yours,
--
Alin-Adrian Anton
GPG keyID 0x183087BA (B129 E8F4 7B34 15A9 0785 2F7C 5823 ABA0 1830 87BA)
gpg --keyserver pgp.mit.edu --recv-keys 0x183087BA

It is dangerous to be right when the government is wrong. - Voltaire

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
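The thread turns on one sysctl key being spelled with an underscore instead of a dot, which is easy to miss by eye. The following POSIX sh script is an added example, not code from the thread or from FreeBSD: it lints a sysctl.conf-style text for the three bridge knobs named above, flags the obsolete net.link.ether.bridge_ipfw spelling, reports when bridge.enable or bridge.ipfw is not set to 1, and can rewrite the old key. The two sample configs are constructed for the example (the first mirrors the original post); it only inspects text, so it runs anywhere without sysctl or ipfw present.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a sysctl.conf-style text for
# the filtering-bridge knobs discussed above. The key names are the ones the
# thread uses; the sample configs at the bottom are constructed.

strip_comments() {
    # Drop '#' comments and blank lines from the config text on stdin.
    sed 's/#.*//' | grep -v '^[[:space:]]*$'
}

has_setting() {
    # $1: config text, $2: key, $3: required value. True if "key=value" is present.
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$1" | strip_comments |
        grep -q "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*$3[[:space:]]*\$"
}

check_bridge_sysctl() {
    # $1: config text. Prints one line per finding; returns 1 if anything is wrong.
    status=0
    if printf '%s\n' "$1" | strip_comments |
        grep -q '^[[:space:]]*net\.link\.ether\.bridge_ipfw[[:space:]]*='; then
        echo "obsolete key net.link.ether.bridge_ipfw: rename to net.link.ether.bridge.ipfw"
        status=1
    fi
    if ! has_setting "$1" net.link.ether.bridge.enable 1; then
        echo "net.link.ether.bridge.enable=1 missing: bridging is off"
        status=1
    fi
    if ! has_setting "$1" net.link.ether.bridge.ipfw 1; then
        echo "net.link.ether.bridge.ipfw=1 missing: bridged packets are not passed to ipfw"
        status=1
    fi
    return $status
}

fix_bridge_sysctl() {
    # $1: config text. Prints it with the obsolete key renamed, everything else untouched.
    printf '%s\n' "$1" |
        sed 's/^\([[:space:]]*\)net\.link\.ether\.bridge_ipfw\([[:space:]]*=\)/\1net.link.ether.bridge.ipfw\2/'
}

# Constructed sample: the sysctl.conf lines from the original post (old spelling).
BAD_CONF='net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,vr0
net.link.ether.bridge_ipfw=1   # old spelling'

# Constructed sample: the same file with the key renamed by hand.
GOOD_CONF='net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,vr0
net.link.ether.bridge.ipfw=1'

echo "== original sysctl.conf =="
check_bridge_sysctl "$BAD_CONF" || echo "(problems found)"
echo "== after fix_bridge_sysctl =="
check_bridge_sysctl "$(fix_bridge_sysctl "$BAD_CONF")" && echo "(ok)"
```

Running the script prints the two findings for the original file (obsolete key, and therefore no bridge.ipfw=1) and "(ok)" once the key has been renamed. Note that a passing lint only proves the file is spelled right; the running value still has to be confirmed with sysctl, as the reply above does.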
ipfw2 filtering on bridge
Hi there,

I've been running into some problems with what is supposed to be a filtering bridge with IPFW, on FreeBSD 5.4-REL0.

IPFW has been compiled into the kernel:

options BRIDGE
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT

along with the bridging capability. No other firewalling mechanisms are enabled.

The bridge is configured and working:

net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,vr0
net.link.ether.bridge_ipfw=1

fxp0 is Internet; vr0 is a server with an external IP, called EXT_IP.

I tried blocking with a trivial ruleset:

00100 0 0 deny icmp from any to any
65535 8518 584248 allow ip from any to any

However, pinging through the bridge, from the Internet, works without fear:

64 bytes from EXT_IP: icmp_seq=0 ttl=233 time=85.994 ms
64 bytes from EXT_IP: icmp_seq=1 ttl=233 time=96.220 ms

If anyone could help me a bit, I'd be really thankful. Thanks for the time.

Yours Sincerely,
--
Alin-Adrian Anton
GPG keyID 0x183087BA (B129 E8F4 7B34 15A9 0785 2F7C 5823 ABA0 1830 87BA)
gpg --keyserver pgp.mit.edu --recv-keys 0x183087BA

It is dangerous to be right when the government is wrong. - Voltaire