5.4 -- bridging, ipfw, dot1q

2005-08-11 Thread Dan Mahoney, System Admin
Okay, here's the situation.  PLEASE let me know if there's a better place 
to ask.  (isp@, kernel@, something)


I'm setting up a bridging firewall where the packets are passing through 
on dot1q trunks.


The bridge works.  Packet counts work (so I assume the bridge at least 
sees the packets).


Problem is, any reasonable rules (such as those which actually say to 
block traffic by ip or port or anything) aren't working at all.  Not even 
logging counts.


Setting the bridged flag doesn't seem to help.

My only guess is that ipfw doesn't have the brains to look beyond the VLAN 
tags.  Is this the case?  Is this supported under 4.x, or is there any way 
AT ALL that I can get this to work?


As a note, snort and trafshow and everything else work fine analyzing the 
bridge traffic, it seems only the kernel has an issue.


--

Of course she's gonna be upset!  You're dealing with a woman here Dan, 
what the hell's wrong with you?


-S. Kennedy, 11/11/01

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: 5.4 -- bridging, ipfw, dot1q

2005-08-11 Thread Glenn Dawson

At 09:08 PM 8/11/2005, Dan Mahoney, System Admin wrote:
Okay, here's the situation.  PLEASE let me know if there's a better place 
to ask.  (isp@, kernel@, something)


I'm setting up a bridging firewall where the packets are passing through 
on dot1q trunks.


The bridge works.  Packet counts work (so I assume the bridge at least 
sees the packets).


Problem is, any reasonable rules (such as those which actually say to 
block traffic by ip or port or anything) aren't working at all.  Not even 
logging counts.


Setting the bridged flag doesn't seem to help.


Which bridged flag would that be?


My only guess is that ipfw doesn't have the brains to look beyond the VLAN 
tags.  Is this the case?  Is this supported under 4.x, or is there any way 
AT ALL that I can get this to work?


What version are you using?  You mention 4.x here, but your subject line 
suggests 5.4.



As a note, snort and trafshow and everything else work fine analyzing the 
bridge traffic, it seems only the kernel has an issue.


Do you have the net.link.ether.bridge_ipfw sysctl set to 1?

-Glenn



Re: 5.4 -- bridging, ipfw, dot1q

2005-08-11 Thread Dan Mahoney, System Admin

On Thu, 11 Aug 2005, Glenn Dawson wrote:


At 09:08 PM 8/11/2005, Dan Mahoney, System Admin wrote:
Okay, here's the situation.  PLEASE let me know if there's a better place 
to ask.  (isp@, kernel@, something)


I'm setting up a bridging firewall where the packets are passing through on 
dot1q trunks.


The bridge works.  Packet counts work (so I assume the bridge at least sees 
the packets).


Problem is, any reasonable rules (such as those which actually say to 
block traffic by ip or port or anything) aren't working at all.  Not even 
logging counts.


Setting the bridged flag doesn't seem to help.


Which bridged flag would that be?


In the ipfw rule in question (which the ipfw command turns into layer2)

i.e.

fw# ipfw add 310 count ip from any to 56.199.242.178 bridged
00310 count ip from any to 56.199.242.178 layer2

fw# ipfw show
00200          0            0 deny udp from any to any dst-port 1433
00300        971        47200 deny tcp from any to any dst-port 1433
00310          0            0 count ip from any to 56.199.242.178 layer2
00330  144629234  70747652177 count ip from any to any layer2
00340          0            0 count ip from any to 56.199.242.82 layer2
00350    1146497    505249814 count ip from any to 55.125.224.0/19 via em1
00360  154009046  73153382415 allow log logamount 100 ip from any to any
65535 1078777549 484619628567 allow ip from any to any

(such a rule would report zero traffic, even when trafshow, snort, tcpdump 
all show there's a ton).


My only guess is that ipfw doesn't have the brains to look beyond the VLAN 
tags.  Is this the case?  Is this supported under 4.x, or is there any way 
AT ALL that I can get this to work?


What version are you using?  You mention 4.x here, but your subject line 
suggests 5.4.


Yes, I'm running 5.4, but asking if it may have been supported earlier on 
in the OS (with ipfw1 -- since I know it lacks the ability to even really 
do many mac-like things).


As a note, snort and trafshow and everything else work fine analyzing the 
bridge traffic, it seems only the kernel has an issue.


Do you have the net.link.ether.bridge_ipfw sysctl set to 1?


fw# sysctl -a|grep net|grep ipfw
net.link.ether.bridge.ipfw: 1
net.link.ether.bridge.ipfw_drop: 0
net.link.ether.bridge.ipfw_collisions: 1021
net.link.ether.bridge_ipfw: 1
net.link.ether.ipfw: 0

Need anything else?

-Dan

--

The first annual 5th of July party...have you been invited?
It's a Jack Party.
Okay, so Long Island's been invited.

--Cali and Gushi, 6/23/02


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

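The working hypothesis in this thread, a layer2 classifier that reads the EtherType straight after the two MAC addresses and therefore sees 0x8100 (the 802.1Q TPID) instead of 0x0800 on a dot1q trunk, is easy to model. The program below is an added illustration written for this page; it is not FreeBSD or ipfw source and does not establish how ipfw on 5.4 actually behaves. It constructs a tagged and an untagged IPv4 frame addressed to 56.199.242.178, the address from the count rule above (the MAC addresses, VLAN ID 100 and source address 10.0.0.1 are made up), and evaluates a destination-address match with and without 802.1Q awareness. A rule carrying no address or port options, like the `count ip from any to any layer2` line, never has to locate an IP header, which is why in this model it counts every frame while the address-specific rule stays at zero.

```c
/* Added example, not ipfw or FreeBSD code: a tag-unaware vs. tag-aware
 * Ethernet classifier applied to constructed 802.1Q-tagged IPv4 frames. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_VLAN 0x8100   /* 802.1Q TPID */
#define ETHER_HDR_LEN  14

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Locate the IPv4 header. Returns 1 and sets *ip_off on success, 0 otherwise.
 * With vlan_aware == 0 the EtherType is read at offset 12 and a tagged frame
 * shows 0x8100, so it is treated as non-IP; with vlan_aware == 1 each 4-byte
 * 802.1Q tag (TPID + TCI) is skipped before the EtherType is examined. */
static int find_ipv4(const uint8_t *f, size_t len, int vlan_aware, size_t *ip_off)
{
    size_t off = 12;                         /* EtherType follows dst+src MAC */
    if (len < ETHER_HDR_LEN) return 0;
    uint16_t et = rd16(f + off);
    while (vlan_aware && et == ETHERTYPE_VLAN) {
        off += 4;
        if (off + 2 > len) return 0;
        et = rd16(f + off);
    }
    if (et != ETHERTYPE_IP) return 0;
    off += 2;
    if (off + 20 > len || (f[off] >> 4) != 4) return 0;  /* minimal IPv4 header, version 4 */
    *ip_off = off;
    return 1;
}

/* Equivalent of "count ip from any to <dst>": matches only an IPv4 frame
 * whose destination address is dst. */
static int match_dst(const uint8_t *f, size_t len, int vlan_aware, const uint8_t dst[4])
{
    size_t ip;
    if (!find_ipv4(f, len, vlan_aware, &ip)) return 0;
    return memcmp(f + ip + 16, dst, 4) == 0;  /* IPv4 dst address at offset 16 */
}

/* Equivalent of "count ip from any to any": no IP options, so every frame
 * matches regardless of whether an IP header can be found. */
static int match_any(const uint8_t *f, size_t len)
{
    (void)f;
    return len >= ETHER_HDR_LEN;
}

/* Build a minimal IPv4-in-Ethernet frame, optionally 802.1Q tagged.
 * All addresses are constructed for the example. Returns the frame length. */
static size_t build_frame(uint8_t *buf, int tagged, uint16_t vid, const uint8_t dst[4])
{
    size_t off = 0;
    memset(buf + off, 0xaa, 6); off += 6;        /* dst MAC (made up) */
    memset(buf + off, 0xbb, 6); off += 6;        /* src MAC (made up) */
    if (tagged) {
        buf[off++] = 0x81; buf[off++] = 0x00;    /* TPID 0x8100 */
        buf[off++] = (uint8_t)(vid >> 8);        /* PCP=0, DEI=0, VID high bits */
        buf[off++] = (uint8_t)vid;               /* VID low byte */
    }
    buf[off++] = 0x08; buf[off++] = 0x00;        /* EtherType IPv4 */
    uint8_t iph[20] = {0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1};
    memcpy(iph + 16, dst, 4);                    /* destination address */
    memcpy(buf + off, iph, 20); off += 20;
    return off;
}

static const uint8_t TARGET[4] = {56, 199, 242, 178};  /* address from the thread */

/* Tagged frame (VLAN 100) to TARGET, evaluated against the dst rule. */
int tagged_frame_matches(int vlan_aware)
{
    uint8_t buf[64];
    size_t n = build_frame(buf, 1, 100, TARGET);
    return match_dst(buf, n, vlan_aware, TARGET);
}

/* Untagged frame to TARGET, evaluated against the dst rule. */
int untagged_frame_matches(int vlan_aware)
{
    uint8_t buf[64];
    size_t n = build_frame(buf, 0, 0, TARGET);
    return match_dst(buf, n, vlan_aware, TARGET);
}

/* Tagged frame against the catch-all rule: counts whether or not the tag is understood. */
int tagged_frame_matches_any(void)
{
    uint8_t buf[64];
    size_t n = build_frame(buf, 1, 100, TARGET);
    return match_any(buf, n);
}

int main(void)
{
    printf("tagged frame,   tag-unaware dst rule: %d\n", tagged_frame_matches(0));
    printf("tagged frame,   tag-aware dst rule:   %d\n", tagged_frame_matches(1));
    printf("untagged frame, tag-unaware dst rule: %d\n", untagged_frame_matches(0));
    printf("tagged frame,   catch-all rule:       %d\n", tagged_frame_matches_any());
    return 0;
}
```

Compile with `cc -Wall -o vlan_match vlan_match.c` and run it. The pattern it reproduces is the one visible in the `ipfw show` output above: layer2 rules with address options sitting at zero next to a `from any to any layer2` counter in the hundreds of millions. That combination, on a trunk where tcpdump or snort plainly see IP traffic, is the signature of a classifier that stops at the 802.1Q tag; whether that is what ipfw on 5.4 does is exactly the question the thread leaves open.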