Re: Network bridge on current.

2000-09-28 Thread Peter S. Housel

> I am wondering how to do network bridging on current.  The description
> in the handbook seems to be out of date as the sysctl OIDs are no longer
> in evidence.  Does loading ng_bridge substitute for building the kernel
> with OPTIONS BRIDGE?

Excuse my ignorance (and curiosity), but wouldn't it be cheaper to
just buy a switch?

Cheers,
-Peter S. Housel-  [EMAIL PROTECTED]  http://members.home.com/housel/



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: Network bridge on current.

2000-09-28 Thread Boyd R. Faulkner

On Thu, Sep 28, 2000 at 12:11:54AM -0700, Peter S. Housel wrote:
> > I am wondering how to do network bridging on current.  The description
> > in the handbook seems to be out of date as the sysctl OIDs are no longer
> > in evidence.  Does loading ng_bridge substitute for building the kernel
> > with OPTIONS BRIDGE?
>
> Excuse my ignorance (and curiosity), but wouldn't it be cheaper to
> just buy a switch?
>
> Cheers,
> -Peter S. Housel-  [EMAIL PROTECTED]  http://members.home.com/housel/

I intend to use it as a firewall.  The switch will live behind it.

Boyd

-- 
Boyd Faulkner   "...but the chocolate at
   [EMAIL PROTECTED]  Rumpelmayer's is great..."
http://asgard.hos.net/~faulkner -- A. Crowley  Book of Lies 
   1011101






Re: Network bridge on current.

2000-09-28 Thread Julian Elischer

h,

 netgraph's bridging code is more direct but it can not 
do IP filtering on the packets that are en-route. This is because it
is a purely MAC-layer service.

I am not sure about Luigi's bridging code. I know the dummynet stuff
seems to connect with the ipfw code but I don't think that the 
bridge code does... (I may be wrong) So I don't know how you plan on
filtering the bridged segments..





Re: Network bridge on current.

2000-09-28 Thread Dan Nelson

In the last episode (Sep 28), Julian Elischer said:
> On Thu, 28 Sep 2000, Boyd R. Faulkner wrote:
> > On Thu, Sep 28, 2000 at 12:11:54AM -0700, Peter S. Housel wrote:
> > > On Thu, 28 Sep 2000, Boyd R. Faulkner wrote:
> > > > I am wondering how to do network bridging on current.  The
> > > > description in the handbook seems to be out of date as the
> > > > sysctl OIDs are no longer in evidence.  Does loading ng_bridge
> > > > substitute for building the kernel with OPTIONS BRIDGE?
> > >
> > > Excuse my ignorance (and curiosity), but wouldn't it be cheaper
> > > to just buy a switch?
> >
> > I intend to use it as a firewall.  The switch will live behind it.
>
> I am not sure about Luigi's bridging code. I know the dummynet stuff
> seems to connect with the ipfw code but I don't think that the bridge
> code does... (I may be wrong) So I don't know how you plan on
> filtering the bridged segments..

ipfw definitely supports filtering bridged packets;  there's even a
"bridge" keyword to match them explicitly.

-- 
Dan Nelson
[EMAIL PROTECTED]





Re: Network bridge on current.

2000-09-28 Thread Bill Fumerola

On Thu, Sep 28, 2000 at 12:38:40AM -0700, Julian Elischer wrote:

> I am not sure about Luigi's bridging code. I know the dummynet stuff
> seems to connect with the ipfw code but I don't think that the
> bridge code does... (I may be wrong) So I don't know how you plan on
> filtering the bridged segments..

You are wrong, but we'll forgive you. :-

from bridge(4):

 net.link.ether.bridge_ipfw

 Set to 1 to enable ipfw filtering on bridged packets.  Note that ipfw
 rules only apply to IP packets.

from ipfw(8):

 Each incoming or outgoing packet is passed through the ipfw rules.  If
 host is acting as a gateway, packets forwarded by the gateway are
 processed by ipfw twice.  In case a host is acting as a bridge, packets
 forwarded by the bridge are processed by ipfw once.

the 'bridged' keyword can be used to match only bridged packets, so:

ipfw add allow tcp from any to any 22 setup bridged
ipfw add allow tcp from any 22 to any established bridged

would allow ssh over a bridge, but in the absence of other rules, wouldn't
allow it to the actual machine (or if the machine is also a router(?!) it
wouldn't route ssh sessions either.)

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
[EMAIL PROTECTED] / [EMAIL PROTECTED]
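
The rule pair in the message above can be traced with a small first-match model of ipfw; this is an added example, not part of the original post and not ipfw's own code. It assumes TCP over IP only, a default rule of deny, and a constructed client port 40000; the third rule in `FIXED` is an assumption added here. The trace shows that the two posted rules pass the SYN and the SYN-ACK across the bridge but not the client's following ACK to port 22, and that none of the `bridged` rules admit traffic addressed to the bridging host itself.

```python
from dataclasses import dataclass
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits

@dataclass
class Packet:
    sport: int
    dport: int
    flags: int
    bridged: bool   # True: forwarded by the bridge; False: to or from the host itself

@dataclass
class Rule:
    action: str
    sport: Optional[int] = None   # None means "any"
    dport: Optional[int] = None
    setup: bool = False           # SYN set, ACK clear
    established: bool = False     # ACK or RST set
    bridged: bool = False         # match bridged packets only

    def matches(self, p: Packet) -> bool:
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.setup and not (p.flags & SYN and not p.flags & ACK):
            return False
        if self.established and not p.flags & (ACK | RST):
            return False
        return p.bridged or not self.bridged

def evaluate(rules, pkt):
    """First matching rule wins; otherwise the assumed default deny applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# The two rules from the post.
POSTED = [Rule("allow", dport=22, setup=True, bridged=True),
          Rule("allow", sport=22, established=True, bridged=True)]
# Assumption added here: allow tcp from any to any 22 established bridged
FIXED = POSTED + [Rule("allow", dport=22, established=True, bridged=True)]

def handshake_verdicts(rules, bridged, client_port=40000):
    """Verdicts for SYN, SYN-ACK and ACK of a constructed ssh handshake."""
    pkts = [Packet(client_port, 22, SYN, bridged),
            Packet(22, client_port, SYN | ACK, bridged),
            Packet(client_port, 22, ACK, bridged)]
    return [evaluate(rules, p) for p in pkts]

if __name__ == "__main__":
    print("posted, bridged:", handshake_verdicts(POSTED, True))
    print("fixed,  bridged:", handshake_verdicts(FIXED, True))
    print("fixed,  to host:", handshake_verdicts(FIXED, False))
```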







Re: Network bridge on current.

2000-09-28 Thread Boyd R. Faulkner

Alas, net.link.ether.bridge(_ipfw) are no longer settable via sysctl.  That is
my main problem.  I cannot do what the documentation says.  Unfortunately,
I cannot even test what I have until tonight as the machine for the other
side of the bridge has no video.  I stole it, AGP, to replace the PCI
card so I would have room for another network card.

Thanks again,
Boyd

Boyd

-- 
Boyd Faulkner   "...but the chocolate at
   [EMAIL PROTECTED]  Rumpelmayer's is great..."
http://asgard.hos.net/~faulkner -- A. Crowley  Book of Lies 
   1011101






Re: Network bridge on current.

2000-09-28 Thread Siobhan Patricia Lynch

On Thu, 28 Sep 2000, Julian Elischer wrote:

I would assume that code hasn't changed, it works with ipfw, man bridge:

 options BRIDGE

 in the kernel config file, and is controlled by two sysctl variables:

 net.link.ether.bridge

 Set to 1 to enable bridging, set to 0 to disable it

 net.link.ether.bridge_ipfw


I assume he's trying to mimic my slashdot kludge, which I wouldn't
recommend unless the issue is you can't change the network topology.

-Trish


__

Trish Lynch
FreeBSD - The Power to Serve[EMAIL PROTECTED]
Rush Networking [EMAIL PROTECTED]
VA Linux Systems[EMAIL PROTECTED]
O|S|D|N [EMAIL PROTECTED]
---

"I said 'If love has these conditions, 
 I don't understand those songs you love.'
 She said 'This is not a love song
 This isn't fantasyland.'"
-Rush, Cold Fire






Re: Network bridge on current.

2000-09-28 Thread Siobhan Patricia Lynch

On Thu, 28 Sep 2000, Siobhan Patricia Lynch wrote:

uhoh, on a related note, I missed something, the sysctl's have been taken
out? I definitely missed something. when did this happen?

-Trish


 

__

Trish Lynch
FreeBSD - The Power to Serve[EMAIL PROTECTED]
Rush Networking [EMAIL PROTECTED]
VA Linux Systems[EMAIL PROTECTED]
O|S|D|N [EMAIL PROTECTED]
---

"Can't let them rape me again
 Your venom's not family here
 won't let them fill me with
 fatalistic remedies"
-Dream Theater, Scarred






Re: Network bridge on current.

2000-09-28 Thread Boyd R. Faulkner

Never mind.  I had not updated the boot blocks and was not running the
right kernel.  That was an adventure!

Sorry for the noise and thanks.
Boyd

Boyd

-- 
Boyd Faulkner   "...but the chocolate at
   [EMAIL PROTECTED]  Rumpelmayer's is great..."
http://asgard.hos.net/~faulkner -- A. Crowley  Book of Lies 
   1011101


