On Fri, 22 Dec 2000, Joost Bekkers wrote:

> 
> >Submitter-Id:   current-users
> >Originator:     Joost Bekkers
> >Organization:   
> >Confidential:   no 
> >Synopsis:       bridge/firewall doesn't work as in bridge(4)
> >Severity:       serious
> >Priority:       medium
> >Category:       kern
> >Release:        FreeBSD 4.2-RELEASE i386
> >Class:          sw-bug
> >Environment: 
> 
>       4.2 RELEASE with the options BRIDGE and IPFIREWALL.
> 
> >Description: 
> 
>       When using a kernel with BRIDGE and IPFIREWALL and not
>       IPFIREWALL_DEFAULT_TO_ACCEPT, bridge(4) states all non-ip
>       packets will not be forwarded. This is not true! All non-ip
>       packets will be forwarded regardless of the firewall.

If anything, this is a bug in the man page. What the page really should
imply is that the 65536 rule at the end applies to ALL packets, not just
IP ones. If you set default to accept, then all non-IP will be
accepted. If you don't, then all non-IP will be rejected.

>   BRIDGE                      opt_bdg.h
> + BRIDGE_IP_ONLY              opt_bdg.h
> + BRIDGE_ALLOW_ARP    opt_bdg.h
> + BRIDGE_ALLOW_RARP   opt_bdg.h
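Review bot: the three options are only declared here; none of the kernel code that would test BRIDGE_IP_ONLY, BRIDGE_ALLOW_ARP or BRIDGE_ALLOW_RARP is part of the quoted patch, so their actual effect on bridged non-IP frames cannot be reviewed from this hunk, and the submitter should post the bridge-code side as well. Compile-time knobs for two hard-coded protocols are also a weaker design than the existing run-time, per-Ethernet-protocol-number control the reply points to, so the better fix may be a man-page correction rather than new options. Minor: the two BRIDGE_ALLOW_* lines are not aligned with the BRIDGE and BRIDGE_IP_ONLY lines above them; match the column layout of the surrounding file.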

This can be done at run-time on a per-Ethernet-protocol-number basis. See
the top of src/etc/rc.firewall.
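
As an added example (not code from the original message, from FreeBSD's bridge code, or from ipfw), a small C model of the decision the reply describes: explicit per-ethertype pass rules are checked first, then a single default rule decides every remaining frame whether or not it carries IP, which is the point about rule 65536. The policy structure, the POLICY_* tables, the helper names and the constructed frames are all invented for the illustration; real IP packets would additionally traverse the full ipfw rule set, which this model leaves out.

```c
/* Added model of the bridge/firewall decision discussed in the thread.
 * Not FreeBSD's bridge.c or ipfw: policies, names and frames are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_IP    0x0800
#define ETHERTYPE_ARP   0x0806
#define ETHERTYPE_RARP  0x8035
#define ETHER_HDR_LEN   14
#define MAX_ALLOWED     8

enum action { DROP = 0, FORWARD = 1 };

/* Hypothetical run-time policy: explicit per-ethertype pass rules, then one
 * default rule.  The default stands in for rule 65536 and, as the reply says,
 * it applies to every frame, not only to IP. */
struct policy {
    uint16_t    allowed[MAX_ALLOWED];
    size_t      nallowed;
    enum action dflt;
};

/* IPFIREWALL without IPFIREWALL_DEFAULT_TO_ACCEPT: nothing passes by default. */
static const struct policy POLICY_DEFAULT_DENY   = { {0}, 0, DROP };
/* IPFIREWALL_DEFAULT_TO_ACCEPT: the default rule passes everything. */
static const struct policy POLICY_DEFAULT_ACCEPT = { {0}, 0, FORWARD };
/* Default deny, with ARP and RARP passed by explicit per-ethertype rules. */
static const struct policy POLICY_DENY_EXCEPT_ARP =
    { {ETHERTYPE_ARP, ETHERTYPE_RARP}, 2, DROP };

/* Read the ethertype/length field; -1 if the frame is shorter than a header. */
static int frame_ethertype(const uint8_t *frame, size_t len, uint16_t *type)
{
    if (frame == NULL || len < ETHER_HDR_LEN)
        return -1;
    *type = (uint16_t)((frame[12] << 8) | frame[13]);
    return 0;
}

/* An explicit pass rule wins; otherwise the default rule decides, whatever
 * the ethertype.  Field values below 0x0600 are 802.3 length fields, not
 * ethertypes, so they can never match an explicit rule and always fall
 * through to the default.  Truncated frames fail closed. */
enum action bridge_decide(const struct policy *p, const uint8_t *frame, size_t len)
{
    uint16_t type;

    if (frame_ethertype(frame, len, &type) != 0)
        return DROP;
    if (type >= 0x0600)
        for (size_t i = 0; i < p->nallowed; i++)
            if (p->allowed[i] == type)
                return FORWARD;
    return p->dflt;
}

/* Build a constructed 60-byte frame of the given ethertype, payload zeroed. */
size_t make_frame(uint8_t *buf, size_t cap, uint16_t type)
{
    static const uint8_t dst[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    static const uint8_t src[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
    const size_t len = 60;

    if (cap < len)
        return 0;
    memset(buf, 0, len);
    memcpy(buf, dst, 6);
    memcpy(buf + 6, src, 6);
    buf[12] = (uint8_t)(type >> 8);
    buf[13] = (uint8_t)(type & 0xff);
    return len;
}

/* Decide on a freshly built frame of the given type. */
enum action decide_type(const struct policy *p, uint16_t type)
{
    uint8_t frame[64];
    size_t len = make_frame(frame, sizeof frame, type);
    return bridge_decide(p, frame, len);
}

/* Decide on a frame too short to carry an ethertype (6 bytes). */
enum action decide_truncated(const struct policy *p)
{
    uint8_t frame[64];
    make_frame(frame, sizeof frame, ETHERTYPE_IP);
    return bridge_decide(p, frame, 6);
}

int main(void)
{
    const uint16_t types[] = { ETHERTYPE_IP, ETHERTYPE_ARP, ETHERTYPE_RARP,
                               0x8137 /* IPX */, 0x0100 /* 802.3 length */ };
    const struct { const char *name; const struct policy *p; } pols[] = {
        { "default deny",        &POLICY_DEFAULT_DENY },
        { "default accept",      &POLICY_DEFAULT_ACCEPT },
        { "deny, pass ARP/RARP", &POLICY_DENY_EXCEPT_ARP },
    };

    for (size_t i = 0; i < sizeof pols / sizeof pols[0]; i++) {
        printf("%-22s:", pols[i].name);
        for (size_t j = 0; j < sizeof types / sizeof types[0]; j++)
            printf(" 0x%04x=%s", types[j],
                   decide_type(pols[i].p, types[j]) == FORWARD ? "fwd" : "drop");
        printf("\n");
    }
    return 0;
}
```

Run it and the three rows show the behaviour the reply describes: with a default-deny rule set, ARP and every other non-IP type is dropped unless a per-ethertype pass rule exists; with default-accept, all of them are forwarded. The 802.3 length case and the truncated frame are included because a real filter has to decide those too, and the model chooses to let the former fall to the default rule and to drop the latter.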



