On Fri, 6 Jul 2007, Dave McCammon wrote:
> I can't seem to grasp why this is working differently.
> FreeBSD 6.2 using ipfw + if_bridge
>
> LAN -- em1(if_bridge + ipfw)em0 -- internet
>
> I am at xx.xx.16.6 and try to ping say www.yahoo.com
>
> in ruleset:
> 1100 allow icmp from any to xx.xx.16.0/27{1-10,13,14,19,22,23} icmptypes 0,3,11,12,13,14
> 2100 allow ip from xx.xx.16.0/27 to any in via em1
>Seeing no one more knowledgeable has had a go, and with the caveat that
>I've never set up an if_bridge(4) but still maintain a bridge(4)+ipfw ..
Thank you.
>Rule 2100 lets your ping in, and 1100 allows the response (in and out)
> gets dropped by following rule as shown in logs:
>
> 4700 deny log ip from any to any
>
> Log entry: ipfw: 4700 Deny ICMP:8.0 xx.xx.16.6 69.147.114.210 out via em0
>Denied because you have no rule letting it go out, it seems.
It's the "out via em0" that I am questioning, which I believe shouldn't be happening.
It seems that ipfw+if_bridge works differently with ICMP than ipfw_bridge(4).
Rule 2100 should allow the packet through (I read the rule as: "it is ok since it came in em1").
Other rules just like this (in via em1) work with tcp and udp.
example:
allow tcp from xx.xx.16.0/27 to any in via em1 setup keep-state
if the packet came from xx.xx.16.0/27 network and came "in" the em1 interface, then pass the packet.
It just seems the ICMP gets dropped, which, I am assuming, rule 2100 should have allowed through the firewall.
> If I add this rule all works great:
>
> 2101 allow icmp from xx.xx.16.0/27 to any recv em1
>Which allows it both in and out (neither specified)
This should allow the packet because it came through the receiving interface on interface em1.
This is really my questioning: Why is it that "in via em1" doesn't work on ICMP but changing or adding a similar rule with "recv em1" will pass the ICMP.
allow ip from 157.91.16.0/27 to any in via em1 > legit "passing_thru" ICMP gets dropped with if_bridge but not with bridge(4)
allow ip from 157.91.16.0/27 to any recv em1 > passes the "passing_thru" ICMP using if_bridge
> Why would the "recv em1" work and the "in via em1" get blocked?
>
> I just changed from using bridge(4) to if_bridge using the same ruleset.
>Only inbound bridged packets are passed to ipfw from bridge(4) .. once
>allowed in, they go out. My reading of if_bridge(4) suggests that ipfw
>(etc) may also be examining outbound bridged packets, depending on the
>sysctls. How have you got the sysctls mentioned in if_bridge(4) set?
My sysctl.conf variables:
net.link.bridge.ipfw=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_bridge=0
net.link.bridge.ipfw_arp=1
> The rest of my ruleset seems to be working fine but this problem is causing me a little paranoia about the effectiveness of the firewall.
>
> Also, should I still be seeing "deny (snip) in via bridge0" messages in my logs if I have this set "net.link.bridge.pfil_bridge: 0"?
Thanks again,
Dave
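The two-pass behaviour the replies above describe (rule 2100 admitting the packet on em1, rule 4700 denying it "out via em0", and a "recv em1" rule matching on both passes), as an added example that is not part of the thread and not ipfw code: a small Python model of how "in via", "recv" and keep-state rules are matched on each pass. Interface names and rule numbers 1100/2100/2101/4700 follow the thread; the addresses, the TCP rule number 2000 and the matcher itself are constructed simplifications.

```python
# Added example (not from the thread or FreeBSD): toy model of why "in via em1"
# matches only the input pass of a bridged packet but "recv em1" matches both.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# A packet as ipfw sees it on one pfil pass: direction/via are the current pass,
# recv is the interface the frame originally arrived on (unchanged on the output pass).
Packet = namedtuple("Packet", "proto src dst direction via recv")
# A rule: "ip" proto matches everything; direction None means "in or out";
# via is tested against the current pass, recv against the original receive interface.
Rule = namedtuple("Rule", "num action proto src dst direction via recv keep_state",
                  defaults=("ip", "any", "any", None, None, None, False))

def in_net(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net)

def walk(rules, pkt, dyn):
    """Number of the first rule deciding pkt; a keep-state rule also checks state."""
    flow = (pkt.proto, pkt.src, pkt.dst)          # simplified one-way flow key
    for r in rules:
        if r.keep_state and flow in dyn:
            return r.num                          # dynamic hit: direction not checked
        if (r.proto in ("ip", pkt.proto) and in_net(pkt.src, r.src)
                and in_net(pkt.dst, r.dst) and r.direction in (None, pkt.direction)
                and r.via in (None, pkt.via) and r.recv in (None, pkt.recv)):
            if r.keep_state:
                dyn.add(flow)
            return r.num
    return 65535                                  # default rule

def verdict(rules, proto, src="192.0.2.6", dst="198.51.100.1"):
    """Deciding rule per pass for a LAN->Internet packet: input at em1, then
    (net.link.bridge.pfil_member=1) output at em0 with recv still em1."""
    dyn = set()
    passes = [Packet(proto, src, dst, "in", "em1", "em1"),
              Packet(proto, src, dst, "out", "em0", "em1")]
    return [walk(rules, p, dyn) for p in passes]

# Constructed ruleset: documentation addresses stand in for xx.xx.16.0/27, and the
# keep-state TCP rule is given number 2000 (assumed) so it precedes rule 2100.
LAN = "192.0.2.0/27"
BASE = [Rule(1100, "allow", "icmp", dst=LAN),
        Rule(2000, "allow", "tcp", src=LAN, direction="in", via="em1", keep_state=True),
        Rule(2100, "allow", "ip", src=LAN, direction="in", via="em1"),
        Rule(4700, "deny")]
WITH_2101 = sorted(BASE + [Rule(2101, "allow", "icmp", src=LAN, recv="em1")])

if __name__ == "__main__":
    print(verdict(BASE, "icmp"), verdict(WITH_2101, "icmp"), verdict(BASE, "tcp"))
    # [2100, 4700] [2100, 2101] [2000, 2000]
```

The first result reproduces the logged "4700 Deny ICMP ... out via em0": rule 2100 only matches the input pass, while on the output pass the TCP flow is covered by its dynamic state and the ICMP packet by rule 2101's "recv em1".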