[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bridge problem



Hello, 
I have a problem with bridge & outgoing traffic.

Exactly, I can't get ipfw controlling my outgoing traffic from
box acting as a router.
eg.

My external net: 219.122.12.144/28
FreeBSD box router IP: 219.122.12.146 (see ifconfig below)

Rules:
---
ipfw add 100 allow ip from not 219.122.12.144/28 to me in 
(the above one works fine). I am able to control incoming traffic.

ipfw add 101 allow ip from me to any out
(ipfw is ignoring this rule.. no traffic is controlled by this one)

ipfw add 102 allow ip from 219.122.12.144/28 to not 219.122.12.144/28 out
(failed, ipfw is ignoring this rule too.. By this rule I meant to 
controll traffic from bridged LAN users to Internet)

I found out that I can achieve the same by:
ipfw add 102 allow ip from 219.122.12.144/28 to not 219.122.12.144/28 in via bge0
(It works, so now I controll incoming traffic from users via bge0).

other rules go here ...

The rules are in order as I wrote above.
rule # 100 is the first rule ..(excluding lo ones)

That's ok, but what If I want to control the outgoing traffic from (eg. Web Service)
on 219.122.12.146 ?

T
My settings are as follows:

OS:
---
FreeBSD box.foo.com 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #1:

Sysctls:
---
net.inet.ip.fw.one_pass: 1

net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0
net.link.ether.ipfw: 1

net.link.ether.bridge_cfg: bge0:1,ed0:1
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0

Kernel options:
---
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=200
options         IPDIVERT
options         DUMMYNET
options         HZ=1000
options         IPFIREWALL_DEFAULT_TO_ACCEPT


ed0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet6 ff80::2d1:23ff:feef:3ad1%ed0 prefixlen 64 scopeid 0x1
        inet 219.122.12.146 netmask 0xfffffff0 broadcast 219.122.12.159
        inet 219.122.12.149 netmask 0xffffffff broadcast 219.122.12.149
        ether 00:c0:26:ef:3a:d4
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::20c:6eff:fe0f:7a6b%bge0 prefixlen 64 scopeid 0x2
        ether 00:0c:6e:0f:7a:6b
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

Thank you for help!

Best Regards,
Jarek

Visit your host, monkey.org