Re: Bridge and IPF
I use 2.5 with the latest (two weeks ago) cvs update on kernel, ipf, ipftest,
ipfstat, ipnat, ipmon.
Yes, I missed the -E flag. But without the -E flag, I did
I don't really recall the syntax. Anyway, same idea.
1. pass in all -
pass out all
on ipf.rules. Then ipf -Fa -f ipf.rules.
I tried to ping m/c outside the bridge from inside the bridge. It works.
2. Then block in all
block out all
ipf -Fa -f ipf.rules
Ping does not work.
3. Empty ipf.rules
ipf -Fa -f ipf.rules
I could ping.
I will try all the combinations with the -E flag tomorrow.
Thank you
awc
Matthew Patton wrote:
> DEFAULT_BLOCK means that if the packet exits the ruleset without
> matching on anything it will get dropped. So therefore your firewall
> SHOULD be dropping packets.
>
> What bit me with the 2.5 upgrade was the need for the "-E" flag to be
> specified which didn't use to be the case. I'm assuming you didn't miss
> that little bit.
>
> But it could very well be that somehow in the recent source upgrades the
> DEFAULT_BLOCK option got nuked by mistake. I'll have to see what
> happened. BTW what version are you running?