Curiosity in IPFW/FreeBSD bridge.
From: Andrew Seguin (asegu_at_borgtech.ca)
Date: 12/16/04
To: <freebsd-net@freebsd.org> Date: Thu, 16 Dec 2004 23:51:00 +0100
Hello,

First off, a great thanks to this list, which pointed out my hardware
issue (rl series cards). I now have the bridge on two Intel Pro NICs and I
use the on-board sis card for console access; my average ping time to the
router is 2ms, passing a solid 2MB/s.

My current situation is that IPFW seems to be filtering by IP address, but
never matching an IP address/port number combination (e.g. "deny ip from IP
to any" works, but "deny ip from IP to any 80" does not work).
The firewall rules are as follows:
#1. Allow all SSH traffic until rules are down safe.
ipfw add 1 allow ip from any to LOCAL_IP 22
#ipfw add 100 TEST (either "deny ip from any to any" or "deny ip from any to any 80").
ipfw add 500 pipe 1 ip from any to any
ipfw pipe 1 config bw 20480Kbit/s
default> allow ip from any to any
The setup is as follows in rc.conf:
ifconfig_fxp0="up"
ifconfig_fxp1="up"
ifconfig_sis0="LOCAL_IP…"
And in sysctl.conf:
net.link.ether.bridge.enable=1
net.link.ether.bridge.config=fxp0,fxp1
net.link.ether.bridge.ipfw=1
Kernel has been built with IPFW and DUMMYNET. FreeBSD 5.3 (RELENG_5,
cvsupdated and recompiled about a week ago).
The server was working fine when I had it filtering between two switches
(secondary to primary). I was having web/email/irc traffic bypass the pipe,
and used the pipe to limit the speed of those who use P2P. Now, I have this
situation with the firewall between the main switch and the router.
I really need to get this working for this purpose again fast or else I’ll
have a repeat of an earlier “internal” DoS, so any and all tips, comments,
pointers would be greatly appreciated!
I wonder if it is because I haven’t assigned an IP address on the fxp facing
the inside network…? Haven’t had the time to try this yet (11:50pm local
time!) since I don’t remember which fxp card is facing internal/external and
so I will try in the morning.
Again, many thanks!
Andrew Seguin
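One way to narrow down the "address matches, address plus port never matches" symptom, as an added example that is not part of the original post: put two ipfw `count` rules ahead of the test rule, one with only the source address and one with the address plus `dst-port`, let traffic flow, then read the counters back with `ipfw -a list` (rule number, packet counter, byte counter, rule body) and compare the pair. The script below does that comparison offline on a constructed listing; the addresses (192.0.2.10 in place of LOCAL_IP, 192.0.2.55 as a test client), the rule numbers 90 and 95 and the counter values are assumptions for illustration, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Parses `ipfw -a list` output,
# whose columns are: rule number, packet counter, byte counter, rule body,
# and flags port-qualified rules that never matched while the same rule
# without the port qualifier saw traffic.

# Constructed sample listing. 192.0.2.10 stands in for LOCAL_IP, 192.0.2.55
# for a client being tested; rules 90 and 95 are hypothetical `count` rules
# placed ahead of the pipe rule. Counter values are made up.
SAMPLE_IPFW_LIST='00001   318    42816 allow ip from any to 192.0.2.10 dst-port 22
00090  9813 10422330 count ip from 192.0.2.55 to any
00095     0        0 count ip from 192.0.2.55 to any dst-port 80
00500 20455 24101188 pipe 1 ip from any to any
65535 20455 24101188 allow ip from any to any'

# Rule numbers whose packet counter is zero, one per line.
unmatched_rules() {
    printf '%s\n' "$1" | awk '$2 + 0 == 0 { print $1 }'
}

# For every rule body carrying a "dst-port" qualifier, look up the rule with
# the same body minus that qualifier. Report the pair when the port-qualified
# rule has zero hits but the unqualified one has traffic: that separates
# "port matching is not working" from "there simply was no such traffic".
port_match_gap() {
    printf '%s\n' "$1" | awk '
    {
        num = $1; pkts = $2 + 0; body = ""
        for (i = 4; i <= NF; i++) body = body (i > 4 ? " " : "") $i
        pkts_by_body[body] = pkts
        num_by_body[body] = num
        if (body ~ / dst-port /) port_rule_body[num] = body
    }
    END {
        for (n in port_rule_body) {
            b = port_rule_body[n]
            base = b
            sub(/ dst-port [0-9,-]+/, "", base)
            if (base in pkts_by_body && pkts_by_body[b] == 0 && pkts_by_body[base] > 0)
                printf "%s never matched but %s (same body without dst-port) matched %d packets\n", n, num_by_body[base], pkts_by_body[base]
        }
    }' | sort
}

# On a live box the same functions take the real listing:
#   port_match_gap "$(ipfw -a list)"
port_match_gap "$SAMPLE_IPFW_LIST"
```

Zero the counters first (`ipfw zero`) so that hits from before the `count` rules were added do not muddy the comparison, and keep the `count` rules below the SSH allow rule so the console session is not affected.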