IPFW2 layer2 support broken.

Gary Allan dragonfly at gallan.plus.com
Sat Jan 8 12:04:49 PST 2005


IPFW2 appears to be broken with respect to filtering layer2 traffic. 
When active, all incoming packets are dropped.

The logging shows incoming packets being accepted at layer2 but then not 
appearing at layer3. Locally generated outgoing packets are processed by 
IPFW2 at layer3 and layer2 and do successfully exit the router. (The 
resulting incoming traffic is then dropped.)

This is similar to the problem I am experiencing with certain TCP 
connections via divert sockets in that the packets vanish after being 
processed and accepted by IPFW2.

System Settings

[  Desktop   ] -------- [  DragonFly  ]
192.168.50.20            192.168.50.1
/etc/make.conf
  IPFW2= true
Kernel options
  options         IPFW2
  options         IPFIREWALL
  options         IPFIREWALL_DEFAULT_TO_ACCEPT
  options         IPFIREWALL_VERBOSE
  options         IPFIREWALL_VERBOSE_LIMIT=50
  options         RANDOM_IP_ID
sysctls
  net.inet.ip.fw.enable: 1
  net.inet.ip.fw.one_pass: 0
  net.inet.ip.fw.debug: 1
  net.inet.ip.fw.verbose: 1
  net.inet.ip.fw.verbose_limit: 50
  net.link.ether.ipfw=1
ipfw rules
  00100   4   240 allow log ip from any to any layer2
  00200   0     0 allow log ip from any to any
  65535   0     0 allow ip from any to any
logs

  itx kernel: ipfw: 100 Accept ICMP:8.0 192.168.50.20 192.168.50.1 in via vr0
  itx last message repeated 6 times

Regards

G.Allan
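The symptom above (packets logged as accepted by the layer2 rule but never showing up at the layer3 rule) can be confirmed mechanically from the verbose log. The script below is an added example, not code from the report or from DragonFly/ipfw: it parses ipfw log lines of the shape shown in the post, folds syslog's "last message repeated N times" into the preceding packet's count, and lists flows that hit rule 100 (layer2) but never rule 200 (layer3). The sample log is constructed: the first line is the one quoted above, the remaining lines are an assumed echo-reply going out through layer3 and then layer2, as the post describes for locally generated traffic. The assumption that TCP/UDP lines carry `addr:port` fields is mine; the post only shows an ICMP line.

```python
"""Correlate ipfw verbose log lines across the layer2 and layer3 passes.

Added example, not part of the bug report. Assumed log shape (from the
single line shown in the post; other protocols are an assumption):

    ipfw: <rule> <Action> <PROTO>[:<type>.<code>] <src> <dst> <in|out> via <iface>
"""
import re
from collections import defaultdict

LAYER2_RULE = 100   # "allow log ip from any to any layer2" in the posted ruleset
LAYER3_RULE = 200   # "allow log ip from any to any" in the posted ruleset

LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<icmp>\d+\.\d+))?\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")

# Constructed sample: line 1 is quoted from the post, the rest are assumed.
SAMPLE_LOG = [
    "itx kernel: ipfw: 100 Accept ICMP:8.0 192.168.50.20 192.168.50.1 in via vr0",
    "itx last message repeated 6 times",
    "itx kernel: ipfw: 200 Accept ICMP:0.0 192.168.50.1 192.168.50.20 out via vr0",
    "itx kernel: ipfw: 100 Accept ICMP:0.0 192.168.50.1 192.168.50.20 out via vr0",
]


def parse_line(line):
    """Return a dict of the packet fields, or None for non-packet lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["icmp"] = rec["icmp"] or ""      # keep keys comparable for sorting
    return rec


def flow_key(rec):
    """Identity of a flow as ipfw logs it: proto, icmp type.code, endpoints, direction, interface."""
    return (rec["proto"], rec["icmp"], rec["src"], rec["dst"], rec["dir"], rec["iface"])


def correlate(lines):
    """Map flow_key -> {rule number: packet count}, honouring syslog repeat lines."""
    counts = defaultdict(lambda: defaultdict(int))
    last = None                           # (flow_key, rule) of the previous packet line
    for line in lines:
        rep = REPEAT_RE.search(line)
        if rep and last is not None:
            counts[last[0]][last[1]] += int(rep.group("n"))
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        last = (flow_key(rec), rec["rule"])
        counts[last[0]][last[1]] += 1
    return counts


def stranded_flows(lines):
    """Flows accepted by the layer2 rule that never reached the layer3 rule.

    Returns a sorted list of (flow_key, packets_seen_at_layer2).
    """
    counts = correlate(lines)
    return sorted(
        (key, rules[LAYER2_RULE])
        for key, rules in counts.items()
        if LAYER2_RULE in rules and LAYER3_RULE not in rules
    )


if __name__ == "__main__":
    for key, n in stranded_flows(SAMPLE_LOG):
        proto, icmp, src, dst, direction, iface = key
        print(f"{proto}{':' + icmp if icmp else ''} {src} -> {dst} {direction} via {iface}: "
              f"{n} packet(s) accepted at rule {LAYER2_RULE}, none at rule {LAYER3_RULE}")
```

Feed it `grep ipfw /var/log/messages` instead of the constructed sample to check a real box; with `net.inet.ip.fw.one_pass=0` as in the post, every packet that survives layer2 should also appear at the layer3 rule, so any flow this prints is one the stack lost between the two passes.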