Bridging Broken in 1.2?
csw at k12hq.com
Mon Apr 18 13:21:08 PDT 2005
On 04/16/2005-03:18PM, Danial Thom wrote:
> Is there a chance that bridging is broken in 1.2?
Does DFly use ipfw1 or ipfw2? If it's ipfw2

Handling of non-IPv4 packets

ipfw1 will silently accept all non-IPv4 packets (which ipfw1 will
only see when net.link.ether.bridge_ipfw=1). ipfw2 will filter
all packets (including non-IPv4 ones) according to the ruleset.
To achieve the same behaviour as ipfw1 you can use the following
as the very first rule in your ruleset:

    ipfw add 1 allow layer2 not mac-type ip

The layer2 option might seem redundant, but it is necessary --
packets passed to the firewall from layer3 will not have a MAC
header, so the mac-type ip pattern will always fail on them, and
the not operator will make this rule into a pass-all.

This is from man ipfw on a 5.3 box.
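
An added illustration (not part of the original post, and not ipfw code): a simplified Python model of how the rule quoted above matches, showing why dropping `layer2` turns it into a pass-all for layer3 traffic. The `Packet` type, function names and sample packets are hypothetical and constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Packet:
    from_layer2: bool          # True when the bridge/ethernet path hands it to the firewall
    ethertype: Optional[int]   # None for layer3 packets: no MAC header to inspect


def mac_type_ip(pkt: Packet) -> bool:
    # Per the man page text: this pattern always fails when there is no MAC header.
    return pkt.ethertype is not None and pkt.ethertype == ETHERTYPE_IP


def rule_matches(pkt: Packet, require_layer2: bool) -> bool:
    # Models "allow [layer2] not mac-type ip".
    if require_layer2 and not pkt.from_layer2:
        return False               # the layer2 option restricts the rule to layer2 packets
    return not mac_type_ip(pkt)    # "not" inverts the pattern, including its failure case


# Constructed sample packets.
SAMPLES = {
    "bridged ARP frame": Packet(from_layer2=True, ethertype=ETHERTYPE_ARP),
    "bridged IPv4 frame": Packet(from_layer2=True, ethertype=ETHERTYPE_IP),
    "layer3 IPv4 packet": Packet(from_layer2=False, ethertype=None),
}


def verdicts(require_layer2: bool) -> dict:
    # "allow" = accepted by rule 1; "next rule" = falls through to the rest of the ruleset.
    return {
        name: "allow" if rule_matches(pkt, require_layer2) else "next rule"
        for name, pkt in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, flag in (("with layer2", True), ("without layer2", False)):
        print(label, verdicts(flag))
```

With `layer2` present only the bridged non-IPv4 frame is accepted by rule 1; without it, the layer3 IPv4 packet is accepted too and never reaches the filtering rules that follow.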