On Mon, Jul 8, 2019 at 11:22 AM Eugene Grosbein <eu...@grosbein.net> wrote:
> 09.07.2019 0:43, Michael Sierchio wrote:
>
> > On Mon, Jul 8, 2019 at 10:33 AM Eugene Grosbein <eu...@grosbein.net> wrote:
> >
> >> 09.07.2019 0:19, Dan Lists wrote:
> >>
> >>> On Mon, Jul 8, 2019 at 11:55 AM Michael Sierchio <ku...@tenebras.com> wrote:
> >>>
> >>>> What's your firewall ruleset look like? (show, don't tell)
> >>> The firewall is off for testing (the machine is only on a private network).
> >>> # ipfw list
> >>> 65535 allow ip from any to any
> >>>> What does sysctl report on the interfaces and on arp?
> >>> I have not changed any settings.
> >>
> >> Show output of ifconfig for the bridge and for its members, too.
> >> I suppose some misconfiguration like IP address assigned to member
> >> interfaces that is wrong.
> >> All IP addresses need to be moved to the bridge interface itself.
> >>
> > Does 'ip' in ipfw match arp packets?
>
> We have net.link.bridge.ipfw_arp that defaults to 0 (false):
>
> $ sysctl -d net.link.bridge.ipfw_arp
> net.link.bridge.ipfw_arp: Filter ARP packets through IPFW layer2
>
> If one changes it to 1 so ipfw would get bridged ARP frames,
> then answer to your question should depend on value of net.link.ether.ipfw (0 by default)
> as ARP packets have no IP header. So if you change so many sysctls, you will be able
> to filter ARP frames with "ip" keyword as "ip" equals to "all" in ipfw.
>

Right, thanks, and Dan's sysctl output has net.link.bridge.ipfw_arp: 0

--
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred."
- The Mahābhārata