https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254015
--- Comment #13 from shamaz.ma...@gmail.com ---
Can you reproduce it yourself by adding net.link.ether.ipfw = 0 to /etc/sysctl.conf and writing firewall rules like these:

#!/bin/sh

IPFW="/sbin/ipfw -q"
IFACE="wg0"
PUB_IFACE="re1"
SKIP_IP="skipto 20000"
SKIP_ETHER="skipto 30000"

# Ports list:
SSH="22"
TELNET="23"
SMTP="25"
WHOIS="43"
WWW="80"
HTTPS="443"
POP3="110"
SSMTP="465"
POP3S="995"
GIT="9418"
FTPC="21"
FTPD="20"
IRC="6660-7000"
NTP="123"

OPENPORTS="$WWW,$HTTPS"
OPENPORTS="$OPENPORTS,$SSH,$WHOIS,$GIT"

GOODMACS="cc:af:78:58:73:a2 60:45:cb:64:2a:65 3c:7c:3f:3c:52:5b"
GOODMACS_TAG="100"

SUBNET="192.168.20.0/24"
LOCALIFACES="re0 wlan0 bridge0 lo0 tap0"

$IPFW -f flush
$IPFW -f nat flush

# Start NAT
$IPFW nat 1 config if $IFACE log same_ports reset

# Deny fragmented packets
$IPFW add reass ip from any to any frag in

#$IPFW add $SKIP_ETHER ip from any to any layer2

$IPFW add check-state :before-nat

# Drop connections to LAN from untrusted macs
#$IPFW add allow ip from any to any tagged $GOODMACS_TAG via bridge0
# Allow DHCP
#$IPFW add allow udp from any 68 to me dst-port 67 in via bridge0 keep-state :before-nat
# And ICMP
#$IPFW add allow icmp from any to any via bridge0
# Drop everything else
#$IPFW add deny ip from any to $SUBNET in via bridge0

# Enable LAN traffic
for lan_iface in $LOCALIFACES; do
    $IPFW add allow ip from any to any via $lan_iface
done

# Public iface setup
# Wireguard
$IPFW add allow udp from me to 185.213.155.130 dst-port 51820 out via $PUB_IFACE keep-state :before-nat
# OpenVPN
#$IPFW add allow udp from me to any dst-port 1197 out via $PUB_IFACE keep-state :before-nat
$IPFW add allow icmp from any to any via $PUB_IFACE
$IPFW add deny ip from any to any via $PUB_IFACE

$IPFW add nat 1 ip from any to any in via $IFACE
$IPFW add check-state :after-nat

# Allow DNS for this machine
$IPFW add $SKIP_IP tcp from me to any 53 out via $IFACE setup keep-state :after-nat
$IPFW add $SKIP_IP udp from me to any 53 out via $IFACE keep-state :after-nat
# All common open ports
$IPFW add $SKIP_IP tcp from me to any $OPENPORTS out \
    via $IFACE setup keep-state :after-nat
# DHCP
$IPFW add $SKIP_IP udp from any 68 to any dst-port 67 out via $IFACE keep-state :after-nat
# NTP
$IPFW add $SKIP_IP udp from me to any $NTP out via $IFACE keep-state :after-nat
# Allow ICMP
$IPFW add $SKIP_IP icmp from any to any via $IFACE

$IPFW add deny all from me to any out via $IFACE
$IPFW add deny all from any to me in via $IFACE

$IPFW add 20000 nat 1 ip from any to any out via $IFACE
$IPFW add allow ip from any to any via $IFACE

$IPFW add deny ip from any to any

# Ethernet-layer processing
$IPFW add 30000 allow ip from any to any mac-type arp
for mac in $GOODMACS; do
    $IPFW add allow tag $GOODMACS_TAG ip from any to any mac any $mac in
    $IPFW add allow tag $GOODMACS_TAG ip from any to any mac $mac any out
done
$IPFW add allow ip from any to any

You can drop all rules about VPN, home VLAN, etc. Just leave layer2 filtering.

--
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
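The reduced reproducer the comment suggests (only the Ethernet-layer MAC allowlist section of the ruleset above), written out as an added example that is not the poster's script and not part of the bug report. It differs from the original in two ways that matter when cutting a ruleset down for a reproduction: it validates every GOODMACS entry before building a rule from it, so a typo cannot silently turn into a rule that never matches, and it defaults to a dry run in which IPFW is `echo`, so the generated rules are printed rather than loaded. The MAC addresses, the tag number and the starting rule number are placeholders; set IPFW="/sbin/ipfw -q" on a FreeBSD host to load the rules for real.

```shell
#!/bin/sh
# Added example, not the script from the bug report. It keeps only the
# Ethernet-layer part of the ruleset (the section the comment says is
# enough to reproduce), adds validation of the MAC allowlist, and runs as
# a dry run unless IPFW is pointed at the real binary.
#
# Assumptions (placeholders, not values from the report):
#   - IPFW defaults to "echo", so rules are printed instead of loaded;
#     set IPFW="/sbin/ipfw -q" on a FreeBSD host to apply them.
#   - GOODMACS holds constructed, locally administered MAC addresses.
#   - ETHER_BASE is the rule number where layer-2 processing begins.

IPFW="${IPFW:-echo}"
GOODMACS_TAG="${GOODMACS_TAG:-100}"
GOODMACS="${GOODMACS:-02:00:00:00:00:01 02:00:00:00:00:02}"
ETHER_BASE="${ETHER_BASE:-30000}"

# is_mac: succeed only if $1 is a colon-separated 48-bit MAC address
# (six pairs of hex digits). Anything else is rejected.
is_mac() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F])
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# layer2_rules: print one ipfw rule body per line for the MAC allowlist.
# Entries of GOODMACS that are not valid MACs are skipped and reported on
# stderr instead of being handed to ipfw.
layer2_rules() {
    # ARP must pass regardless of the allowlist, or nothing resolves.
    echo "add $ETHER_BASE allow ip from any to any mac-type arp"
    for mac in $GOODMACS; do
        if ! is_mac "$mac"; then
            echo "skipping invalid MAC entry: $mac" >&2
            continue
        fi
        # Tag frames from/to a trusted MAC on the way in and out; IP-layer
        # rules can then match on "tagged $GOODMACS_TAG", as the original
        # ruleset's (commented-out) bridge0 rules do.
        echo "add allow tag $GOODMACS_TAG ip from any to any mac any $mac in"
        echo "add allow tag $GOODMACS_TAG ip from any to any mac $mac any out"
    done
    # Same closing rule as the original ruleset: remaining frames pass.
    echo "add allow ip from any to any"
}

# rule_count: number of rules layer2_rules would produce (stderr dropped).
rule_count() {
    layer2_rules 2>/dev/null | wc -l | tr -d ' '
}

# load_rules: flush the firewall and feed every generated rule to $IPFW.
# With the default IPFW=echo this only prints what would be loaded.
load_rules() {
    $IPFW -f flush
    layer2_rules | while read -r rule; do
        # word splitting of $rule into ipfw arguments is intended
        $IPFW $rule
    done
}

load_rules
```

Running it with no environment set prints the six rules that would be loaded for the two placeholder MACs (one ARP rule, an in and an out rule per MAC, and the closing allow); putting a malformed entry in GOODMACS produces a message on stderr and two fewer rules rather than a silently broken ruleset.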