Date: Fri, 15 Oct 2004 23:35:51 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: Sergey Lyubka <ioannvelikiy@yahoo.com>
Subject: Re: rdr + bridge
Message-ID: <200410152335.59316.max@love2party.net>
In-Reply-To: <20041015162538.60753.qmail@web13606.mail.yahoo.com>
References: <20041015162538.60753.qmail@web13606.mail.yahoo.com>
Unfortunately FreeBSD's bridge code is far from optimal. It lacks a lot of functionality when compared to Net/OpenBSD's if_bridge. At the moment this constrains pf to a very limited subset of possible functionalities. There has been an effort to port over if_bridge, but that died for some reason.

In order to fix your specific problem you might want to try to add a "route-to (lo0 127.0.0.1)"-rule for the redirected traffic, but I can't confirm that this will really help.

All in all, I have to admit that pf gives a rather poor performance with the FreeBSD bridge code.

On Friday 15 October 2004 18:25, Sergey Lyubka wrote:
> I am trying to set up a transparent proxy.
> The box has two interfaces,
> em0 (0.0.0.0, outside interface)
> em1 (10.0.0.3, inside interface)
>
> pf and bridge are running on the box.
> Proxy is running on the box, listening on 127.0.0.1:8080
> This is the pf.conf:
> ------------------
> int_if="em1"
> ext_if="em0"
> rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port
> 8080
> pass in
> pass out
> -------------------
>
> But, when I am trying to access any site from the inside,
> I see packets emitted by em0, which have destination address
> 127.0.0.1:8080
>
> Proxy does not receive anything.
>
> nfa# sysctl -a | grep bridge
> net.link.ether.bridge_cfg: em0,em1
> net.link.ether.bridge_ipfw: 1
> net.link.ether.bridge_ipf: 1
> net.link.ether.bridge.config: em0,em1
> net.link.ether.bridge.enable: 1
> net.link.ether.bridge.predict: 45
> net.link.ether.bridge.dropped: 0
> net.link.ether.bridge.packets: 80
> net.link.ether.bridge.ipfw_collisions: 0
> net.link.ether.bridge.ipfw_drop: 0
> net.link.ether.bridge.copy: 0
> net.link.ether.bridge.ipfw: 1
> net.link.ether.bridge.ipf: 1
> net.link.ether.bridge.debug: 0
> net.link.ether.bridge.version: 031224
>
> nfa# uname -a
> FreeBSD nfa 5.3-BETA7 FreeBSD 5.3-BETA7 #20: Fri Oct 15 15:41:14 UTC
> 2004 root@valenok.netfort-iss.com:/usr/obj/usr/src/sys/MANAGER
> i386
>
> Any ideas?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
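The exchange above, carried through into a complete pf.conf as an added example (not a config from either poster): it keeps Sergey's interface layout and rdr rule and adds the "route-to (lo0 127.0.0.1)" rule Max suggests for the redirected traffic. Max states he cannot confirm that this helps on FreeBSD's bridge, so it is something to test, not a known-good configuration. The inside network 10.0.0.0/24 and the macro names beyond int_if/ext_if are assumptions.

```pf
# Added example, not from the thread. Layout as in the original report:
# em0 outside, em1 inside, proxy listening on 127.0.0.1:8080.
# The inside network 10.0.0.0/24 is an assumption.
int_if  = "em1"
ext_if  = "em0"
int_net = "10.0.0.0/24"

# Translation: HTTP from the inside network is rewritten to the local
# proxy. pf translates before the filter rules are evaluated, so the
# filter rules below see destination 127.0.0.1:8080, not the web server.
rdr on $int_if inet proto tcp from $int_net to any port 80 \
    -> 127.0.0.1 port 8080

# Deliver the translated sessions locally via lo0 instead of letting the
# bridge re-emit them on em0 with a 127.0.0.1 destination (the symptom in
# the original report). pf uses last-matching-rule semantics, so "quick"
# stops evaluation here; without it the catch-all "pass in" below would
# be the final match and the route-to target would never apply.
pass in quick on $int_if route-to (lo0 127.0.0.1) inet proto tcp \
    from $int_net to 127.0.0.1 port 8080 keep state

# Catch-all rules as in the original report, kept so the example stays
# about the redirect. Outside a lab box these should be replaced by a
# default "block log all" with explicit pass rules.
pass in
pass out
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only) before loading it with `pfctl -f /etc/pf.conf`. `pfctl -s nat` and `pfctl -s rules` show the translation and filter rules pf actually loaded, `pfctl -s state` shows whether a test connection from an inside host created a state, and `sockstat -4l` confirms the proxy is bound to 127.0.0.1:8080. If `tcpdump -ni em0 port 8080` on the outside interface still shows packets addressed to 127.0.0.1, the route-to rule is not taking effect, which is the limitation Max describes for the old bridge code.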