From owner-freebsd-ipfw@freebsd.org Sun Dec 20 06:36:38 2015
From: Graham Menhennitt <graham@menhennitt.com.au>
To: freebsd-ipfw@freebsd.org
Date: Sun, 20 Dec 2015 17:36:28 +1100
Subject: Re: connecting a PS4 via IPFW [solved]
Message-ID: <56764C6C.5060606@menhennitt.com.au>
In-Reply-To: <5655405C.1060301@menhennitt.com.au>

On 25/11/2015 16:00, Graham Menhennitt wrote:
> Hello IPFWers,
>
> I have a box running FreeBSD 10-stable that I use as a
> router/firewall/NAT. It runs IPFW and uses kernel NAT. My son is nagging
> me about playing multi-player online games on his Sony PS4.
>
> From what I've read, I could enable UPnP. But I've tried compiling the
> net/miniupnpd port but it won't build for IPFW (and I don't want to
> convert to PF).
>
> Giving up on that, I'm now trying to enable port forwarding -
> apparently, this will fix it. I've allocated the PS4 a static IP address
> on my LAN. I need to port forward TCP ports 80, 443, 1935, 3478-3480,
> and UDP ports 3478-3479. I've tried the following command:
>
> ipfw nat 1 config \
>     redirect_port tcp ${PS4_LAN_ADDRESS}:1935 80 \
>     redirect_port tcp ${PS4_LAN_ADDRESS}:1935 443 \
>     redirect_port tcp ${PS4_LAN_ADDRESS}:1935 1935 \
>     redirect_port tcp ${PS4_LAN_ADDRESS}:3478 3478 \
>     redirect_port tcp ${PS4_LAN_ADDRESS}:3479 3479 \
>     redirect_port tcp ${PS4_LAN_ADDRESS}:3480 3480 \
>     redirect_port udp ${PS4_LAN_ADDRESS}:3478 3478 \
>     redirect_port udp ${PS4_LAN_ADDRESS}:3479 3479
>
> but that completely kills my Internet connection for all other uses (and
> the PS4 still doesn't work!).

After Thomas' hint and lots of help from Ian, I now have a working setup.
And I believe it's considerably more secure than before. It's basically a
modified version of "Simple" from /etc/rc.firewall.

Many thanks to both Thomas and Ian.
Graham

/etc/rc.conf:

firewall_enable="YES"
firewall_flags="-p m4 -DOUTSIDE_IF=re1 -DLAN_IF=re0 -DLAN_NET=192.168.0.0/25 -DWIFI_IF=re2 -DWIFI_NET=192.168.0.128/26 -DVPN_IF=tap0 -DVPN_NET=192.168.0.192/26 -DPS4_ADDR=192.168.0.235 -DIPV6_IF=gif0"
firewall_type="/etc/ipfw.rules"

/etc/ipfw.rules:

# stop spoofing
add deny all from LAN_NET to any in via OUTSIDE_IF
add deny all from WIFI_NET to any in via OUTSIDE_IF

# allow anything on the LAN
add allow all from any to any via LAN_IF
# and from the VPN
add allow all from any to any via VPN_IF

# allow anything from the wireless network to the outside world (but not to the LAN)
add allow ip from any to not LAN_NET via WIFI_IF

# create a table of addresses to block
table 1 flush
# add RFC1918 nets
table 1 add 10.0.0.0/8
table 1 add 172.16.0.0/12
table 1 add 192.168.0.0/16
# and draft-manning-dsua-03.txt nets
table 1 add 0.0.0.0/8
table 1 add 169.254.0.0/16
table 1 add 192.0.2.0/24
table 1 add 224.0.0.0/4
table 1 add 240.0.0.0/4
# stop entries in the table coming in on the outside interface
add deny all from table(1) to any in recv OUTSIDE_IF

# similarly for IPv6
table 2 flush
# Stop unique local unicast address on the outside interface
table 2 add fc00::/7
# Stop site-local on the outside interface
table 2 add fec0::/10
# Disallow "internal" addresses to appear on the wire.
table 2 add ::ffff:0.0.0.0/96
# Disallow packets to malicious IPv4 compatible prefix.
#table 2 add ::224.0.0.0/100   gives error "Use IPv4 instead of v4-compatible"
#table 2 add ::127.0.0.0/104   ditto
table 2 add ::0.0.0.0/104
#table 2 add ::255.0.0.0/104   ditto
# table 2 add ::0.0.0.0/96
# Disallow packets to malicious 6to4 prefix.
table 2 add 2002:e000::/20
table 2 add 2002:7f00::/24
table 2 add 2002:0000::/24
table 2 add 2002:ff00::/24
# table 2 add 2002:0a00::/24
table 2 add 2002:ac10::/28
table 2 add 2002:c0a8::/32
# table 2 add ff05::/16
# block these addresses both incoming and outgoing
add deny all from table(2) to any via IPV6_IF
add deny all from any to table(2) via IPV6_IF

# allow setup of incoming SSH, IMAPS, and OpenVPN
add allow tcp from any to me ssh setup
add allow tcp from any to me6 ssh setup
add allow tcp from any to me imaps setup
add allow tcp from any to me6 imaps setup
add allow tcp from any to me openvpn setup
add allow tcp from any to me6 openvpn setup
add allow udp from any to me openvpn

# allow IPP, IMAPS, and SMTP from wireless
add allow ip from any to LAN_NET dst-port printer setup via WIFI_IF
add allow ip from any to me dst-port ipp setup via WIFI_IF
add allow ip from any to me dst-port smtp setup via WIFI_IF
add allow ip from any to me dst-port imaps setup via WIFI_IF

# allow some ICMP types but nothing else
add allow icmp from any to any icmptypes 0,3,8,11
add deny icmp from any to any

#add allow ipv6 from any to any

# NAT
# redirect ports to PS4
nat 1 config if OUTSIDE_IF same_ports \
    redirect_port tcp PS4_ADDR:1935 1935 \
    redirect_port tcp PS4_ADDR:3478 3478 \
    redirect_port tcp PS4_ADDR:3479 3479 \
    redirect_port tcp PS4_ADDR:3480 3480 \
    redirect_port udp PS4_ADDR:3478 3478 \
    redirect_port udp PS4_ADDR:3479 3479
add nat 1 ip4 from any to any via OUTSIDE_IF

# and block the above table again outbound
add deny all from table(1) to any out xmit OUTSIDE_IF

# allow TCP through if setup succeeded
add pass tcp from any to any established

# allow IP fragments to pass through
add pass all from any to any frag

# allow TCP ports needed for PS4
add allow tcp from any to PS4_ADDR 1935 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3478 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3479 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3480 in via OUTSIDE_IF setup
add allow udp from any to PS4_ADDR 3478 in via OUTSIDE_IF
add allow udp from any to PS4_ADDR 3479 in via OUTSIDE_IF

# allow DNS & NTP queries out to the world (and their replies back in)
add allow udp from me to any 53 keep-state
add allow udp from me to any 123 keep-state
# but no other UDP in from outside
add deny udp from any to any in via OUTSIDE_IF
# and allow any other UDP
add allow udp from any to any

# reject all setup of incoming connections from the outside
add deny tcp from any to any in via OUTSIDE_IF setup
# reject all setup of incoming connections from the IPV6 tunnel
add deny tcp from any to any in via gif0 setup
# reject all setup of incoming connections from the wireless
add deny tcp from any to any in via WIFI_IF setup

# allow setup of any other TCP connection
add pass tcp from any to any setup

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel config file.
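Added example, not from the post: a consistency check for the redirect_port/allow pairing the rules above rely on, the kind of check worth running before reloading a kernel-NAT ruleset. It treats the m4 symbols PS4_ADDR and OUTSIDE_IF as opaque tokens; its two sample rulesets are constructed from the working rules and from the first attempt quoted at the top of the message.

```python
"""Consistency checks for an ipfw kernel-NAT ruleset that uses redirect_port:
a `nat N config` without `if <iface>`, and a redirect whose translated destination
(inside addr, inside port) lacks a later `allow <proto> from any to <addr> <port>
in via <iface>` rule (tcp also needs `setup`). m4 symbols are opaque tokens here."""
import re

ALLOW_RE = re.compile(
    r"^add\s+(?:allow|pass|accept|permit)\s+(tcp|udp)\s+from\s+any\s+to\s+"
    r"(\S+)\s+([\d,\-]+)\s+in\s+via\s+(\S+)(\s+setup)?$")
ADD_NAT_RE = re.compile(r"^add\s+nat\s+(\d+)\b")


def logical_lines(text):
    """Return the rules with comments dropped and backslash continuations joined."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rules.append(" ".join((buf + line).split()))
        buf = ""
    return rules


def port_range(spec):
    """'3478' -> (3478, 3478); '3478-3480' -> (3478, 3480)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def parse_nat_config(rule):
    """Parse `nat N config [if IFACE] ... redirect_port PROTO ADDR:PORT[-PORT] [ALIAS:]PORT[-PORT]`."""
    toks = rule.split()
    nat_id, iface, redirects, i = toks[1], None, [], 3
    while i < len(toks):
        if toks[i] == "if":
            iface = toks[i + 1]
            i += 2
        elif toks[i] == "redirect_port":
            proto, target, outside = toks[i + 1:i + 4]
            addr, inside = target.rsplit(":", 1)
            redirects.append((proto, addr, port_range(inside),
                              port_range(outside.rsplit(":", 1)[-1])))
            i += 4
        else:
            i += 1  # same_ports, log, deny_in, ...: flags without operands we need
    return nat_id, iface, redirects


def check_ruleset(text):
    """Return a list of findings; empty means every redirect has a matching allow rule."""
    rules = logical_lines(text)
    nat_pos, allows, findings = {}, [], []
    for idx, rule in enumerate(rules):
        if m := ADD_NAT_RE.match(rule):
            nat_pos.setdefault(m.group(1), idx)
        if m := ALLOW_RE.match(rule):
            proto, addr, ports, iface, setup = m.groups()
            for spec in ports.split(","):
                allows.append((idx, proto, addr, port_range(spec), iface, bool(setup)))
    for rule in rules:
        if not (rule.startswith("nat ") and " config" in rule):
            continue
        nat_id, iface, redirects = parse_nat_config(rule)
        if iface is None:
            findings.append(f"nat {nat_id} config has no 'if <iface>' clause")
        for proto, addr, (ilo, ihi), (olo, _) in redirects:
            for off in range(ihi - ilo + 1):
                port = ilo + off
                # After translation the packet is addressed to addr:inside port; that, not the
                # outside port, is what an allow rule placed after `add nat N` has to match.
                covered = any(
                    a_idx > nat_pos.get(nat_id, -1) and a_proto == proto and a_addr == addr
                    and lo <= port <= hi and (iface is None or a_iface == iface)
                    and (proto != "tcp" or a_setup)
                    for a_idx, a_proto, a_addr, (lo, hi), a_iface, a_setup in allows)
                if not covered:
                    findings.append(
                        f"redirect_port {proto} {addr}:{port} (outside port {olo + off}) has no "
                        f"'allow {proto} from any to {addr} {port} in via {iface or '<iface>'}"
                        f"{' setup' if proto == 'tcp' else ''}' rule after 'add nat {nat_id}'")
    return findings


# Sample 1: condensed from the working /etc/ipfw.rules in the post (ranges/lists used for brevity).
WORKING = """\
nat 1 config if OUTSIDE_IF same_ports \\
    redirect_port tcp PS4_ADDR:1935 1935 \\
    redirect_port tcp PS4_ADDR:3478-3480 3478-3480 \\
    redirect_port udp PS4_ADDR:3478-3479 3478-3479
add nat 1 ip4 from any to any via OUTSIDE_IF
add allow tcp from any to PS4_ADDR 1935,3478-3480 in via OUTSIDE_IF setup
add allow udp from any to PS4_ADDR 3478,3479 in via OUTSIDE_IF
"""

# Sample 2 (constructed): the first attempt quoted in the post, as rule-file lines.
# No `if` clause, outside ports 80 and 443 mapped onto PS4_ADDR:1935, no allow rules.
FIRST_ATTEMPT = """\
nat 1 config \\
    redirect_port tcp PS4_ADDR:1935 80 \\
    redirect_port tcp PS4_ADDR:1935 443 \\
    redirect_port tcp PS4_ADDR:1935 1935
add nat 1 ip4 from any to any via OUTSIDE_IF
"""
```

Running `check_ruleset` on WORKING returns no findings; on FIRST_ATTEMPT it reports the missing `if` clause and one missing allow rule per tcp redirect.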
From owner-freebsd-ipfw@freebsd.org Mon Dec 21 02:20:53 2015
From: Ganbold Tsagaankhuu <ganbold@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Mon, 21 Dec 2015 10:20:52 +0800
Subject: layer2 ipfw fwd

Hi,

Does ipfw support layer2 fwd to support transparent proxying on a bridge?

Did a similar change like
https://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
ever get committed?

thanks a lot,

Ganbold

From owner-freebsd-ipfw@freebsd.org Mon Dec 21 06:02:35 2015
From: Julian Elischer <julian@freebsd.org>
To: Ganbold Tsagaankhuu, freebsd-ipfw@freebsd.org
Date: Mon, 21 Dec 2015 14:02:25 +0800
Subject: Re: layer2 ipfw fwd
Message-ID: <567795F1.5080605@freebsd.org>

On 21/12/2015 10:20 AM, Ganbold Tsagaankhuu wrote:
> Hi,
>
> Does ipfw support layer2 fwd to support transparent proxying on a bridge?
>
> Did a similar change like
> https://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
> ever get committed?

I don't believe this was applied.
I did something similar when I worked for Ironport/Cisco.
But it's a trade-off between bloat and usefulness.

> thanks a lot,
>
> Ganbold

From owner-freebsd-ipfw@freebsd.org Mon Dec 21 09:47:37 2015
From: bycn82 <bycn82@gmail.com>
To: Julian Elischer
Cc: Ganbold Tsagaankhuu, freebsd-ipfw@freebsd.org
Date: Mon, 21 Dec 2015 17:47:35 +0800
Subject: Re: layer2 ipfw fwd
In-Reply-To: <567795F1.5080605@freebsd.org>

Why fwd based on MAC? Can you share more info on your requirement?

On Monday, 21 December 2015, Julian Elischer wrote:
> On 21/12/2015 10:20 AM, Ganbold Tsagaankhuu wrote:
>> Hi,
>>
>> Does ipfw support layer2 fwd to support transparent proxying on a bridge?
>>
>> Did a similar change like
>> https://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>> ever get committed?
>
> I don't believe this was applied.
> I did something similar when I worked for Ironport/Cisco.
> But it's a trade-off between bloat and usefulness.
>
>> thanks a lot,
>>
>> Ganbold

From owner-freebsd-ipfw@freebsd.org Mon Dec 21 14:40:39 2015
From: Julian Elischer <julian@freebsd.org>
To: bycn82
Cc: Ganbold Tsagaankhuu, freebsd-ipfw@freebsd.org
Date: Mon, 21 Dec 2015 22:40:26 +0800
Subject: Re: layer2 ipfw fwd
Message-ID: <56780F5A.5060209@freebsd.org>
References: <567795F1.5080605@freebsd.org>
On 21/12/2015 5:47 PM, bycn82 wrote:
> Why fwd based on MAC? Can you share more info on your requirement?

You still decide to FWD based on IP address, but you do it while the
packet is still in the layer 2 bridge.

Let me give you a concrete example.

If I have a bridge between two networks, it is a transparent bridge; in
other words nothing sees the bridge.
However, using layer 2 IPFW, I can block packets from side A from getting
to side B.
In addition I can redirect (using ipfw fwd and this patch) packets that
are coming in from side A to port 80 on side B, to a local proxy or http
filter.
Everything else just flows back and forth across the bridge.
Using IP spoofing/forwarding the proxy filter will create a socket that
pretends to be the side B destination and respond directly, even though it
doesn't have that address. It may in turn open a socket to the original
destination and forward the request, or maybe it won't, depending on
policy.
But nothing else is aware of its existence. It is as though a segment of
cable started filtering web content.

This is EXACTLY what the cisco/ironport web filter appliance does...

> On Monday, 21 December 2015, Julian Elischer wrote:
>> On 21/12/2015 10:20 AM, Ganbold Tsagaankhuu wrote:
>>> Hi,
>>>
>>> Does ipfw support layer2 fwd to support transparent proxying on a bridge?
>>>
>>> Did a similar change like
>>> https://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>> ever get committed?
>>
>> I don't believe this was applied.
>> I did something similar when I worked for Ironport/Cisco.
>> But it's a trade-off between bloat and usefulness.
>>
>>> thanks a lot,
>>>
>>> Ganbold

From owner-freebsd-ipfw@freebsd.org Tue Dec 22 14:57:55 2015
From: bycn82 <bycn82@gmail.com>
To: Julian Elischer
Cc: Ganbold Tsagaankhuu, freebsd-ipfw@freebsd.org
Date: Tue, 22 Dec 2015 22:57:53 +0800
Subject: Re: layer2 ipfw fwd
In-Reply-To: <56780F5A.5060209@freebsd.org>

Hi Julian,

Thanks for the explanation.

Since it is on layer2, that means we can differentiate traffic by MAC or
other layer2 filters only.
e.g., forward the traffic when the type is 0x800 and destination MAC is
xx:yy:zz....

I meant the accuracy is a big concern.

Regards,
Bill Yuan

On 21 December 2015 at 22:40, Julian Elischer wrote:
> On 21/12/2015 5:47 PM, bycn82 wrote:
>> Why fwd based on MAC? Can you share more info on your requirement?
>
> You still decide to FWD based on IP address, but you do it while the
> packet is still in the layer 2 bridge.
>
> Let me give you a concrete example.
>
> If I have a bridge between two networks, it is a transparent bridge; in
> other words nothing sees the bridge.
> However, using layer 2 IPFW, I can block packets from side A from getting
> to side B.
> In addition I can redirect (using ipfw fwd and this patch) packets that
> are coming in from side A to port 80 on side B, to a local proxy or http
> filter.
> Everything else just flows back and forth across the bridge.
> Using IP spoofing/forwarding the proxy filter will create a socket that
> pretends to be the side B destination and respond directly, even though it
> doesn't have that address. It may in turn open a socket to the original
> destination and forward the request, or maybe it won't, depending on
> policy.
> But nothing else is aware of its existence. It is as though a segment of
> cable started filtering web content.
>
> This is EXACTLY what the cisco/ironport web filter appliance does...
>
>> On Monday, 21 December 2015, Julian Elischer wrote:
>>> On 21/12/2015 10:20 AM, Ganbold Tsagaankhuu wrote:
>>>> Hi,
>>>>
>>>> Does ipfw support layer2 fwd to support transparent proxying on a bridge?
>>>>
>>>> Did a similar change like
>>>> https://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>> ever get committed?
>>>
>>> I don't believe this was applied.
>>> I did something similar when I worked for Ironport/Cisco.
>>> But it's a trade-off between bloat and usefulness.
>>>
>>>> thanks a lot,
>>>>
>>>> Ganbold

From owner-freebsd-ipfw@freebsd.org Wed Dec 23 01:03:51 2015
From: Julian Elischer <julian@freebsd.org>
To: bycn82
Cc: freebsd-ipfw@freebsd.org, Ganbold Tsagaankhuu
Date: Wed, 23 Dec 2015 09:03:34 +0800
Subject: Re: layer2 ipfw fwd
Message-ID: <5679F2E6.2090700@freebsd.org>
References: <567795F1.5080605@freebsd.org> <56780F5A.5060209@freebsd.org>

On 22/12/2015 10:57 PM, bycn82 wrote:
> Hi Julian,
>
> Thanks for the explanation.
>
> Since it is on layer2, that means we can differentiate traffic by MAC or
> other layer2 filters only.
> e.g., forward the traffic when the type is 0x800 and destination MAC is
> xx:yy:zz....
>
> I meant the accuracy is a big concern.

Since it is layer 2, it includes layer 3. IPFW knows how to access the
layer 3 fields so layer 2 OR 3 may be used to filter.

> Regards,
> Bill Yuan
>
> On 21 December 2015 at 22:40, Julian Elischer wrote:
>> On 21/12/2015 5:47 PM, bycn82 wrote:
>>> Why fwd based on MAC? Can you share more info on your requirement?
>>
>> You still decide to FWD based on IP address, but you do it while the
>> packet is still in the layer 2 bridge.
>>
>> Let me give you a concrete example.
>>
>> If I have a bridge between two networks, it is a transparent bridge; in
>> other words nothing sees the bridge.
>> However, using layer 2 IPFW, I can block packets from side A from getting
>> to side B.
>> In addition I can redirect (using ipfw fwd and this patch) packets that
>> are coming in from side A to port 80 on side B, to a local proxy or http
>> filter.
>> Everything else just flows back and forth across the bridge.
>> Using IP spoofing/forwarding the proxy filter will create a socket that
>> pretends to be the side B destination and respond directly, even though it
>> doesn't have that address. It may in turn open a socket to the original
>> destination and forward the request, or maybe it won't, depending on
>> policy.
>> But nothing else is aware of its existence. It is as though a segment of
>> cable started filtering web content.
>>
>> This is EXACTLY what the cisco/ironport web filter appliance does...
>>
>>> On Monday, 21 December 2015, Julian Elischer wrote:
>>>> On 21/12/2015 10:20 AM, Ganbold Tsagaankhuu wrote:
>>>>> Hi,
>>>>>
>>>>> Does ipfw support layer2 fwd to support transparent proxying on a bridge?
>>>>>
>>>>> Did a similar change like
>>>>> https://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>>> ever get committed?
>>>>
>>>> I don't believe this was applied.
>>>> I did something similar when I worked for Ironport/Cisco.
>>>> But it's a trade-off between bloat and usefulness.
>>>>
>>>>> thanks a lot,
>>>>>
>>>>> Ganbold

From owner-freebsd-ipfw@freebsd.org Wed Dec 23 02:08:06 2015
IX8Hv27At1N62VQUMKzw0MWT+9RyVMqiliT1QBws/DFwLvFcXvVizgbj/5crbiLfYgp6 z5n13Ph9jfqTrFdEoagihblLpCcum3k/wA3RWnHrWKa7W1o6zSrGYRkwBDgW1RsI9cq4 TqK2VR3RCcviemsLgkq0zjCAjXHet76ZF9Twk9tmm3Wz8f8R6Tt8fiMXyvEv/ejNTET9 /G7Q== MIME-Version: 1.0 X-Received: by 10.31.138.20 with SMTP id m20mr18271376vkd.70.1450836485480; Tue, 22 Dec 2015 18:08:05 -0800 (PST) Received: by 10.103.21.5 with HTTP; Tue, 22 Dec 2015 18:08:05 -0800 (PST) In-Reply-To: <5679F2E6.2090700@freebsd.org> References: <567795F1.5080605@freebsd.org> <56780F5A.5060209@freebsd.org> <5679F2E6.2090700@freebsd.org> Date: Wed, 23 Dec 2015 10:08:05 +0800 Message-ID: Subject: Re: layer2 ipfw fwd From: bycn82 To: Julian Elischer Cc: "freebsd-ipfw@freebsd.org" , Ganbold Tsagaankhuu Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Dec 2015 02:08:07 -0000 Interesting, that means in order to filter the layer2 traffic with layer3 filters. it will unpack the ether frame and get the packets. at least the packet header. so why ipfw doesnt support this? Ipfw3 will support this! On Wednesday, 23 December 2015, Julian Elischer wrote: > On 22/12/2015 10:57 PM, bycn82 wrote: > >> Hi Julian, >> >> Thanks for the explanation. >> >> Since it is on layer2, that means we can differentiate traffic by MAC or >> other layer2 filters only. >> e.g , forward the traffic when the type is 0x800 and destination MAC is >> xx:yy:zz.... >> >> I meant the accuracy is a big concern. >> > since it is layer 2, it includes layer 3. IPFW knows how to access the > layer 3 fields so layer 2 OR 3 may be used to filter. > > >> Regards, >> Bill Yuan >> >> >> On 21 December 2015 at 22:40, Julian Elischer wrote: >> >> On 21/12/2015 5:47 PM, bycn82 wrote: >>> >>> why fwd based on MAC? 
>>> Can share more info of your requirement?
>>>
>>>
>>> you still decide to FWD based on IP address, but you do it while the
>>> packet is still in the layer 2 bridge.
>>>
>>> let me give you a concrete example
>>>
>>> If I have a bridge between two networks. it is a transparent bridge, in
>>> other words nothing sees the bridge.
>>> However using layer 2 IPFW, I can block packets from side A from getting
>>> to side B.
>>> In addition I can redirect (using ipfw fwd and this patch) packets that
>>> are coming in, from side A to port 80 on side B, to a local proxy or http
>>> filter.
>>> Everything else just flows back and forth across the bridge.
>>> Using IP spoofing/forwarding the proxy filter will create a socket that
>>> pretends to be the side B destination and respond directly, even though
>>> it doesn't have that address. It may in turn open a socket to the original
>>> destination and forward the request, or, maybe it won't, depending on
>>> policy.
>>> But nothing else is aware of its existence. it is as though a segment of
>>> cable started filtering web content.
>>>
>>> This is EXACTLY what the cisco/ironport web filter appliance does...
>>>
>>>
>>> On Monday, 21 December 2015, Julian Elischer <
>>> julian@freebsd.org> wrote:
>>>
>>> On 21/12/2015 10:20 AM, Ganbold Tsagaankhuu wrote:
>>>>
>>>> Hi,
>>>>>
>>>>> Does ipfw support layer2 fwd to support transparent proxying on bridge?
>>>>>
>>>>> Does similar change like
>>>>>
>>>>> https://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>>> ever get committed?
>>>>>
>>>>> I don't believe this was applied..
>>>> I did similar when I worked for Ironport/Cisco.
>>>> But it's a trade-off between bloat and usefulness.
>>>> >>>> >>>> thanks a lot, >>>>> >>>>> Ganbold >>>>> _______________________________________________ >>>>> freebsd-ipfw@freebsd.org mailing list >>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >>>>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >>>>> >>>>> >>>> >>> >> >

From owner-freebsd-ipfw@freebsd.org Wed Dec 23 05:42:06 2015 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A9344A50790 for ; Wed, 23 Dec 2015 05:42:06 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E301C12F8; Wed, 23 Dec 2015 05:42:05 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id tBN5ftf3045806; Wed, 23 Dec 2015 16:41:55 +1100 (EST) (envelope-from smithi@nimnet.asn.au) Date: Wed, 23 Dec 2015 16:41:55 +1100 (EST) From: Ian Smith To: bycn82 cc: Julian Elischer , freebsd-ipfw@freebsd.org, Ganbold Tsagaankhuu Subject: Re: layer2 ipfw fwd In-Reply-To: Message-ID: <20151223155755.A8562@sola.nimnet.asn.au> References: <567795F1.5080605@freebsd.org> <56780F5A.5060209@freebsd.org> <5679F2E6.2090700@freebsd.org> MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Dec 2015 05:42:06 -0000

On Wed, 23 Dec 2015 10:08:05 +0800, bycn82 wrote:
> Cc: "freebsd-ipfw@freebsd.org" ,
> Ganbold Tsagaankhuu
> Subject: Re: layer2 ipfw fwd
>
> Interesting, that means in order to filter the layer2 traffic with layer3
> filters, it will unpack the ether frame and get the packets, at least the
> packet header.

That's already been done. As Julian points out, at layer 2 you can see and work with ether headers (MAC addresses) _as well as_ the IP headers.

> So why doesn't ipfw support this? Ipfw3 will support this!

I would suggest reading this older but quite comprehensive article that applies specifically to bridges. It was written for the old bridge, before if_bridge(4), so there are some syntactic differences, but it should help with understanding the concepts and methodology.

http://www.freebsd.org/doc/en/articles/filtering-bridges/article.html

As that mentions, with a bridge you only get to see packets on their way in; once accepted they aren't passed to the firewall again - see PACKET FLOW in ipfw(8).

All of this is well covered by that article, which is what I used back c. 2003 to create a very effective filtering bridge for an internet cafe-like environment off a satellite+ISDN router.

It also mentions that:

"Another limitation is that you are restricted to use only pass or drop commands for packets filtered by a bridge. Sophisticated things like divert, forward or reject are not available. Such options can still be used, but only on traffic to or from the bridge machine itself (if it has an IP address)."

Which is presumably what Luigi's patch addresses, re forward anyway.

There's always more to do :-) and contributions are welcome I'm sure.
cheers, Ian
From owner-freebsd-ipfw@freebsd.org Wed Dec 23 15:49:48 2015 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8B453A4FA38 for ; Wed, 23 Dec 2015 15:49:48 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 60DE91F39 for ; Wed, 23 Dec 2015 15:49:48 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 411FC20410 for ; Wed, 23 Dec 2015 10:49:47 -0500 (EST) Received: from web3 ([10.202.2.213]) by compute5.internal (MEProxy); Wed, 23 Dec 2015 10:49:47 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=NIhcffTwG2ej+Ug DWqgSZhKEKDM=; b=SF4oYPY+IGOTS1pXK2Cph7lfgL3t+XXy9hDVIv5q3cxI0vf 7/jbNKfoxGVZxSeP9D28QsQz538tEpAQjwFC2pc1kkiFAA3pRl+PHz/OQva1Xrto
WYXw6cI7gUNJd4gZGg26+Boej+D8yCUN9NgtJpbv/KvHNYrKcRQSKnrG7I5E= Received: by web3.nyi.internal (Postfix, from userid 99) id 15D8F10BAC1; Wed, 23 Dec 2015 10:49:47 -0500 (EST) Message-Id: <1450885787.1918354.474995842.261BD65D@webmail.messagingengine.com> X-Sasl-Enc: kT1lOu4t7IM5EpYkI4Piz1k6Cz8hy9pQLsb6GAG93+rg 1450885787 From: Mark Felder To: Julian Elischer , bycn82 Cc: freebsd-ipfw@freebsd.org, Ganbold Tsagaankhuu MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-a93c17cb In-Reply-To: <56780F5A.5060209@freebsd.org> References: <567795F1.5080605@freebsd.org> <56780F5A.5060209@freebsd.org> Subject: Re: layer2 ipfw fwd Date: Wed, 23 Dec 2015 09:49:47 -0600 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Dec 2015 15:49:48 -0000

On Mon, Dec 21, 2015, at 08:40, Julian Elischer wrote:
>
> This is EXACTLY what the cisco/ironport web filter appliance does...
>

If we had this in FreeBSD nobody would have to reinvent the wheel to build a similar appliance, right? And it might allow someone to build a competing open source FreeBSD-based web filter appliance with this same feature set...
--
Mark Felder
ports-secteam member
feld@FreeBSD.org

From owner-freebsd-ipfw@freebsd.org Fri Dec 25 17:36:52 2015 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 96154A50EE1 for ; Fri, 25 Dec 2015 17:36:52 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 58888183F; Fri, 25 Dec 2015 17:36:52 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from Julian-MBP3.local (ppp121-45-234-233.lns20.per1.internode.on.net [121.45.234.233]) (authenticated bits=0) by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id tBPHakG7001924 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Fri, 25 Dec 2015 09:36:49 -0800 (PST) (envelope-from julian@freebsd.org) Subject: Re: layer2 ipfw fwd To: Mark Felder , bycn82 References: <567795F1.5080605@freebsd.org> <56780F5A.5060209@freebsd.org> <1450885787.1918354.474995842.261BD65D@webmail.messagingengine.com> Cc: freebsd-ipfw@freebsd.org, Ganbold Tsagaankhuu From: Julian Elischer Message-ID: <567D7EA9.6050201@freebsd.org> Date: Sat, 26 Dec 2015 01:36:41 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.5.0 MIME-Version: 1.0 In-Reply-To: <1450885787.1918354.474995842.261BD65D@webmail.messagingengine.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Dec 2015 17:36:52 -0000

On 23/12/2015 11:49 PM, Mark
Felder wrote:

> On Mon, Dec 21, 2015, at 08:40, Julian Elischer wrote:
>> This is EXACTLY what the cisco/ironport web filter appliance does...
>>
> If we had this in FreeBSD nobody would have to reinvent the wheel to
> build a similar appliance, right? And it might allow someone to build a
> competing open source FreeBSD-based web filter appliance with this same
> feature set...

nah...there is SO MUCH MORE to what the ironport does.
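The point Julian and Ian make earlier in this thread, that a frame seen at layer 2 still carries its IP and TCP headers, so a bridge filter can decide on MAC addresses and on IP addresses and ports at the same time, is what lets a transparent bridge block side A from side B and pick out side A's port-80 traffic for a proxy. With if_bridge(4) this is what setting net.link.bridge.ipfw=1 and writing rules with the layer2 option gives you; as the article Ian quotes notes, bridged frames only get pass or drop verdicts unless the fwd patch under discussion is applied. The script below is an added example, not code from this thread or from ipfw, that parses a constructed Ethernet II frame down to the TCP ports and applies the bridge policy from Julian's example. Everything topology-specific is an assumption for the demo: em0 faces side A, 192.0.2.0/24 is side B, 198.51.100.66 is the blocked side-A host, and the proxy listens on 127.0.0.1:3128; the "fwd" verdict is what the patched ipfw would apply, not something ipfw does for bridged frames on its own.

```python
"""Ethernet-frame inspection for a filtering bridge.

Added example; not code from this thread or from ipfw. A frame that a bridge
sees at layer 2 still carries its IP and TCP headers, so the filter can match
on MAC addresses *and* on IP addresses/ports. Interface names, addresses and
the proxy endpoint are assumptions for the demo.
"""
import struct
from ipaddress import IPv4Address, IPv4Network

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17

# Assumed topology: em0 faces side A, em1 faces side B (both bridge members).
SIDE_A_IFACE = "em0"
SIDE_B_NET = IPv4Network("192.0.2.0/24")               # constructed: side-B hosts
BLOCKED_SIDE_A_HOSTS = {IPv4Address("198.51.100.66")}  # constructed: host denied A->B
PROXY = ("127.0.0.1", 3128)                            # constructed: local transparent proxy


def parse_frame(frame: bytes) -> dict:
    """Extract the L2, L3 and L4 fields a bridge filter can see in one frame."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
            "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info                      # ARP and friends: layer-2 fields only
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("short IPv4 header")
    (ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("ethertype says IPv4 but the version field does not")
    ihl = (ver_ihl & 0x0F) * 4           # header length including options
    info.update(src_ip=IPv4Address(src), dst_ip=IPv4Address(dst), proto=proto)
    l4 = ip[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def bridge_decision(frame: bytes, in_iface: str) -> tuple:
    """ipfw-style verdict for a frame entering the bridge on in_iface.

    Mirrors the thread's example: one side-A host is blocked, HTTP from side A
    to side B is diverted to a local proxy, everything else is bridged.
    Returns ("allow" | "deny" | "fwd", detail).
    """
    f = parse_frame(frame)
    if f["ethertype"] != ETHERTYPE_IPV4:
        return ("allow", "non-IP frame, only layer-2 fields available")
    if in_iface == SIDE_A_IFACE:
        if f["src_ip"] in BLOCKED_SIDE_A_HOSTS:
            return ("deny", str(f["src_ip"]))
        if (f["dst_ip"] in SIDE_B_NET and f.get("proto") == IPPROTO_TCP
                and f.get("dport") == 80):
            return ("fwd", PROXY)        # what the patched ipfw fwd would do
    return ("allow", "bridged")


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed IPv4/TCP SYN frame; checksums left zero (not needed here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, IPPROTO_TCP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth = struct.pack("!6s6sH", _mac(dst_mac), _mac(src_mac), ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def build_arp_frame(src_mac: str) -> bytes:
    """Constructed broadcast ARP frame with a zeroed 28-byte body."""
    return struct.pack("!6s6sH", b"\xff" * 6, _mac(src_mac), ETHERTYPE_ARP) + bytes(28)


if __name__ == "__main__":
    web = build_tcp_frame("02:00:00:00:00:0a", "02:00:00:00:00:0b",
                          "198.51.100.10", "192.0.2.5", 40000, 80)
    print(parse_frame(web))
    print(bridge_decision(web, "em0"))   # HTTP from side A: handed to the proxy
    print(bridge_decision(web, "em1"))   # same frame arriving from side B: bridged
```

The verdict for the ARP frame shows the other half of Ian's point: a non-IP frame offers only its MAC fields, so a rule that needs an address or port can never match it, and a layer-2 ruleset has to say explicitly what happens to such frames.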