From owner-freebsd-net Mon Feb 5 11:37:24 2001
Delivered-To: freebsd-net@freebsd.org
Received: from wyattearp.stanford.edu (wyattearp.Stanford.EDU [171.64.180.171]) by hub.freebsd.org (Postfix) with ESMTP id 6B38F37B491; Mon, 5 Feb 2001 11:37:02 -0800 (PST)
Received: (from richw@localhost) by wyattearp.stanford.edu (8.9.3/8.9.3) id LAA50425; Mon, 5 Feb 2001 11:36:59 -0800 (PST) (envelope-from richw)
Date: Mon, 5 Feb 2001 11:36:59 -0800 (PST)
From: Rich Wales
X-Sender: richw@wyattearp.stanford.edu
To: Julian Elischer
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: netgraph router? (was Re: BRIDGE breaks ARP?)
In-Reply-To: <3A7EE540.AA3A1AF0@elischer.org>
Message-ID: <20010205191633.48479.richw@wyattearp.stanford.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Julian Elischer wrote:

> some people run a bridge between two ethernet segments,
> but give them different IP netranges, . . .

I suppose I could do this, provided I could specify a more-or-less arbitrary range or set of IP addresses for each segment. I can't do conventional IP subnetting (one subnet for each segment), because this approach takes up too many addresses for overhead (two addresses for the bridge, plus wasted addresses with "all zeroes" and "all ones" in the low-order host bits, and my DSL service only gives me five IP addresses to play with as it is).

> so how does bridging help?

By allowing my desktop machine to use a publicly accessible Internet address, even though there is a firewall between it and the outside. My current bridge setup, in conjunction with IPFIREWALL, already does =almost= everything I need. The biggest problem I'm having right now is with ARP replies from (=not= through) the bridge box itself -- and I assume that will eventually get fixed, and I can work around that bug with an "arp -s" command until it is fixed.

I'd also prefer being able to filter (and, potentially, block) ARP packets going through the bridge, but that feature isn't crucial for me, and I can live without it if necessary.

> In fact, it is possible you could run both the 10.x.x.x. net
> and the 'real' net on the same interface/cable and use the
> firewall to NAT them as well . . . .

As long as I don't have to depend on NAT for access to my desktop. As I explained earlier, I need to access some services from my desktop (Kerberos-based authentication and encryption stuff) that demand a straight end-to-end connection (no NAT, web proxies, etc.).

Getting back to my original question, though, I need some help understanding how I can =filter= IP packets going through a "netgraph" bridge -- that is, allow or block packets or streams based on things like the source and destination IP addresses, TCP/UDP port numbers, etc. -- the kind of thing which IPFIREWALL and IPFILTER can do, and which I (possibly mis?)understood that NETGRAPH cannot currently do. I thought you were saying that there was in fact a way to do this sort of filtering on a netgraph bridge. If not, then the netgraph facility won't help me any.

Sorry if I misunderstood your earlier message, or if you misunderstood my requirements.

Rich Wales
richw@webcom.com
http://www.webcom.com/richw/
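As an added illustration, not from this thread and not FreeBSD's bridge, ipfw or netgraph code: a constructed Python model of the per-frame decision the post asks a bridge firewall to make, matching on Ethernet type (so ARP can be passed or blocked), source/destination IP and TCP/UDP ports, with ipfw-style first-match rules and a default deny. The desktop address 192.0.2.10 and the Kerberos port 88 are assumed sample values.

```python
"""Toy bridge-level packet filter: constructed frames, first-match rules."""
import ipaddress
import struct

ETH_IP, ETH_ARP = 0x0800, 0x0806
TCP, UDP = 6, 17

def parse_frame(frame: bytes) -> dict:
    """Extract the fields a bridge firewall matches on (IPv4 only;
    honours the IHL field but does no further option parsing)."""
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != ETH_IP or len(frame) < 34:
        return info                      # ARP or other non-IP: type only
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info["proto"] = ip[9]
    info["src"] = ipaddress.ip_address(ip[12:16])
    info["dst"] = ipaddress.ip_address(ip[16:20])
    if info["proto"] in (TCP, UDP) and len(ip) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info

def build_frame(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed IPv4 frame: zero MACs, zero checksum, ports only of L4."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return (b"\x00" * 12 + struct.pack("!H", ETH_IP) + ip_hdr
            + struct.pack("!HH", sport, dport) + b"\x00" * 4)

def make_policy(desktop: str, allow_arp: bool = True):
    """Ordered (action, predicate) rules for one publicly addressed desktop
    behind the bridge: its own traffic out, Kerberos (port 88) replies in,
    ARP passed or blocked as configured, everything else denied."""
    host = ipaddress.ip_address(desktop)
    return [
        ("allow" if allow_arp else "deny", lambda f: f["ethertype"] == ETH_ARP),
        ("allow", lambda f: f.get("src") == host),
        ("allow", lambda f: f.get("dst") == host and f.get("sport") == 88),
        ("deny", lambda f: True),
    ]

def decide(policy, frame: bytes) -> str:
    """First matching rule wins; unmatched frames are denied."""
    fields = parse_frame(frame)
    for action, match in policy:
        if match(fields):
            return action
    return "deny"
```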