From owner-freebsd-net@FreeBSD.ORG Mon Sep 22 17:26:43 2008
From: Julian Elischer
To: Pawel Jakub Dawidek
Cc: Max Laier, Roman Kurakin, freebsd-net@freebsd.org
Date: Mon, 22 Sep 2008 10:26:34 -0700
Subject: Re: Firewall redirect doesn't work any more...
Message-ID: <48D7D54A.1020709@elischer.org>
In-Reply-To: <20080922142452.GC6797@garage.freebsd.pl>
References: <20080919075633.GA4333@garage.freebsd.pl> <20080919121602.GC4333@garage.freebsd.pl> <200809191538.02698.max@love2party.net> <20080922102209.GB2468@garage.freebsd.pl> <48D79E1C.3060003@inse.ru> <20080922134830.GA6797@garage.freebsd.pl> <48D7A797.6070009@inse.ru> <20080922142452.GC6797@garage.freebsd.pl>
List-Id: Networking and TCP/IP with FreeBSD

Pawel Jakub Dawidek wrote:
>> And what about ipfw variant?
>
> For the first (bridge) case ipfw didn't work at all. No packets were
> redirected. I haven't tried for the gateway case, because pf works
> there.

ipfw forwarding is disabled for bridge and L2 cases. (I think the man page says so.)

At Ironport we added some small patches to allow this to occur. It is relatively simple (less than 10 lines).

When ipfw returns to the bridge a packet that has been marked as 'redirected', you accept it into the IP stack as if it were addressed to the local machine. You then make sure that in L3 ipfw processing you hit the same fwd rule, and this time it is sent to the right place.

It does require that ipfw see the packet twice, but it works.

A further hack would be to add code in the IP stack so that a packet tagged as redirected from the bridge would skip ipfw in the IP stack and go direct to the redirection (but that may open security issues).
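The two-pass layout Julian describes, written out as the sysctl and ipfw(8) rule set an operator would load, as an added example that is not part of the original message and not Ironport's or FreeBSD's own code. It assumes a hypothetical setup: a bridge host whose transparent HTTP proxy listens on 127.0.0.1:3128, and a kernel built with ipfw forwarding support in which an ipfw fwd match on the bridge hands the frame to the IP stack (the patch Julian describes; stock ipfw of that era does not do this for bridged frames). Run without arguments it only prints what it would configure; `apply` runs the sysctl and ipfw commands.

```sh
#!/bin/sh
# Added example, not from the original message. Assumed names: a transparent
# proxy on the bridge host at 127.0.0.1:3128 (override with PROXY_ADDR and
# PROXY_PORT) and a kernel patched so that a bridge-side ipfw fwd match hands
# the frame to the IP stack as if it were addressed locally.

PROXY_ADDR=${PROXY_ADDR:-127.0.0.1}
PROXY_PORT=${PROXY_PORT:-3128}

# Layer-2 pass: net.link.bridge.ipfw=1 makes if_bridge(4) run bridged frames
# through ipfw. The layer-3 pass needs no extra knob: a packet handed to the
# IP stack goes through ipfw again in ip_input, which is where the same fwd
# rule matches a second time and actually delivers it to the proxy.
redirect_sysctls() {
    printf '%s\n' net.link.bridge.ipfw=1
}

# The fwd rule is written so that it matches on both passes ("in" holds for
# the bridged frame and for the packet re-entering via the IP stack). Any
# rule meant to be enforced at L3 belongs in this same list; the shortcut
# Julian mentions (tagged packets skipping L3 ipfw) is what would bypass it.
redirect_rules() {
    cat <<EOF
add 1000 fwd ${PROXY_ADDR},${PROXY_PORT} tcp from any to any 80 in
add 1100 allow ip from any to any
EOF
}

# Load the configuration on a FreeBSD host (requires root, ipfw and sysctl).
apply_redirect() {
    redirect_sysctls | while IFS= read -r kv; do
        sysctl "$kv"
    done
    ipfw -q flush
    redirect_rules | while IFS= read -r rule; do
        # Word splitting of $rule into ipfw's arguments is intended here.
        ipfw -q $rule
    done
}

case "${1:-}" in
    apply)
        apply_redirect
        ;;
    *)
        printf '# sysctls\n'
        redirect_sysctls
        printf '# ipfw rules\n'
        redirect_rules
        ;;
esac
```

The single rule number matters: it is the same rule that fires on the bridge pass (where it only marks the packet and diverts it into the IP stack) and on the IP-stack pass (where the fwd takes effect), which is the "ipfw sees the packet twice" property Julian relies on.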