Date:      Mon, 21 Dec 2015 22:40:26 +0800
From:      Julian Elischer <julian@freebsd.org>
To:        bycn82 <bycn82@gmail.com>
Cc:        Ganbold Tsagaankhuu <ganbold@gmail.com>, "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Re: layer2 ipfw fwd
Message-ID:  <56780F5A.5060209@freebsd.org>
In-Reply-To: <CAC+JH2xXVpnDfa5KUQGZ39uoqSiS5oB72ak6bAeaPqXgyCmd3Q@mail.gmail.com>
References:  <CAGtf9xOzJ+cL-W=HP5cd2nyabY=03AgTyFLvDuQWN-xB6KqjCg@mail.gmail.com> <567795F1.5080605@freebsd.org> <CAC+JH2xXVpnDfa5KUQGZ39uoqSiS5oB72ak6bAeaPqXgyCmd3Q@mail.gmail.com>

On 21/12/2015 5:47 PM, bycn82 wrote:
> Why fwd based on MAC?   Can you share more info on your requirement?

You still decide to FWD based on IP address, but you do it while the 
packet is still in the layer 2 bridge.

Let me give you a concrete example.

If I have a bridge between two networks, it is a transparent bridge; 
in other words, nothing sees the bridge.
However, using layer 2 IPFW, I can block packets from side A from 
getting to side B.
In addition, I can redirect (using ipfw fwd and this patch) packets 
that are coming in from side A to port 80 on side B to a local proxy 
or HTTP filter.
Everything else just flows back and forth across the bridge.
Using IP spoofing/forwarding, the proxy filter will create a socket 
that pretends to be the side B destination and respond directly, even 
though it doesn't have that address. It may in turn open a socket to 
the original destination and forward the request, or maybe it won't, 
depending on policy.
But nothing else is aware of its existence. It is as though a segment 
of cable started filtering web content.

This is EXACTLY what the Cisco/IronPort web filter appliance does...


>
>
> On Monday, 21 December 2015, Julian Elischer <julian@freebsd.org 
> <mailto:julian@freebsd.org>> wrote:
>
>     On 21/12/2015 10:20 AM, Ganbold Tsagaankhuu wrote:
>
>         Hi,
>
>         Does ipfw support layer2 fwd to support transparent proxying
>         on bridge?
>
>         Does similar change like
>         https://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>         ever get committed?
>
>     I don't believe this was applied.
>     I did similar when I worked for IronPort/Cisco.
>     But it's a trade-off between bloat and usefulness.
>
>
>         thanks a lot,
>
>         Ganbold
>         _______________________________________________
>         freebsd-ipfw@freebsd.org mailing list
>         https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>         To unsubscribe, send any mail to
>         "freebsd-ipfw-unsubscribe@freebsd.org"
>
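The bridge-plus-proxy setup Julian describes, as an added example that is not code from the thread or from the uncommitted patch: an ipfw ruleset that blocks one service from side A to side B and sends side A's HTTP to a local proxy, plus a check that the fwd rule sits before the catch-all allow. The interface name em0, the networks 192.0.2.0/24 and 198.51.100.0/24, port 23 as the blocked service and the proxy address 127.0.0.1,3128 are constructed; honouring fwd on layer-2 (bridged) packets needs the patch the thread says was never committed.

```shell
#!/bin/sh
# Added example, not from the thread or the patch. Assumes bridge0 joins em0
# (side A) and em1 (side B), side A is 192.0.2.0/24, side B is 198.51.100.0/24,
# a proxy listens on 127.0.0.1:3128, and ipfw honours "fwd" on layer-2 packets.
SIDE_A_IF="${SIDE_A_IF:-em0}"
SIDE_A_NET="${SIDE_A_NET:-192.0.2.0/24}"
SIDE_B_NET="${SIDE_B_NET:-198.51.100.0/24}"
PROXY="${PROXY:-127.0.0.1,3128}"

# Print the commands instead of running them, so the ruleset can be reviewed.
bridge_proxy_ruleset() {
    # Bridged frames only pass through ipfw when this sysctl is set; they
    # then match rules carrying the "layer2" keyword.
    echo "sysctl net.link.bridge.ipfw=1"
    # "Block packets from side A from getting to side B": one service here.
    echo "ipfw add 100 deny tcp from $SIDE_A_NET to $SIDE_B_NET 23 in via $SIDE_A_IF layer2"
    # The redirect: HTTP entering from side A goes to the local proxy, which
    # answers as if it were the side B destination.
    echo "ipfw add 200 fwd $PROXY tcp from $SIDE_A_NET to any 80 in via $SIDE_A_IF layer2"
    # Everything else crosses the bridge untouched.
    echo "ipfw add 65000 allow ip from any to any"
}

# Check: the fwd rule number must be lower than the catch-all allow, or the
# allow matches first and the proxy never sees the traffic.
fwd_precedes_allow() {
    fwd_no=$(printf '%s\n' "$1" | awk '/ fwd / {print $3; exit}')
    allow_no=$(printf '%s\n' "$1" | awk '/ allow ip from any to any/ {print $3; exit}')
    [ -n "$fwd_no" ] && [ -n "$allow_no" ] && [ "$fwd_no" -lt "$allow_no" ]
}

ruleset=$(bridge_proxy_ruleset)
if fwd_precedes_allow "$ruleset"; then
    # APPLY=1 (as root) loads the rules; the default only prints them.
    if [ "${APPLY:-0}" = "1" ]; then printf '%s\n' "$ruleset" | sh; else printf '%s\n' "$ruleset"; fi
else
    echo "ruleset error: fwd rule must precede the catch-all allow" >&2
    exit 1
fi
```

The proxy itself must be able to accept connections addressed to the side B host it impersonates; that part is outside the ruleset.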