From: Thomas Gielfeldt
Subject: Re:[2] Connecting two LANs via VPN and Filtering
To: freebsd-net@freebsd.org
Date: Fri, 1 Nov 2002 13:21:48 +0100

Archie Cobbs wrote on 01-11-02 00:14:06:
>
> Thomas Gielfeldt writes:
>> So you probably have to filter via netgraph?
>
> This can be done with ng_bpf(4).
>
> -Archie
>
> __________________________________________________________________________
> Archie Cobbs * Packet Design * http://www.packetdesign.com

Okay. I've tried to get an example (from ng_bpf man) up and running but it
doesn't seem to work.

I could extract that the ether.bridge script I use does the following:

  ngctl kill bnet0: >/dev/null 2>&1
  ngctl kill tap0: >/dev/null 2>&1
  ngctl kill rl1: >/dev/null 2>&1
  ngctl kill rl1: >/dev/null 2>&1
  ifconfig tap0 up || exit 1
  ifconfig rl1 up || exit 1
  ifconfig rl1 up || exit 1
  ngctl mkpeer tap0: bridge lower link0 || exit 1
  ngctl name tap0:lower bnet0 || exit 1
  ngctl connect rl1: bnet0: lower link1 || exit 1
  ngctl connect rl1: bnet0: upper link2 || exit 1
  ngctl msg tap0: setpromisc 1 || exit 1
  ngctl msg tap0: setautosrc 0 || exit 1
  ngctl msg rl1: setpromisc 1 || exit 1
  ngctl msg rl1: setautosrc 0 || exit 1

I'm not actually sure what this does, but the bridge works. (I'm not an
expert on this so please bear with me.)

The input from the tap0 should be filtered in a way so that dhcp-requests
are dropped. As I could understand, a bpf program takes a node, and creates
two more nodes where the packets are sent to depending on whether they match
the criteria or not. So what I probably want to do is to make such a bpf
program and link the node where the dhcp-packets are NOT sent to the bridge
instead of linking the tap0 directly. (Please correct me if I'm wrong.)

This would probably mean that these four lines should be changed and the
bpf-node inserted somewhere.

  * ngctl mkpeer tap0: bridge lower link0 || exit 1
  * ngctl name tap0:lower bnet0 || exit 1
  * ngctl connect rl1: bnet0: lower link1 || exit 1
  * ngctl connect rl1: bnet0: upper link2 || exit 1

I've tried to read the ng_bpf man but it didn't help that much. Well ...
maybe I'm just stupid and need to have it drawn in crayons.... so .... do
you have any crayons? ;-)

Thanks.

/Thomas
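One way to put the ng_bpf(4) node between tap0 and the bridge, as an added example that is not part of this thread: the bpf node is hung off tap0's lower hook, the bridge is hung off the bpf node's other hook, and each bpf hook gets its own program (the DHCP-dropping one is generated from a tcpdump filter, the way the ng_bpf man page suggests). The node name bpf0, the hook names tap and bridge, the tcpdump flags, the "udp and src port 68 and dst port 67" pattern, and the ddd_to_ngctl/pass_all_prog/apply_filter helper names are assumptions, not anything from the posted script.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes netgraph on FreeBSD, the
# interfaces tap0 and rl1 from the posted script, and tcpdump(1) in PATH.

# DHCP client->server traffic (BOOTP client port 68 to server port 67).
DHCP_PATTERN="udp and src port 68 and dst port 67"

# Turn "tcpdump -ddd" output (count, then "code jt jf k" per line) into
# the bpf_prog_len/bpf_prog fields of an ng_bpf setprogram message.
ddd_to_ngctl() {
    awk 'NR == 1 { printf "bpf_prog_len=%s bpf_prog=[", $1; next }
         { printf " { code=%s jt=%s jf=%s k=%s }", $1, $2, $3, $4 }
         END { printf " ]\n" }'
}

# One-instruction program "ret #8192" (constructed): accept every frame.
pass_all_prog() {
    printf '1\n6 0 0 8192\n' | ddd_to_ngctl
}

apply_filter() {
    ngctl kill bnet0: >/dev/null 2>&1
    ngctl kill tap0: >/dev/null 2>&1
    ngctl kill rl1: >/dev/null 2>&1
    ifconfig tap0 up || exit 1
    ifconfig rl1 up || exit 1
    # tap0:lower <-> bpf0 hook "tap"; bpf0 hook "bridge" <-> bnet0 link0.
    ngctl mkpeer tap0: bpf lower tap || exit 1
    ngctl name tap0:lower bpf0 || exit 1
    ngctl mkpeer bpf0: bridge bridge link0 || exit 1
    ngctl name bpf0:bridge bnet0 || exit 1
    ngctl connect rl1: bnet0: lower link1 || exit 1
    ngctl connect rl1: bnet0: upper link2 || exit 1
    ngctl msg tap0: setpromisc 1 || exit 1
    ngctl msg tap0: setautosrc 0 || exit 1
    ngctl msg rl1: setpromisc 1 || exit 1
    ngctl msg rl1: setautosrc 0 || exit 1
    # Frames arriving from tap0: DHCP requests match and are dropped
    # (empty ifMatch); everything else is forwarded to the bridge.
    drop=$(tcpdump -i rl1 -s 8192 -ddd "$DHCP_PATTERN" | ddd_to_ngctl)
    ngctl msg bpf0: setprogram \
        "{ thisHook=\"tap\" ifMatch=\"\" ifNotMatch=\"bridge\" $drop }" || exit 1
    # Frames coming back from the bridge: pass everything on to tap0.
    ngctl msg bpf0: setprogram \
        "{ thisHook=\"bridge\" ifMatch=\"tap\" ifNotMatch=\"tap\" $(pass_all_prog) }" || exit 1
}

# Only touch the kernel when explicitly asked: sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then apply_filter; fi
```

Because ng_bpf works per hook, the return direction needs its own program too; without the pass-all program on the "bridge" hook nothing would flow back toward tap0.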