From owner-freebsd-ipfw@freebsd.org Tue Dec 22 14:57:55 2015
Date: Tue, 22 Dec 2015 22:57:53 +0800
Subject: Re: layer2 ipfw fwd
From: bycn82
To: Julian Elischer
Cc: Ganbold Tsagaankhuu, freebsd-ipfw@freebsd.org
In-Reply-To: <56780F5A.5060209@freebsd.org>
References: <567795F1.5080605@freebsd.org> <56780F5A.5060209@freebsd.org>
List-Id: IPFW Technical Discussions
Hi Julian,

Thanks for the explanation. Since it is on layer 2, that means we can differentiate traffic by MAC or other layer-2 filters only, e.g., forward the traffic when the type is 0x800 and the destination MAC is xx:yy:zz.... I meant the accuracy is a big concern.

Regards,
Bill Yuan

On 21 December 2015 at 22:40, Julian Elischer wrote:

> On 21/12/2015 5:47 PM, bycn82 wrote:
>
> why fwd based on MAC? Can you share more info on your requirement?
>
>
> You still decide to FWD based on IP address, but you do it while the
> packet is still in the layer 2 bridge.
>
> Let me give you a concrete example.
>
> If I have a bridge between two networks, it is a transparent bridge; in
> other words nothing sees the bridge.
> However, using layer 2 IPFW, I can block packets from side A from getting
> to side B.
> In addition I can redirect (using ipfw fwd and this patch) packets that
> are coming in from side A to port 80 on side B, to a local proxy or http
> filter.
> Everything else just flows back and forth across the bridge.
> Using IP spoofing/forwarding, the proxy filter will create a socket that
> pretends to be the side B destination and respond directly, even though it
> doesn't have that address. It may in turn open a socket to the original
> destination and forward the request, or maybe it won't, depending on
> policy.
> But nothing else is aware of its existence. It is as though a segment of
> cable started filtering web content.
>
> This is EXACTLY what the cisco/ironport web filter appliance does...
>
>
> On Monday, 21 December 2015, Julian Elischer <julian@freebsd.org> wrote:
>
>> On 21/12/2015 10:20 AM, Ganbold Tsagaankhuu wrote:
>>
>>> Hi,
>>>
>>> Does ipfw support layer2 fwd to support transparent proxying on bridge?
>>>
>>> Did a change similar to
>>>
>>> https://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>> ever get committed?
>>>
>> I don't believe this was applied..
>> I did similar when I worked for Ironport/Cisco.
>> But it's a trade-off between bloat and usefulness.
>>
>>
>>> thanks a lot,
>>>
>>> Ganbold
>>> _______________________________________________
>>> freebsd-ipfw@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
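The transparent-bridge scenario Julian describes, and Bill's point that a layer-2 rule can only key on fields such as ethertype and destination MAC while the fwd decision itself still needs the IP and TCP fields, modelled as a small frame classifier. This is an added example, not code from this thread or from FreeBSD's ipfw: it mimics ipfw's first-match rule evaluation over raw Ethernet frames arriving on the two bridge members (called "A" and "B" here), parses Ethernet II, IPv4 (including options) and TCP, and applies the policy from Julian's message: side A to side B traffic for TCP/80 goes to a local proxy, other side A to side B frames are blocked, everything else is bridged. The MAC and IP addresses, the proxy at 127.0.0.1:3128 and the "fwd 127.0.0.1,3128" action string are all constructed for the example; the action string stands for what a layer-2 fwd would do, not for how the kernel implements it.

```python
"""Layer-2 bridge filtering decision, modelled in Python (added example;
not code from the thread or from FreeBSD). All addresses are constructed."""
import struct
from dataclasses import dataclass
from typing import Callable, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP = 6


@dataclass
class Frame:
    ingress: str                    # bridge member the frame arrived on: "A" or "B"
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None    # IPv4/TCP fields stay None for non-IP frames
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    dst_port: Optional[int] = None


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_frame(raw: bytes, ingress: str) -> Frame:
    """Decode Ethernet II and, when present, the IPv4 and TCP headers."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    fr = Frame(ingress, _mac_str(raw[0:6]), _mac_str(raw[6:12]), ethertype)
    if ethertype != ETHERTYPE_IPV4 or len(raw) < 34:
        return fr                               # ARP etc.: layer-2 fields only
    ihl = (raw[14] & 0x0F) * 4                  # IP header length, options included
    fr.proto = raw[23]
    fr.src_ip = ".".join(str(b) for b in raw[26:30])
    fr.dst_ip = ".".join(str(b) for b in raw[30:34])
    l4 = 14 + ihl
    if fr.proto == PROTO_TCP and len(raw) >= l4 + 4:
        fr.dst_port = struct.unpack("!H", raw[l4 + 2:l4 + 4])[0]
    return fr


# Constructed addresses (IANA documentation ranges) and a hypothetical proxy.
SIDE_B_MACS = {"00:00:5e:00:53:b1", "00:00:5e:00:53:b2"}
PROXY_ACTION = "fwd 127.0.0.1,3128"   # stands for: hand the frame to a local socket

# Policy from Julian's example, in ipfw order (first match wins):
# 1. side A -> side B web traffic goes to the local proxy,
# 2. any other side A -> side B frame is blocked,
# 3. everything else is bridged untouched.
RULES: list[tuple[Callable[[Frame], bool], str]] = [
    (lambda f: f.ingress == "A" and f.dst_mac in SIDE_B_MACS
               and f.ethertype == ETHERTYPE_IPV4
               and f.proto == PROTO_TCP and f.dst_port == 80, PROXY_ACTION),
    (lambda f: f.ingress == "A" and f.dst_mac in SIDE_B_MACS, "deny"),
    (lambda f: True, "allow"),
]


def decide(raw: bytes, ingress: str) -> str:
    """Return the action for a frame, ipfw-style: first matching rule wins."""
    fr = parse_frame(raw, ingress)
    for match, action in RULES:
        if match(fr):
            return action
    return "deny"   # ipfw's implicit default when no rule matches


def build_tcp_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
                    dst_port: int, ip_options: bytes = b"") -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP SYN frame (checksums left zero)."""
    if len(ip_options) % 4:
        raise ValueError("IP options must pad to a 32-bit boundary")
    ihl = 5 + len(ip_options) // 4
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0, 64,
                     PROTO_TCP, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip)) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def build_arp_frame(dst_mac: str, src_mac: str) -> bytes:
    """Construct an Ethernet frame carrying a (zeroed) ARP payload."""
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)


if __name__ == "__main__":
    a_host, b_host = "00:00:5e:00:53:a1", "00:00:5e:00:53:b1"
    web = build_tcp_frame(b_host, a_host, "192.0.2.10", "198.51.100.20", 80)
    ssh = build_tcp_frame(b_host, a_host, "192.0.2.10", "198.51.100.20", 22)
    reply = build_tcp_frame(a_host, b_host, "198.51.100.20", "192.0.2.10", 80)
    print(decide(web, "A"), decide(ssh, "A"), decide(reply, "B"),
          decide(build_arp_frame(b_host, a_host), "A"))
```

The classifier only shows the decision, not the kernel plumbing: on a real FreeBSD bridge, layer-2 rule evaluation is switched on with the net.link.ether.ipfw and net.link.bridge.ipfw sysctls, and the missing piece this thread is about is a fwd action that can be applied at that layer. Note also that rule 2 blocks ARP from side A to side B as well, which is the literal reading of "block packets from side A from getting to side B"; a deployable policy would carve out ARP first.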