From owner-freebsd-net@FreeBSD.ORG Thu May 22 17:19:50 2008
From: Julian Elischer
Date: Thu, 22 May 2008 10:19:52 -0700
To: Ganbold
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw fwd layer2/ftp proxy
Message-ID: <4835AB38.40100@elischer.org>
In-Reply-To: <483522F3.4090200@micom.mng.net>
References: <483522F3.4090200@micom.mng.net>
List-Id: Networking and TCP/IP with FreeBSD

Ganbold wrote:
> Hi there,
>
> I'm having trouble allowing ftp connections through an ipfw (default deny)
> enabled bridge firewall.
> I'm wondering whether it is possible to have some kind of transparent
> ftp proxy in such a case.
>
> Is there any way I can allow ftp proxying without layer2 forwarding on
> an ipfw bridge?
>
> I thought of forwarding packets in layer2, however it seems like ipfw
> still doesn't support that.
> I saw old patches of luigi@ and if somebody has already adapted that
> patch for RELENG_6/7 please let me know.

I have such patches for the old 'bridge' code that allow bridges to
intercept IP sessions, but not for the new 'if_bridge' code.

The trick is to make a 'fwd localhost' on the layer 2 ipfw pass result in
the packet being passed to the IP stack regardless of where the header says
it should go. In the IP stack a similar 'fwd localhost' rule (maybe the
same one) will also trigger on the layer 3 pass, and actually cause the
session to connect.

For full transparency (in both directions) you need to alter the IP code
to allow you to bind the outgoing socket to a non-local address, and to
capture the return packets you need the L2 firewall pass to do a test for
'uid', which has the side effect of noticing whether or not there is a
local socket that matches a packet, even if it has a non-local address on
it.

> I know my last try is to deny everything I don't want and then allow the
> rest. However I would
> like to make it work in the current configuration.
> Please let me know your ideas.
>
> thanks in advance,
>
> Ganbold
>
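The rule set below is an added example, written for this page; it is not code from Julian's message, from his patches, or from FreeBSD's rc.firewall. It spells out the two-pass "fwd localhost" arrangement the reply describes, on an if_bridge(4) with two members. The interface names (em0/em1), the proxy port (8021), the proxy's uid (ftpproxy) and the rule numbers are all assumptions. Two caveats a practitioner should check before trying it: fwd needs a kernel built with options IPFIREWALL_FORWARD on the RELENG_6/7 kernels being discussed, and stock ipfw(8) documents that fwd has no effect on layer-2 (bridged) packets, so rule 200's layer-2 behaviour and rule 300's uid-triggered socket lookup are exactly the patched-kernel behaviour the message describes, restated in the comments, and not what an unpatched kernel does.

```shell
#!/bin/sh
# Added example, not code from the original message or from FreeBSD.
# Emits (and optionally loads) an ipfw rule set for the two-pass
# "fwd localhost" trick. Interface names, proxy port, proxy uid and rule
# numbers are assumed. On a stock kernel ipfw(8) states that 'fwd' has no
# effect on layer-2 packets; rules 200 and 300 behave as commented only on
# a kernel patched as the message describes.

BR_IN="${BR_IN:-em0}"              # bridge member facing the FTP clients (assumed)
BR_OUT="${BR_OUT:-em1}"            # bridge member facing the FTP servers (assumed)
PROXY_PORT="${PROXY_PORT:-8021}"   # local transparent FTP proxy listens here (assumed)
PROXY_UID="${PROXY_UID:-ftpproxy}" # uid the proxy process runs as (assumed)
IPFW="${IPFW:-/sbin/ipfw -q -f}"   # set IPFW=echo to preview instead of loading

# sysctls that make ipfw see layer-2 frames, including those crossing if_bridge(4)
bridge_sysctls() {
    printf '%s\n' 'net.link.ether.ipfw=1' 'net.link.bridge.ipfw=1'
}

# The rule set. Rule 200 carries no 'layer2' keyword, so the same rule
# fires on the layer-2 pass (patched kernel: the frame is handed to the IP
# stack regardless of its destination MAC/IP) and again on the layer-3 pass
# (stock behaviour: the packet is delivered to the proxy on 127.0.0.1:PROXY_PORT).
ruleset() {
    cat <<EOF
# loopback, so the forwarded packets can reach the proxy socket
add 100 allow ip from any to any via lo0
# client -> server control channel: hand to the local proxy on both passes
add 200 fwd 127.0.0.1,${PROXY_PORT} tcp from any to any 21 in via ${BR_IN}
# server -> client replies for sessions the proxy opened with the client's
# (non-local) source address: per the message, the uid test makes the
# layer-2 pass look the socket up, and a match means the packet is ours
add 300 fwd 127.0.0.1 tcp from any 21 to any in via ${BR_OUT} uid ${PROXY_UID}
# the proxy's own packets toward the servers
add 400 allow tcp from any to any 21 out via ${BR_OUT} uid ${PROXY_UID}
# default deny, as on the bridge firewall being asked about
add 65000 deny ip from any to any
EOF
}

# Apply the sysctls, flush, then feed the rules (comment lines stripped) to ipfw.
load_rules() {
    for s in $(bridge_sysctls); do sysctl "$s"; done
    $IPFW flush
    ruleset | grep -v '^#' | $IPFW /dev/stdin
}

# Number of rules the set would install; a cheap sanity check before loading.
rule_count() {
    ruleset | grep -c '^add '
}

case "${1:-}" in
    load) load_rules ;;
    show) ruleset ;;
esac
```

Run it as `sh ftpbridge.sh show` to print the rules or `IPFW=echo sh ftpbridge.sh load` to preview the exact ipfw invocations before touching a live bridge. The set covers only the FTP control channel; the data connections (port 20 in active mode, or the server-chosen passive port) would need rules derived from what the proxy negotiates, which the message does not describe and the example therefore leaves out.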