From: Ganbold <ganbold@micom.mng.net>
Date: Fri, 23 May 2008 11:05:31 +0800
To: Julian Elischer
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw fwd layer2/ftp proxy
Message-ID: <4836347B.9050808@micom.mng.net>
In-Reply-To: <4835AB38.40100@elischer.org>
References: <483522F3.4090200@micom.mng.net> <4835AB38.40100@elischer.org>
List-Id: Networking and TCP/IP with FreeBSD

Julian Elischer wrote:
> Ganbold wrote:
>> Hi there,
>>
>> I'm having trouble allowing ftp connections through ipfw (default
>> deny) enabled bridge firewall.
>> I'm wondering whether it is possible to have some kind of transparent
>> ftp proxy in such case.
>>
>> Is there any way I can allow ftp proxying without layer2 forwarding on
>> ipfw bridge?
>>
>> I thought of forwarding packets in layer2, however it seems like ipfw
>> still doesn't support that.
>> I saw old patches of luigi@ and if somebody already has adapted that
>> patch for RELENG_6/7 please let me know.
>
> I have such patches for the old 'bridge' code that allow bridges to
> intercept IP sessions but not for the new 'if_bridge' code.
> The trick is to make a 'fwd localhost' on the Layer2 ipfw pass
> to result in the packet being passed to the IP stack regardless
> of where the header says it should go.
>
> In the IP stack a similar 'fwd localhost' rule (maybe the same one)
> will also trigger on the Layer 3 pass, and actually cause the session
> to connect.
>
> For fully transparent (in both directions) you need to alter the IP
> code to allow you to bind the outgoing socket to a non-local address,
> and to capture the return packets you need the L2 firewall pass to
> do a test for 'uid' which has the side effect of noticing whether or
> not there is a local socket that matches a packet, even if it has
> a non local address on it.

Can you share your patch for old bridge code? Yesterday I tried to look
at ip_fw2.c and ip_input.c codes, but it is still new to me.

thanks,

Ganbold

>> I know my last try is to deny everything I don't want and then allow
>> the rest. However I would
>> like to make it work in current configuration.
>> Please let me know your ideas.
>>
>> thanks in advance,
>>
>> Ganbold
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
Your fault - core dumped
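The mechanism Julian sketches above (a 'uid'-style socket lookup on the Layer 2 pass that notices a local socket even when the packet's address is not one of the host's own, so that return traffic for a transparently bound proxy socket is handed to the IP stack instead of being bridged) can be modelled in a few lines. The following is an added illustration written for this page, not ipfw or FreeBSD kernel code and not a patch from either poster; the socket table, addresses, ports and the proxy uid are constructed, and the three-way decision (`to_ip_stack`, `fwd_localhost`, `bridge`) is a simplification of what the real L2 and L3 ipfw passes do.

```python
"""Toy model of a bridge-side (L2) firewall pass that uses a socket lookup
to steer packets.  Constructed example; not ipfw or kernel code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Socket:
    """One entry of a simplified PCB table: local/foreign address pairs
    plus the owning uid (what an ipfw 'uid' rule option is tested against)."""
    laddr: str
    lport: int
    faddr: str      # "*" for an unconnected listener
    fport: int      # 0 for an unconnected listener
    uid: int


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def lookup_socket(table: List[Socket], pkt: Packet) -> Optional[Socket]:
    """Return the socket a packet belongs to, or None.

    The lookup deliberately does NOT require pkt.dst to be one of the host's
    own addresses: a proxy socket bound to the client's (non-local) address
    still matches, which is the side effect Julian relies on."""
    # A connected socket matches the full 4-tuple (swapped: our local side
    # is the packet's destination, our foreign side is its source).
    for s in table:
        if (s.laddr, s.lport, s.faddr, s.fport) == (pkt.dst, pkt.dport, pkt.src, pkt.sport):
            return s
    # Otherwise an unconnected listener on the destination address/port.
    for s in table:
        if s.faddr == "*" and (s.laddr, s.lport) == (pkt.dst, pkt.dport):
            return s
    return None


def matches_uid(table: List[Socket], pkt: Packet, uid: int) -> bool:
    """Model of a 'uid' test: true only if a matching socket exists and is owned by uid."""
    s = lookup_socket(table, pkt)
    return s is not None and s.uid == uid


def l2_decision(table: List[Socket], pkt: Packet, proxy_uid: int, ftp_port: int = 21) -> str:
    """What the L2 pass does with a frame crossing the bridge (simplified):
    - return traffic for one of the proxy's sockets goes to the local IP stack,
      even though its destination address is not local to the bridge host;
    - a new ftp control connection is steered to the local proxy ('fwd localhost');
    - anything else is bridged unchanged."""
    if matches_uid(table, pkt, proxy_uid):
        return "to_ip_stack"
    if pkt.dport == ftp_port:
        return "fwd_localhost"
    return "bridge"


# Constructed socket table: the proxy listens on localhost (the 'fwd' target)
# and has one outgoing leg to an ftp server, bound to the CLIENT's address
# 192.0.2.10 so the server sees a fully transparent connection.
PROXY_UID = 1001
SOCKETS = [
    Socket("127.0.0.1", 8021, "*", 0, PROXY_UID),
    Socket("192.0.2.10", 40000, "198.51.100.5", 21, PROXY_UID),
]

if __name__ == "__main__":
    server_reply = Packet("198.51.100.5", 21, "192.0.2.10", 40000)
    new_ftp = Packet("192.0.2.10", 50000, "198.51.100.5", 21)
    web = Packet("192.0.2.10", 50001, "198.51.100.5", 80)
    for p in (server_reply, new_ftp, web):
        print(p, "->", l2_decision(SOCKETS, p, PROXY_UID))
```

Without the socket lookup the server's reply addressed to 192.0.2.10 would simply be bridged through to the client, which has no connection with that server and would reset it; the lookup is what lets the proxy's non-locally bound socket claim the packet.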