Date: Thu, 13 Mar 2008 10:34:19 -0500
From: Ronald Roskens <ronr@econet.com>
To: snagit@cbpratt.prohosting.com
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW, DIVERT, and if_bridge
Message-ID: <1205422459.62776.43.camel@iresine.sl.econet.com>
In-Reply-To: <759F7CF5-D47A-4431-88FF-B40FFDE0E24C@hughes.net>
References: <759F7CF5-D47A-4431-88FF-B40FFDE0E24C@hughes.net>
On Thu, 2008-03-13 at 07:16 -0700, Chris wrote:
> Hello,
>
> I posted a similar message to Questions but received no
> answer so I'm reposting a paraphrase here to see if anyone
> knows.
>
> I built FreeBSD 7.0 with options DIVERT and if_bridge to
> see if I could make snort_inline work with the bridging
> firewall I'm building. I found that the divert would not
> direct packets to snort_inline which sounded a little like
> the experiences people had when they tried to do this
> with the pre-6.x bridge.
>
> Is it still not possible to use divert with if_bridge? Here
> is what I'm seeing in ipfw.
>
> 65000 48 7382 count ip from any to any
> 65001 0 0 divert 8300 ip from any to any
> 65010 48 7382 allow ip from any to any

Yes, it is possible to use divert with if_bridge and ipfw. It sounds like
you have not enabled packet filtering on the bridge. I use the following:

# /etc/sysctl.conf
net.link.ether.ipfw=1
net.link.bridge.ipfw=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=1

# ipfw.conf
10000 divert 8000 ip from any to any out via bridge0

>
> Thank you,
> Chris Pratt
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
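As an added illustration (not part of the thread), a small Python checker that parses the accounting output of `ipfw -a list` and flags the symptom Chris posted: a divert rule whose counters stay at zero while later rules keep matching the same traffic, which means the divert rule is not being applied to those packets. The second sample block is a constructed healthy ruleset for comparison.

```python
import re

# The three rule lines Chris posted: the divert rule saw nothing although the
# count and allow rules around it matched 48 packets each.
IPFW_OUTPUT_BROKEN = """\
65000 48 7382 count ip from any to any
65001 0 0 divert 8300 ip from any to any
65010 48 7382 allow ip from any to any
"""

# Constructed sample of a working setup: the divert rule's counters keep up
# with the rules that follow it.
IPFW_OUTPUT_OK = """\
10000 48 7382 divert 8000 ip from any to any out via bridge0
65000 48 7382 count ip from any to any
65010 48 7382 allow ip from any to any
"""

# <rule number> <packets> <bytes> <action> <rest of rule>
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


def parse_rules(text):
    """Parse `ipfw -a list` lines into dicts; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rules.append({
            "num": int(m.group(1)),
            "pkts": int(m.group(2)),
            "bytes": int(m.group(3)),
            "action": m.group(4),
            "body": m.group(5),
        })
    return rules


def silent_diverts(rules):
    """Return numbers of divert rules with zero hits even though a later rule
    in the list has matched packets, i.e. traffic passed the divert rule
    without being diverted."""
    flagged = []
    for i, rule in enumerate(rules):
        if rule["action"] != "divert" or rule["pkts"] != 0:
            continue
        if any(later["pkts"] > 0 for later in rules[i + 1:]):
            flagged.append(rule["num"])
    return flagged
```

Run it against the live output with `silent_diverts(parse_rules(subprocess.check_output(["ipfw", "-a", "list"], text=True)))` on the bridge host; an empty list means every divert rule is seeing traffic.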