From owner-freebsd-net@FreeBSD.ORG Thu Mar 13 15:52:18 2008
From: Ronald Roskens
To: snagit@cbpratt.prohosting.com
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW, DIVERT, and if_bridge
Date: Thu, 13 Mar 2008 10:34:19 -0500
Message-Id: <1205422459.62776.43.camel@iresine.sl.econet.com>
In-Reply-To: <759F7CF5-D47A-4431-88FF-B40FFDE0E24C@hughes.net>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, 2008-03-13 at 07:16 -0700, Chris wrote:
> Hello,
>
> I posted a similar message to Questions but received no
> answer so I'm reposting a paraphrase here to see if anyone
> knows.
>
> I built FreeBSD 7.0 with options DIVERT and if_bridge to
> see if I could make snort_inline work with the bridging
> firewall I'm building. I found that the divert would not
> direct packets to snort_inline, which sounded a little like
> the experiences people had when they tried to do this
> with the pre-6.x bridge.
>
> Is it still not possible to use divert with if_bridge? Here
> is what I'm seeing in ipfw.
>
> 65000 48 7382 count ip from any to any
> 65001 0 0 divert 8300 ip from any to any
> 65010 48 7382 allow ip from any to any

Yes, it is possible to use divert with if_bridge and ipfw. It sounds
like you have not enabled packet filtering on the bridge. I use the
following:

# /etc/sysctl.conf
net.link.ether.ipfw=1
net.link.bridge.ipfw=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=1

# ipfw.conf
10000 divert 8000 ip from any to any out via bridge0

>
> Thank you,
> Chris Pratt
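An added diagnostic script, not code from the thread: it checks a `sysctl -a` listing against the four settings in Ronald's reply and flags a divert rule whose counters stay at zero while neighbouring rules see packets, the symptom in Chris's ipfw listing. The sysctl sample is constructed; the ipfw sample is Chris's listing.

```sh
#!/bin/sh
# Added diagnostic (not code from the thread): compare running sysctl values
# with the four settings in Ronald's reply, and flag a divert rule whose
# counters stay at zero while neighbouring rules see packets (Chris's symptom).

# Settings from the reply, name=value.
REQUIRED='net.link.ether.ipfw=1 net.link.bridge.ipfw=0
net.link.bridge.pfil_bridge=0 net.link.bridge.pfil_member=1'

# Constructed `sysctl -a` sample: member-level filtering off, the state
# the reply says causes the problem.
SAMPLE_SYSCTL='net.link.ether.ipfw: 0
net.link.bridge.ipfw: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 0'

# Chris's `ipfw show` listing from the thread, used as sample input.
SAMPLE_IPFW='65000 48 7382 count ip from any to any
65001 0 0 divert 8300 ip from any to any
65010 48 7382 allow ip from any to any'

# check_sysctl OUTPUT: print every required setting whose value in OUTPUT
# (text of `sysctl -a`) differs from the reply; return 1 if any differ.
check_sysctl() {
    rc=0
    for want in $REQUIRED; do
        name=${want%%=*}
        val=${want#*=}
        got=$(printf '%s\n' "$1" | awk -v n="$name:" '$1 == n { print $2; exit }')
        if [ "$got" != "$val" ]; then
            echo "$name is '${got:-unset}', reply uses $val"
            rc=1
        fi
    done
    return $rc
}

# idle_divert_rules LISTING: print numbers of divert rules with a zero packet
# counter while some non-divert rule in LISTING has counted packets.
idle_divert_rules() {
    printf '%s\n' "$1" | awk '
        $4 == "divert" && $2 == 0 { idle[$1] = 1 }
        $4 != "divert" && $2 > 0  { traffic = 1 }
        END { if (traffic) for (r in idle) print r }'
}

# Stand-alone demonstration on the constructed samples.
if check_sysctl "$SAMPLE_SYSCTL"; then echo "sysctl values match the reply"; fi
idle_divert_rules "$SAMPLE_IPFW" | sed 's/^/divert rule never matched while traffic passed: /'
```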