From owner-freebsd-net@FreeBSD.ORG Thu Mar 13 16:22:30 2008
From: Chris Pratt
Date: Thu, 13 Mar 2008 09:12:46 -0700
In-Reply-To: <1205422459.62776.43.camel@iresine.sl.econet.com>
References: <759F7CF5-D47A-4431-88FF-B40FFDE0E24C@hughes.net>
 <1205422459.62776.43.camel@iresine.sl.econet.com>
To: freebsd-net@freebsd.org
Subject: Re: IPFW, DIVERT, and if_bridge
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 13 Mar 2008 16:22:31 -0000

On Mar 13, 2008, at 8:34 AM, Ronald Roskens wrote:

> On Thu, 2008-03-13 at 07:16 -0700, Chris wrote:
>> Hello,
>>
>> I posted a similar message to Questions but received no
>> answer so I'm reposting a paraphrase here to see if anyone
>> knows.
>>
>> I built FreeBSD 7.0 with options DIVERT and if_bridge to
>> see if I could make snort_inline work with the bridging
>> firewall I'm building. I found that the divert would not
>> direct packets to snort_inline which sounded a little like
>> the experiences people had when they tried to do this
>> with the pre-6.x bridge.
>>
>> Is it still not possible to use divert with if_bridge? Here
>> is what I'm seeing in ipfw.
>>
>> 65000 48 7382 count ip from any to any
>> 65001 0 0 divert 8300 ip from any to any
>> 65010 48 7382 allow ip from any to any
>
> Yes, it is possible to use divert with if_bridge and ipfw. It sounds
> like you have not enabled packet filtering on the bridge.
>
> I use the following:
>
> # /etc/sysctl.conf
> net.link.ether.ipfw=1
> net.link.bridge.ipfw=0
> net.link.bridge.pfil_bridge=0
> net.link.bridge.pfil_member=1
>
> # ipfw.conf
> 10000 divert 8000 ip from any to any out via bridge0

Thanks very much. I had commented out two of these. The reason was
that I was unable to differentiate between the local interface and
the bridge (this is from memory). The reason isn't relevant anymore
so I've set them correctly. The divert appears to work fine now as
shown.

65000 5 288 count ip from any to any
65001 5 288 divert 8300 ip from any to any
65010 0 0 allow ip from any to any

Thank you very much.
>
>> Thank you,
>> Chris Pratt
>
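An added check, not code from the thread or from either poster: a POSIX sh script that compares a captured sysctl listing against the four values Ronald posted and scans `ipfw -a list` style output for divert rules whose packet counter is still zero, the symptom in Chris's first rule listing. The sample inputs are constructed; the `name: value` input form is assumed to be what `sysctl -a` prints.

```shell
#!/bin/sh
# Added example, not code from the thread: check a captured sysctl listing
# against the four values Ronald's /etc/sysctl.conf sets, and scan
# `ipfw -a list` output for divert rules whose packet counter is still 0.
# Runs on constructed text; on a bridge host feed it the real output.

# Values from the thread's working /etc/sysctl.conf.
EXPECTED="net.link.ether.ipfw=1
net.link.bridge.ipfw=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=1"

# check_sysctls "<sysctl -a output, name: value lines>"
# Prints each mismatch; returns 1 if any value differs from EXPECTED.
check_sysctls() {
    listing=$1 bad=0
    while IFS='=' read -r key want; do
        have=$(printf '%s\n' "$listing" | awk -v k="$key" -F': ' '$1 == k { print $2 }')
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: have %s, want %s\n' "$key" "${have:-unset}" "$want"
            bad=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $bad
}

# silent_diverts "<ipfw -a list output>": rule numbers of divert rules
# that matched zero packets (fields: rule pkts bytes action ...).
silent_diverts() {
    printf '%s\n' "$1" | awk '$4 == "divert" && $2 == 0 { print $1 }'
}

# Constructed samples: pfil_member left at 0, and the counters from
# Chris's first post, where rule 65001 never saw a packet.
SAMPLE_SYSCTL="net.link.ether.ipfw: 1
net.link.bridge.ipfw: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_member: 0"
SAMPLE_IPFW="65000 48 7382 count ip from any to any
65001 0 0 divert 8300 ip from any to any
65010 48 7382 allow ip from any to any"

check_sysctls "$SAMPLE_SYSCTL" || echo "bridge packet filtering is not enabled as the thread describes"
echo "divert rules with zero packets: $(silent_diverts "$SAMPLE_IPFW")"
```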