From owner-freebsd-ipfw@freebsd.org Wed Dec 23 01:03:51 2015
Subject: Re: layer2 ipfw fwd
From: Julian Elischer
To: bycn82
Cc: "freebsd-ipfw@freebsd.org", Ganbold Tsagaankhuu
Date: Wed, 23 Dec 2015 09:03:34 +0800
Message-ID: <5679F2E6.2090700@freebsd.org>
In-Reply-To:
References: <567795F1.5080605@freebsd.org> <56780F5A.5060209@freebsd.org>
List-Id: IPFW Technical Discussions

On 22/12/2015 10:57 PM, bycn82 wrote:
> Hi Julian,
>
> Thanks for the explanation.
>
> Since it is on layer2, that means we can differentiate traffic by MAC or
> other layer2 filters only.
> e.g., forward the traffic when the type is 0x800 and destination MAC is
> xx:yy:zz....
>
> I meant the accuracy is a big concern.

Since it is layer 2, it includes layer 3. IPFW knows how to access the
layer 3 fields, so layer 2 OR 3 may be used to filter.

>
> Regards,
> Bill Yuan
>
>
> On 21 December 2015 at 22:40, Julian Elischer wrote:
>
>> On 21/12/2015 5:47 PM, bycn82 wrote:
>>
>> why fwd based on MAC? Can share more info of your requirement?
>>
>>
>> you still decide to FWD based on IP address, but you do it while the
>> packet is still in the layer 2 bridge.
>>
>> let me give you a concrete example
>>
>> If I have a bridge between two networks. it is a transparent bridge, in
>> other words nothing sees the bridge.
>> However using layer 2 IPFW, I can block packets from side A from getting
>> to side B.
>> In addition I can redirect (using ipfw fwd and this patch) packets that
>> are coming in, from side A to port 80 on side B, to a local proxy or http
>> filter.
>> Everything else just flows back and forth across the bridge.
>> Using IP spoofing/forwarding the proxy filter will create a socket that
>> pretends to be the side B destination and respond directly, even though it
>> doesn't have that address. It may in turn open a socket to the original
>> destination and forward the request, or, maybe it won't, depending on
>> policy.
>> But nothing else is aware of its existence. it is as though a segment of
>> cable started filtering web content.
>>
>> This is EXACTLY what the cisco/ironport web filter appliance does...
>>
>>
>>
>>
>> On Monday, 21 December 2015, Julian Elischer <
>> julian@freebsd.org> wrote:
>>
>>> On 21/12/2015 10:20 AM, Ganbold Tsagaankhuu wrote:
>>>
>>>> Hi,
>>>>
>>>> Does ipfw support layer2 fwd to support transparent proxying on bridge?
>>>>
>>>> Does similar change like
>>>>
>>>> https://lists.freebsd.org/pipermail/freebsd-ipfw/2003-September/000526.html
>>>> ever get committed?
>>>>
>>> I don't believe this was applied..
>>> I did similar when I worked for Ironport/Cisco.
>>> But it's a trade-off between bloat and usefulness.
>>>
>>>
>>>> thanks a lot,
>>>>
>>>> Ganbold
>>>> _______________________________________________
>>>> freebsd-ipfw@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>>>
>>>>
>>>
>>
>
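The transparent-bridge scenario Julian describes above (block some side A traffic, redirect side A to port 80 into a local proxy, pass everything else), modelled as an added Python example that is not ipfw code or anything posted in the thread. It shows the point made in the reply: a frame seen at layer 2 still carries its layer 3 and 4 fields, so the decision can use MAC, IP or port. The side A prefix, proxy address, the port 23 block rule and the sample frames are constructed assumptions.

```python
import struct

# Constructed illustration values (assumptions, not from the thread).
SIDE_A_NET = "10.0.1."        # hosts on side A of the bridge
PROXY = ("127.0.0.1", 3128)   # local proxy that the fwd rule would target

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport):
    """Construct an Ethernet II + IPv4 + TCP frame (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return (bytes.fromhex(dst_mac.replace(":", ""))
            + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip + tcp)

def parse_frame(frame):
    """At layer 2 the whole frame is in hand, so L3/L4 fields are reachable."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    f = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
         "ethertype": ethertype}
    if ethertype != 0x0800:           # not IPv4: only layer 2 fields exist
        return f
    ihl = (frame[14] & 0x0F) * 4      # IPv4 header length in bytes
    f["proto"] = frame[14 + 9]
    f["src_ip"] = ".".join(str(b) for b in frame[26:30])
    f["dst_ip"] = ".".join(str(b) for b in frame[30:34])
    if f["proto"] == 6:               # TCP: ports follow the IP header
        f["sport"], f["dport"] = struct.unpack("!HH",
                                               frame[14 + ihl:14 + ihl + 4])
    return f

def bridge_decision(frame):
    """Ordered rules in the spirit of the example: fwd side A -> :80 to the
    proxy, deny side A -> :23 (assumed block rule), pass everything else."""
    f = parse_frame(frame)
    if f.get("proto") == 6 and f["src_ip"].startswith(SIDE_A_NET):
        if f["dport"] == 80:
            return ("fwd", PROXY)
        if f["dport"] == 23:
            return ("deny", None)
    return ("allow", None)            # non-IP and all other traffic flows through
```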